Data Domain: How to import externally signed certificates on port 3009

Summary: How to Import Externally Signed Certificates on port 3009 from DDOS version 7.12.


Instructions

Note: This KB only applies to DDOS 7.12 and newer.

The system can use imported host and CA certificates for the following system management services running on ports 3009 and 3013:

  • Management communication between the DD system and DDMC
  • Replication
  • Communication between the active and standby nodes of an HA pair
  • REST API handling

The following prerequisites apply:

Host certificate prerequisites:

  • System passphrase must be set on DDR/DDVE/DD-HA.
  • The certificate must be valid (not expired and not with validity dates in the future).
  • Host certificate SHOULD:
    • Include "TLS Web Server Authentication, TLS Web Client Authentication" under Extended Key Usage.
    • NOT contain "CA:TRUE" under x509v3 Basic Constraints.
    • Include the hostname of the DDR/DDVE under Subject-Alternative-Name, common-name, or both in the subject line.
    • Include (if there is HA):
      • HA system-name under subject-alternative-name, common-name, or both in the subject line.
      • Individual node's hostnames under subject-alternative-name.
  • The host certificate is recommended to include Authority Key Identifier (AKID) under "X509v3 extensions."
  • Only ONE host certificate can be imported.
  • The same host certificate can be used for PowerProtect DD System Manager (UI or DDSM).

CA certificate prerequisites:

  • CA certificate must be valid (not expired and not with validity dates in the future).
  • It should be a CA certificate, that is, it should contain the attributes that identify it as an authority able to issue client and server certificates, such as:
    • "CA:TRUE" under x509v3 Basic Constraints, or
    • "keyCertSign" under keyUsage, or
    • Self-signed (in the case of a Root-CA).
  • If a CA certificate is being imported by pasting PEM contents, that is, adminaccess certificate import ca application system-management, only one CA certificate can be pasted. If multiple are provided, DD errors out the operation.
  • If a CA certificate is being imported from a file, that is, adminaccess certificate import ca application system-management file <filename>, the file should not contain more than one CA certificate. If multiple are provided, DD errors out the operation.
  • CA certificate should have the purpose to issue Certificate Revocation Lists (CRL).
  • Root-CA certificate is recommended to contain Subject Key Identifier (SKID) under x509v3 extensions. Intermediate-CA certificate(s) are recommended to contain Subject-Key-Identifier (SKID) and Authority-Key-Identifier (AKID) under x509v3 extensions.
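
Before running the import commands, the prerequisites above can be checked with the openssl CLI on the workstation that holds the PEM files. The following script is an added example, not part of this KB or of DD OS; it assumes openssl and GNU date are available, and check_host_cert and check_ca_cert are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not Dell's code: pre-import sanity checks with the openssl CLI
# for the host and CA certificate prerequisites above. Each function prints
# FAIL/WARN lines and returns 0 only when every hard requirement holds.
# Assumes GNU date for the "not yet valid" check (skipped where date -d fails).

cert_text() { openssl x509 -in "$1" -noout -text 2>/dev/null; }

check_validity() {   # shared: reject expired certs and notBefore in the future
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || { echo "FAIL: $1 is expired"; return 1; }
    nb=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2-)
    nb_epoch=$(date -u -d "$nb" +%s 2>/dev/null)
    if [ -n "$nb_epoch" ] && [ "$nb_epoch" -gt "$(date +%s)" ]; then echo "FAIL: $1 not yet valid"; return 1; fi
}

check_host_cert() {   # usage: check_host_cert <host.pem> <dd-hostname>
    cert="$1"; esc=$(printf '%s' "$2" | sed 's/\./\\./g'); rc=0
    text=$(cert_text "$cert") || { echo "FAIL: cannot parse $cert"; return 1; }
    check_validity "$cert" || rc=1
    # Extended Key Usage must carry both server and client authentication.
    for eku in "TLS Web Server Authentication" "TLS Web Client Authentication"; do
        printf '%s\n' "$text" | grep -q "$eku" || { echo "FAIL: EKU lacks $eku"; rc=1; }
    done
    # A host certificate must not be marked as a CA.
    printf '%s\n' "$text" | grep -q 'CA:TRUE' && { echo "FAIL: host cert carries CA:TRUE"; rc=1; }
    # The DD hostname must appear as a DNS SAN entry or as the subject CN.
    printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | grep -Eq "DNS:$esc(,|$)" \
      || openssl x509 -in "$cert" -noout -subject | grep -Eq "CN ?= ?$esc(,|/|$)" \
      || { echo "FAIL: hostname $2 missing from SAN and CN"; rc=1; }
    printf '%s\n' "$text" | grep -q 'Authority Key Identifier' || echo "WARN: no AKID (recommended)"
    return $rc
}

check_ca_cert() {   # usage: check_ca_cert <ca.pem>  (one certificate per file)
    cert="$1"; rc=0
    n=$(grep -c 'BEGIN CERTIFICATE' "$cert")
    [ "$n" -eq 1 ] || { echo "FAIL: $cert holds $n certificates; DD accepts exactly one per file"; rc=1; }
    text=$(cert_text "$cert") || { echo "FAIL: cannot parse $cert"; return 1; }
    check_validity "$cert" || rc=1
    # Must be an authority: CA:TRUE in Basic Constraints or keyCertSign in Key Usage.
    printf '%s\n' "$text" | grep -Eq 'CA:TRUE|Certificate Sign' || { echo "FAIL: $cert is not a CA certificate"; rc=1; }
    printf '%s\n' "$text" | grep -q 'Subject Key Identifier' || echo "WARN: no SKID (recommended)"
    return $rc
}
```

Run check_ca_cert against each CA file and check_host_cert against the signed host certificate with the DD hostname; a WARN line only flags a recommended extension, a FAIL line means the import will be rejected or the service will not trust the certificate.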

CLI import procedure:

Steps to import PEM file for system-management:

  1. Generate the CSR on the DD system or Dell APEX Protection Storage instance, setting the values as required. The default CSR is not sufficient.

    NOTE: When customizing information in the CSR, the key must be at least 2048 bits long, Extended-key-usage must include "all" (both "clientAuth" and "serverAuth"), and the DD hostname must be included under subject-alternative-name or as the common-name in the subject line.

    Example:

    # adminaccess certificate cert-signing-request generate key-strength 2048bit country US state California city Irvine org-name Corp common-name abc subject-alt-name "DNS:abc.com,they.singing.org,IP:10.x.x.x, IP:10.x.x.x" extended-key-usage all
    Certificate signing request (CSR) successfully generated at /ddvar/certificates/CertificateSigningRequest.csr
    With following parameters:
       Key Strength       : 2048
       Country            : US
       State              : California
       City               : Irvine
       Organization Name  : Corp
       Common Name        : abc
       Basic Constraints  :
       Key Usage          :
       Extended Key Usage : TLS Web Client Authentication, TLS Web Server Authentication
       Subject Alt Name   : DNS:abccom,they.singing.org,IP Address:10.x.x.x, IP:10.x.x.x
  2. Sign the CSR with the CA, and verify the subject-alternative-name is copied over during the signing.

  3. Obtain the signed certificate in X.509 PEM format from the Certificate Authority.

  4. Obtain the CA certificate in X.509 PEM format.

  5. Paste the contents of the certificates, or copy the certificate files to /ddr/var/certificates/.

  6. When copying the PEM files to /ddr/var/certificates/:

    1. Run the below command for each CA certificate file.
      adminaccess certificate import ca application system-management file <filename>
    2. Run the below command to import the host certificate.
      adminaccess certificate import host application system-management file <filename>

Steps to import PKCS12 file for system-management:

Case-1: PKCS12 contains only an encrypted private-key (with PBE-SHA1-3DES) and a signed certificate. CA chain is not included.

  1. Use the required internal tools to generate a private-key and CSR, and sign the certificate.

  2. Generate the PKCS12 file with only the host-certificate and the host private-key.

    Note: Do not include in the PKCS12 file any CA certificates that issued the host-certificate; those are available in X.509 PEM format.
  3. Copy the PKCS12 file to /ddr/var/certificates/.

  4. Copy the CA certificate to /ddr/var/certificates/.

  5. Import the CA certificate(s) that issued the host-certificate first by running the below command for each CA certificate file.

    adminaccess certificate import ca application system-management file <filename>
  6. Once CA certificates are imported, import the host-certificate in PKCS12 using the below command.

    adminaccess certificate import host application system-management file <filename>
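
For Case-1 the bundle must hold only the host private key and host certificate, both protected with PBE-SHA1-3DES, and no CA chain. The following added example (not from this KB or DD OS) builds such a bundle with the openssl CLI on a workstation and inspects it before it is copied to the DD system; make_host_p12, p12_cert_count and p12_uses_sha1_3des are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not Dell's code: build and inspect the Case-1 PKCS12 bundle
# (host private key + host certificate only, PBE-SHA1-3DES, no CA chain)
# with the openssl CLI before copying it to /ddr/var/certificates/.

# make_host_p12 <host.key> <host.pem> <out.p12> <export-password>
# -certfile/-chain are deliberately omitted so no CA certificate is bundled;
# the issuing CA(s) are imported separately as X.509 PEM files.
make_host_p12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES 2>/dev/null
}

# p12_cert_count <bundle.p12> <password>: prints how many certificates the
# bundle carries; Case-1 requires exactly 1 (a chain would show 2 or more).
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# p12_uses_sha1_3des <bundle.p12> <password>: succeeds only if both the key bag
# and the certificate bag report pbeWithSHA1And3-KeyTripleDES-CBC.
p12_uses_sha1_3des() {
    info=$(openssl pkcs12 -in "$1" -passin "pass:$2" -info -noout 2>&1)
    [ "$(printf '%s\n' "$info" | grep -c 'pbeWithSHA1And3-KeyTripleDES-CBC')" -ge 2 ]
}
```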

Case-2: PKCS12 contains an encrypted private-key (with PBE-SHA1-3DES), signed certificate and CA chain.

  1. Use the required internal tools to generate a private-key and CSR, and sign the certificate.

  2. Generate the PKCS12 file with only the host-certificate and the host private-key.

    Note: Do not include any CA certificates that issued the host-certificate; those are available in X.509 PEM format. Each CA certificate in the chain up to the Root-CA is in X.509 PEM.
  3. Copy the PKCS12 file to /ddr/var/certificates/.

  4. Run the below command to import the host certificate.

    adminaccess certificate import host application system-management file <filename>

See the below KB article to import the certificates over UI:
Data Domain - Managing host certificates for HTTP and HTTPS


Affected Products

DD OS 7.12, DD OS 7.13, DD OS 8.1, DD OS 8.0

Products

Data Domain
Article Properties
Article Number: 000227974
Article Type: How To
Last Modified: 12 Dec 2025
Version:  4