PowerScale OneFS: Replace or Renew the SSL Certificate for the Isilon Web Administration

Summary: Steps to renew or replace the SSL Certificate for the OneFS web administration interface.


Instructions

Note: The commands in this article are intended ONLY for use with an Isilon Cluster. They are not intended for use with an external Linux server.

 

Note: Isilon does not auto-renew the certificate. It must be renewed manually by following the steps in this article in an Isilon Cluster.

 

Introduction

This article explains how to replace or renew the Secure Sockets Layer (SSL) certificate for the Isilon web administration interface. The following procedures include options to complete a self-signed certificate replacement or renewal, or to request an SSL replacement or renewal from a Certificate Authority (CA).

Requisite tools or skills

To complete this task, you must have the URL for accessing the Isilon web administration interface. (The examples in this article use https://isilon.example.com:8080/.) You should also be comfortable running commands from the command line.

 

Pre-requisites

Reference information
The following lists include the default locations for the server.crt and server.key files. In the procedures that follow, update the steps to match this information for the version of OneFS that is installed.

Obtain the list of certificates by running the following command:

isi certificate server list 

    Procedure

    Create a local working directory.

    mkdir /ifs/local
    cd /ifs/local

    Decide whether you want to renew an existing certificate or create a certificate from scratch.

    • Renew an existing self-signed Certificate.
    This creates a renewal certificate that is based on the existing (stock) ssl.key. Run the following command to create a two-year certificate. Increase or decrease the value for -days to generate a certificate with a different expiration date:
    730 = 2 years
    1825 = 5 years
    3650 = 10 years
    cp /usr/local/apache2/conf/ssl.key/server.key ./ ; openssl req -new -days 730 -nodes -x509 -key server.key -out server.crt
    Answer the system prompts to complete the process to generate a self-signed SSL certificate, entering the appropriate information for your organization.

    For example:
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Washington
    Locality Name (eg, city) []:Seattle
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Isilon
    Organizational Unit Name (eg, section) []:Support
    Common Name (e.g. server FQDN or YOUR name) []:isilon.example.com
    Email Address []:support@example.com
    When finished entering the information, the server.csr and server.key files appear in the /ifs/local directory.
    • (Optional) Verify the integrity and attributes of the certificate:
    openssl x509 -text -noout -in server.crt
    
    After this step, go to the "Add the certificate to the cluster" section of this article.
    • Create a certificate and key.
    This procedure shows how to create a new private key and SSL certificate. Run the following command to create an RSA 2048-bit private key:
    openssl genrsa -out server.key 2048
    Create a certificate signing request:
    openssl req -new -nodes -key server.key -out server.csr
    Enter the appropriate information for your organization.
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:
    Email Address []:
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    
    • (Optional) Generate a CSR for a Certificate Authority that includes Subject Alternative Names. If additional DNS names are needed, add them separated by commas (,).
    For example: DNS:example.com,DNS:www.example.com
    openssl req -new -nodes -key server.key -out server.csr -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com"))
    When prompted, type the information to be incorporated into the certificate request. When finished entering the information, the server.csr and server.key files appear in the /ifs/local directory.

    Verify if you want to self-sign the certificate or get it signed by a Certificate Authority (CA).
    • Self-Sign the SSL Certificate.
    To self-sign the certificate with the key, run the following command, which creates a new self-signed certificate that is valid for 2 years:
    openssl x509 -req -days 730 -in server.csr -signkey server.key -out server.crt
    Verify that the key matches the certificate. Both commands should return the same md5 value:
    openssl x509 -noout -modulus -in server.crt | openssl md5
    openssl rsa -noout -modulus -in server.key | openssl md5
    After this step, go to the "Add the certificate to the cluster" section of this article.
    • Get a CA to Sign the Certificate.
    If a CA is signing the certificate, ensure that the new SSL certificate is in X.509 format and includes the entire certificate trust chain.

    It is common for a CA to return the new SSL certificate, the intermediate certificate, and the root certificate in separate files.

    If the CA has done this, you MUST manually create the PEM formatted certificate.

    Order matters when creating the PEM formatted certificate. Your certificate must be at the top of the file, followed by the intermediate certificates, and the root certificate must be at the bottom.

    Here is an example of what the PEM formatted file looks like:
    -----BEGIN CERTIFICATE-----
    <The contents of your new TLS certificate>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <The contents of the intermediate certificate>
    <Repeat as necessary for every intermediate certificate provided by your CA>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <The contents of the root certificate file>
    -----END CERTIFICATE-----
    A simple way to create the PEM formatted file from the CLI is to cat the files (remember, the order of the files matters):
    cat CA_signed.crt intermediate.crt root.crt > onefs_pem_formatted.crt
    Copy the onefs_pem_formatted.crt file to /ifs/local directory and rename it to server.crt.
     
    Note: If a .cer file is received, rename it to a .crt extension.

     

    • (Optional) Verify the integrity and attributes of the certificate:
    openssl x509 -text -noout -in server.crt
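
The key-match check and the chain-order rule described above can be combined into one pre-import check. This is an added example, not part of the original article: the function names are hypothetical, and the file names follow the article's server.crt and server.key. It compares public keys instead of modulus hashes, and it checks name chaining only, not signatures.

```bash
# Added example, not from the original article; function names are hypothetical.
# Split the PEM bundle $1 into one file per certificate in directory $2
# and print how many certificates were found.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }' "$1"
}

# Return 0 only if the bundle is ordered leaf -> intermediate(s) -> root:
# every certificate's issuer must be the subject of the next entry, and the
# last entry must be self-issued. A lone self-signed certificate also passes.
check_chain_order() {
    local tmp count i cur next iss sub rc=0
    tmp=$(mktemp -d) || return 2
    count=$(split_bundle "$1" "$tmp")
    [ "$count" -ge 1 ] || { rm -rf "$tmp"; return 2; }
    i=1
    while [ "$i" -le "$count" ]; do
        cur=$(printf '%s/cert%02d.pem' "$tmp" "$i")
        next=$cur
        [ "$i" -lt "$count" ] && next=$(printf '%s/cert%02d.pem' "$tmp" $((i + 1)))
        iss=$(openssl x509 -noout -issuer_hash -in "$cur" 2>/dev/null)
        sub=$(openssl x509 -noout -subject_hash -in "$next" 2>/dev/null)
        if [ -z "$iss" ] || [ "$iss" != "$sub" ]; then
            echo "entry $i: issuer does not match the subject of the next entry" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Return 0 if private key $2 belongs to the first certificate in $1.
# Compares public keys, so it is not limited to RSA moduli.
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

Run `check_chain_order /ifs/local/server.crt` and `key_matches_cert /ifs/local/server.crt /ifs/local/server.key` before the import step; a non-zero exit status means the bundle or key should be corrected first.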
    

    Add the certificate to the cluster:

    1. Import the new certificate and key into the system:
    isi certificate server import /ifs/local/server.crt /ifs/local/server.key
    2. Verify that the certificate is imported successfully:
    isi certificate server list -v
    3. Set the imported certificate as default:
    isi certificate settings modify --default-https-certificate=<id_of_cert_to_set_as_default>
    4. Confirm that the imported certificate is being used as the default by checking the status of "Default HTTPS Certificate":
    isi certificate settings view
    5. If there is an unused or outdated certificate, delete it with the command:
    isi certificate server delete --id=<id_of_cert_to_delete>
    6. View the newly imported certificate with the command:
    isi certificate server view --id=<id_of_cert>

      Verification

      There are two methods for verifying the updated SSL certificate.

      • From a web browser:
      1. Browse to https://<common name>:8080, where <common name> is the hostname that is used to access the Isilon web administration interface. For example, isilon.example.com
      2. View the security details for the web page. The steps to do this vary by browser. In some browsers, click the padlock icon in the address bar to view the security details for the web page.
      3. In the security details for the web page, verify that the subject line and other details are correct. Output similar to the following is displayed, where <yourstate>, <yourcity>, and <yourcompany> are the state, city, and name of your organization:
      Subject: C=US, ST=<yourstate>, L=<yourcity>, O=<yourcompany>, CN=isilon.example.com/emailAddress=support@example.com
      
      • From a command line:
      1. Open an SSH connection on any node in the cluster and log in using the "root" account.
      2. Run the following command:
      echo QUIT | openssl s_client -connect localhost:8080
      3. Output similar to the following is displayed, where <yourstate>, <yourcity>, and <yourcompany> are the state, city, and name of your organization:
      Subject: C=US, ST=<yourstate>, L=<yourcity>, O=<yourcompany>, CN=isilon.example.com/emailAddress=support@example.com

      Additional Information

      Note: An event alert is also triggered on Isilon, as shown below:
      SW_CERTIFICATE_EXPIRING: X.509 certificate default is nearing expiration:
      
      Event: 400170001
      Certificate 'default' in '**' store is nearing expiration:
      

      Affected Products

      PowerScale OneFS

      Products

      Isilon
      Article Properties
      Article Number: 000157711
      Article Type: How To
      Last Modified: 17 Sept 2025
      Version:  20