PowerProtect Data Manager Security: How To Create CSR For CA Signed Custom Certificate

Summary: Ten steps to create a Certificate Signing Request for a Certificate Authority signed certificate for PowerProtect Data Manager UI.


Instructions

  1. Connect to PowerProtect Data Manager using ssh.

  2. Change the directory to $HOME as in:

    cd /home/admin
  3. Create a folder for the new certificate info:

    mkdir /home/admin/certinfo
    cd /home/admin/certinfo
    
  4. Create a new custom keystore "ppdm.p12" and generate an RSA 2048 key pair.
    The key pair consists of the public and private keys for the request file that is generated. (This step is required in order to create a CSR for custom CA certificates. If using an existing keystore, modify the -keystore name appropriately. The name of the keystore is arbitrary.)

    Notes:
    1. "Alias," "dname," "keystore," "startdate" (Optional), and "validity" (Optional) are all examples and may vary by site. Do not change any other parameters in the keytool command.

      Alias - the name of the record in the keystore that contains this data.
      dname - this info is displayed when viewing the certificate from a
      browser.
      CN - this value must use the FQDN for the PowerProtect Data Manager server:
      CN=ppdm.customer.com,
      The values for OU (Organizational Unit), O (Organization), L (Location),
      S (State) and C (Country) are arbitrary and have no bearing on the certificate
      functionality:
      OU=Department Name,O=Company Name,L=Austin,S=Texas,C=US
      startdate - This is the date when the certificate becomes valid.
      validity - This is the number of days after the startdate when the
      certificate will expire.
    2. It does not matter where the keystore is located on the file system. Be sure to preserve the keystore password.

    3. The SubjectAlternativeName extension is required to avoid this browser error:

      NET::ERR_CERT_COMMON_NAME_INVALID
    4. If using more than one "dns:" entry for SubjectAlternativeName, use a comma-separated list after the "SubjectAlternativeName=" as in the command below. Each acceptable PowerProtect Data Manager server name entry has this format:

      dns:<server name>

      The URL used to access the PowerProtect Data Manager server must match a server name in the SubjectAlternativeName list.

      In the example below, these URLs would be acceptable for the certificate to be requested:

      "https://ppdm.customer.com"
      "https://ppdm"

      *Do not specify names in the SubjectAlternativeName field that do not resolve in DNS to the current PowerProtect Data Manager server. PowerProtect Data Manager server certificates should be specific to one PowerProtect Data Manager server.

      Keytool example command:

      keytool -genkeypair -alias ppdm_key -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=ppdm.customer.com, OU=Department Name, O=Company Name, L=Austin, S=Texas, C=US" -ext "SubjectAlternativeName=dns:ppdm.customer.com,dns:ppdm" -startdate "2022/02/17 00:00:00" -validity 1825 -storetype PKCS12 -keystore ppdm.p12

      Do not change the values supplied for -keyalg, -sigalg and -storetype.
      The command prompts to create a password for the custom keystore that is being created:

      Enter keystore password: *******
      Re-enter new password: *******
  5. Create Certificate Signing Request (CSR) "ppdm.csr" using the alias from the keytool command in step (4):

    keytool -certreq -alias ppdm_key -keystore ppdm.p12 -ext "SubjectAlternativeName=dns:ppdm.customer.com,dns:ppdm" -file ppdm.csr
  6. Send the "ppdm.csr" file to the approved CA to sign. Ask the CA to return certificates in individual files that are in Base-64 encoded X.509 format. For example, a Microsoft Windows CA exports Base-64 encoded X.509 with .cer extension by default.

    At a minimum, the CA returns two certificates:

    1. One certificate is the root CA. The CA certificate file can have any name, but for this example use the filename root_ca.pem, in keeping with file naming on the PowerProtect Data Manager server. For certificate replacement through the UI, the file extension does not matter.

    2. The other certificate is the signed custom certificate for the PowerProtect Data Manager host. (This example uses the filename, ppdmserver.pem.)

      In addition to the above certificates, the CA may return additional certificates for any internal intermediate CAs in the environment. (This example uses the filename, subordinate_ca.pem.)

      To summarize for this example, the CA returned the following three .pem files:

      root_ca.pem
      subordinate_ca.pem
      ppdmserver.pem

      If the chain is returned in one file, open each certificate on a Windows machine. From the Details tab, use the 'Copy to File' button to save a copy in Base-64 encoded X.509 format.

  7. Export the PowerProtect Data Manager server key to a file as "ppdmserverkey.rsa":

    openssl pkcs12 -in ppdm.p12 -nocerts -nodes -out ppdmserverkey.rsa
  8. Convert the key file "ppdmserverkey.rsa" from RSA format to PEM (Base-64 encoded X.509). This command example generates the output file "ppdmserverkey.pem":

    openssl rsa -in ppdmserverkey.rsa -out ppdmserverkey.pem
  9. Import the certificate and private key through the web UI. From the example steps above, those would be "ppdmserver.pem" ** and "ppdmserverkey.pem" respectively.

  10. Restart PowerProtect Data Manager 'nginx' web service:

    systemctl restart nginx
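The following script is an added example and is not part of the Dell article: it wraps steps 4 to 8 into one non-interactive run and, before the CSR leaves the server, checks that the request really carries every SubjectAlternativeName entry and that the exported private key belongs to the CSR. The keytool options are the ones the article says not to change; the host names, the placeholder OU/O/L/S/C values, the STOREPASS environment variable and the `run` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Dell article): steps 4-8 as one script, plus two
# sanity checks on the CSR. The keystore password is taken from $STOREPASS so
# that keytool and openssl do not prompt (assumption of this example).
set -eu

ALIAS="ppdm_key"            # keystore record name, as in the article
KEYSTORE="ppdm.p12"         # custom PKCS12 keystore, as in the article
CSR="ppdm.csr"
KEY_RSA="ppdmserverkey.rsa"
KEY_PEM="ppdmserverkey.pem"

# Builds the SubjectAlternativeName value: "dns:<name>" entries, comma separated.
san_list() {
  _out=""
  for _n in "$@"; do
    _out="${_out:+$_out,}dns:$_n"
  done
  printf '%s' "$_out"
}

# Step 4: new PKCS12 keystore with an RSA 2048 key pair (OU/O/L/S/C are placeholders).
make_keystore() {
  # usage: make_keystore <fqdn> <san list>
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=$1, OU=Department Name, O=Company Name, L=Austin, S=Texas, C=US" \
    -ext "SubjectAlternativeName=$2" -validity 1825 -storetype PKCS12 \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 5: CSR for the alias, repeating the SAN extension.
make_csr() {
  # usage: make_csr <san list>
  keytool -certreq -alias "$ALIAS" -keystore "$KEYSTORE" -storetype PKCS12 \
    -storepass "$STOREPASS" -ext "SubjectAlternativeName=$1" -file "$CSR"
}

# Steps 7 and 8: private key out of the keystore, then converted to PEM.
export_key() {
  openssl pkcs12 -in "$KEYSTORE" -nocerts -nodes -out "$KEY_RSA" -passin env:STOREPASS
  openssl rsa -in "$KEY_RSA" -out "$KEY_PEM"
  chmod 600 "$KEY_RSA" "$KEY_PEM"   # the key files are secrets; keep them owner-readable only
}

# Check 1: the CSR carries the given DNS name in its SAN (the extension the
# article says avoids NET::ERR_CERT_COMMON_NAME_INVALID).
csr_has_san() {
  # usage: csr_has_san <csr> <dns name>
  openssl req -in "$1" -noout -text | grep -Eq "DNS:$2"'(,|$)'
}

# Check 2: the exported key is the one whose public half is in the CSR.
key_matches_csr() {
  # usage: key_matches_csr <key.pem> <csr>
  _k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  _c=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$_k" ] && [ "$_k" = "$_c" ]
}

main() {
  # usage: STOREPASS=... sh ppdm_csr.sh run <fqdn> [short name ...]
  _fqdn="$1"
  _san=$(san_list "$@")
  make_keystore "$_fqdn" "$_san"
  make_csr "$_san"
  export_key
  for _name in "$@"; do
    csr_has_san "$CSR" "$_name" || { echo "SAN entry missing from CSR: $_name" >&2; exit 1; }
  done
  key_matches_csr "$KEY_PEM" "$CSR" || { echo "exported key does not match the CSR" >&2; exit 1; }
  echo "$CSR is ready to send to the CA; keep $KEYSTORE and $KEY_PEM private"
}

if [ "${1:-}" = "run" ]; then
  shift
  main "$@"
fi
```

Run it from the certinfo directory as `STOREPASS='...' sh ppdm_csr.sh run ppdm.customer.com ppdm`; the first argument becomes the CN and every argument becomes a dns: entry in the SAN. One caveat for step 7: a keystore written by an old JDK encrypts its certificate bags with RC2-40, which OpenSSL 3 only provides through `-legacy`; a keystore from a current JDK needs no extra option.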

**Starting in version 19.16, import of the certificate chain is required, with the following requirements:
a) The PowerProtect Data Manager certificate's expiration date must be equal to or less than that of the certificate from the CA server that processed the .csr.
b) If there is one or more intermediate CAs, certificates from the parents in the hierarchy must have expiration dates equal to or longer than the parent-signer CA.
c) The root CA must be a self-signed certificate.
d) The public certificate imported into PowerProtect Data Manager must be a chain with the complete hierarchy.
The easiest way to create the required chain is to concatenate the certificates into one file, starting with the PowerProtect Data Manager certificate first and the root CA last. The resulting certificate chain file is a list of certificates in reverse hierarchical order, as in the following example.

admin@ppdm:~>cat ppdmserver.pem>>chain.pem
admin@ppdm:~>cat subordinate_ca.pem>>chain.pem
admin@ppdm:~>cat root_ca.pem>>chain.pem

Import chain.pem as the public certificate.
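The following script is an added example, not part of the Dell article: it builds chain.pem in the order described above and checks requirements a) to d) with openssl before the file is imported, so that a wrongly ordered chain or a missing intermediate CA is caught on the command line rather than by the UI. The file names are the ones used in the article; the function names and the `check` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Dell article): assemble chain.pem in reverse
# hierarchical order and verify rules a) to d) before importing it.
set -eu

# Concatenate in reverse hierarchical order: server certificate first, root CA last.
build_chain() {
  # usage: build_chain chain.pem ppdmserver.pem [subordinate_ca.pem ...] root_ca.pem
  _out="$1"; shift
  cat "$@" > "$_out"
}

# Write each certificate of a PEM bundle to <dir>/cert-<n>.pem and print the count.
split_chain() {
  # usage: split_chain chain.pem <dir>
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f != "" { print > (f) }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }' "$1"
}

# One field of a certificate: subject | issuer | enddate. RFC 2253 name format
# is used so that an issuer string compares exactly with a subject string.
cert_field() {
  # usage: cert_field cert.pem subject|issuer|enddate
  openssl x509 -in "$1" -noout -nameopt RFC2253 "-$2" | sed 's/^[^=]*=//'
}

# "Feb 17 00:00:00 2027 GMT" -> seconds since the epoch (GNU date, BSD date fallback).
to_epoch() {
  date -u -d "$1" +%s 2>/dev/null || date -ju -f '%b %d %H:%M:%S %Y %Z' "$1" +%s
}

_check_chain_in() {
  _n=$(split_chain "$1" "$2")
  [ "$_n" -ge 2 ] || { echo "need at least the server certificate and the root CA" >&2; return 1; }
  _i=1
  while [ "$_i" -lt "$_n" ]; do
    _cur="$2/cert-$_i.pem"; _next="$2/cert-$((_i + 1)).pem"
    # rule d): every certificate must be issued by the one that follows it
    [ "$(cert_field "$_cur" issuer)" = "$(cert_field "$_next" subject)" ] \
      || { echo "certificate $_i is not issued by certificate $((_i + 1)): wrong order or missing CA" >&2; return 1; }
    # rules a) and b): a certificate must not expire after its signer
    [ "$(to_epoch "$(cert_field "$_cur" enddate)")" -le "$(to_epoch "$(cert_field "$_next" enddate)")" ] \
      || { echo "certificate $_i expires after its signer" >&2; return 1; }
    _i=$((_i + 1))
  done
  _root="$2/cert-$_n.pem"
  # rule c): the last certificate is a self-signed root CA
  [ "$(cert_field "$_root" subject)" = "$(cert_field "$_root" issuer)" ] \
    || { echo "last certificate is not a self-signed root CA" >&2; return 1; }
  # finally let OpenSSL check the signatures along the chain
  if [ "$_n" -gt 2 ]; then
    : > "$2/untrusted.pem"
    _i=2
    while [ "$_i" -lt "$_n" ]; do
      cat "$2/cert-$_i.pem" >> "$2/untrusted.pem"
      _i=$((_i + 1))
    done
    openssl verify -CAfile "$_root" -untrusted "$2/untrusted.pem" "$2/cert-1.pem" >/dev/null
  else
    openssl verify -CAfile "$_root" "$2/cert-1.pem" >/dev/null
  fi
}

# usage: check_chain chain.pem -> exit status 0 when the chain satisfies rules a) to d)
check_chain() {
  _d=$(mktemp -d)
  _check_chain_in "$1" "$_d"
  _rc=$?
  rm -rf "$_d"
  return $_rc
}

if [ "${1:-}" = "check" ]; then
  check_chain "${2:?usage: sh check_chain.sh check chain.pem}" && echo "$2: OK, import it as the public certificate"
fi
```

Usage on the server: `build_chain chain.pem ppdmserver.pem subordinate_ca.pem root_ca.pem` followed by `sh check_chain.sh check chain.pem`. The ordering check is what catches the two common mistakes, a chain concatenated root-first and a chain with the intermediate CA left out; the expiry check mirrors rules a) and b), and `openssl verify` confirms the signatures actually link.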

Affected Products

PowerProtect Data Manager
Article Properties
Article Number: 000196460
Article Type: How To
Last Modified: 02 Sept 2025
Version:  11