James_Ford
December 22nd, 2016 05:00
Hi Neil,
That does sound weird - at the point of initial install all Data Domain systems should generate a self-signed host and CA certificate. These should not be removed/modified during an upgrade and are only regenerated if specifically requested.
Under DDOS 5.x/DDMC 1.x you can regenerate the host certificate as follows:
- Log into the DD CLI
- Enter 'se' mode:
# system show serialno
[system serial number displayed]
# priv set se
[password prompt - enter serial number from above]
Note that on systems using encryption and/or retention lock the above may prompt for credentials of a user with role of security.
- Regenerate the host certificate:
# adminaccess certificate generate self-signed-cert
Note that this will only regenerate the host certificate if the hostname of the system is anything other than 'localhost'. If the hostname is localhost it will regenerate the host and CA certificates. Under DDOS 5.7 there is no command to force regeneration of the CA certificate.
Under DDOS 6.x/DDMC 2.x you can run similar commands from 'se' mode, i.e.:
# adminaccess certificate generate self-signed-cert <= REGENERATE HOST CERTIFICATE
# adminaccess certificate generate self-signed-cert regenerate-ca <= REGENERATE HOST AND CA CERTIFICATE
Note that if you regenerate the CA certificate you will break established mutual trust with all other systems so will need to re-establish this manually (for example refreshing certificates in DDMC or on other DDRs as necessary).
Please have a look at the article I posted about changes to SHA1 in Jan 2017 as this has more information on the above.
Thanks, James
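
The difference between the two regeneration modes in the post above can be reproduced off-box with plain openssl. This is an added example, not part of James's post and not Data Domain commands; it assumes a peer keeps a copy of the CA certificate it imported when trust was set up and validates the host certificate against that copy, and every file name and subject in it is hypothetical.

```shell
#!/bin/sh
# Constructed demo: throwaway keys in a temp dir; all names are hypothetical.
set -eu

make_ca() {    # $1 = output prefix for a new self-signed CA
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=demo-ddr-ca" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

make_host() {  # $1 = CA prefix, $2 = host prefix, $3 = serial number
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ddr01.example.test" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$2.csr" -CA "$1.pem" \
        -CAkey "$1.key" -set_serial "$3" -out "$2.pem" 2>/dev/null
}

peer_trusts() {  # $1 = CA cert the peer imported earlier, $2 = host cert now presented
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

trust_demo() {
    d=$(mktemp -d)
    make_ca "$d/ca1"
    make_host "$d/ca1" "$d/host1" 1
    peer_ca="$d/ca1.pem"                 # the copy a peer stored when trust was set up
    initial=$(peer_trusts "$peer_ca" "$d/host1.pem")

    make_host "$d/ca1" "$d/host2" 2      # host certificate regenerated, CA kept
    host_only=$(peer_trusts "$peer_ca" "$d/host2.pem")

    make_ca "$d/ca2"                     # CA regenerated too: same name, new key
    make_host "$d/ca2" "$d/host3" 3
    with_ca=$(peer_trusts "$peer_ca" "$d/host3.pem")

    rm -rf "$d"
    echo "$initial $host_only $with_ca"
}

trust_demo
```

The third result is the case the post warns about: the new CA has the same subject name but a different key, so the peer's stored CA copy no longer validates the host certificate until it is refreshed.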