PowerFlex How to use OpenSSL to generate a CSR and add the SSL certificate

1. SSH to the PowerFlex Manager appliance and sudo to root:

   sudo su -

2. Change to the root directory:

   cd /root/

3. Make a directory called newcerts:

   mkdir newcerts

4. Change to the new directory you created:

   cd newcerts

5. Create a CNF file:

   vi cert.cnf

   1. This file contains the fields needed for the certificate like distinguished name fields and alt names (SAN) entries. This file can be named as anything, but the file extension must be .cnf. Copy all info below into the file. The only fields that should be edited in the file are the fields in the req_distinguished_name section and the fields in the alt_names section (edit bolded sections). See the example below:

[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
C   = US
ST  = California
L   = Woodland
O   = PinballDivision
OU  = Developer
CN  = pfxm99.vxflex.local
emailAddress = support@pinball.org

[req_ext]
subjectAltName = @alt_names

[alt_names]  
IP.1 = 192.168.150.11
IP.2 = 10.10.10.14
IP.3 = 10.10.10.17
DNS.1 = devpfxm.vxflex.local
DNS.2 = pinballstore.vxflex.local

2. If a customer cannot have an email address in their CSR, then you can remove the emailAddress line from the CNF file.
3. The alt_names section of this file is for the SAN (Subject Alternate Name) entries.
4. The DNS fields in the alt_names section are alternate FQDN names for your PowerFlex Manager host, do not put DNS server IP addresses in these fields. If you do not have alternate names, you do not need to include the alt_names section in the file.
5. Once you are done editing the file, save your changes:

   <ESC> :wq!

6. Create a new server Key (in the example that we are using the filename cert.key, this can be named anything, but must have the. Key file extension):

   openssl genrsa -out cert.key 2048

7. Generate a new CSR with the CNF configuration:

   openssl req -new -key cert.key -out cert.csr -config cert.cnf

   1. TheThe key file is the file created in Step 6.
   2. The .csr file can be named as anything but must have the .csr file extension. In the example we are using cert.csr.
   3. The .cnf file is the file created in step 5.
8. Confirm that your CSR was generated correctly:

   openssl req -text -in cert.csr -noout

9. You must copy your CSR file off of the PowerFlex Manager VM to send to your Certificate Authority (CA) to be signed. Since the files were created as root, if you are using WinSCP you must move the file and make some permissions changes to copy it since the delladmin user does not have access to the /root directory. Use these steps to copy the file to your local machine:
   1. Copy the CSR file to the /home/delladmin directory:

cp /root/newcerts/cert.csr /home/delladmin/

2. Change the permissions to delladmin ownership:

   chown delladmin:delladmin /home/delladmin/cert.csr

3. Use WinSCP to copy the file off of the PFxM appliance using the delladmin account to log in.

10. When you sign your certificate Ensure the export format selected is Base-64 encoded X.509 (.CER).

11. Copy your CER file to the PFxM appliance using WinSCP or similar tool to the /home/delladmin directory.
12. Move the CER file to the newcerts directory and change the permissions:

cp /home/delladmin/cert.cer /root/newcerts/
chown root:root /root/newcerts/cert.cer

13. Backup existing certs in case of any issues:

    mkdir /root/origcerts
    cp /etc/pki/tls/certs/localhost.crt  /root/origcerts/
    cp /etc/pki/tls/private/localhost.key /root/origcerts/

14. Replace existing cert and key files with the newly generated ones:

    cp /root/newcerts/cert.cer /etc/pki/tls/certs/localhost.crt
    cp /root/newcerts/cert.key /etc/pki/tls/private/localhost.key

15. Reboot the PFxM appliance and check that the cert is applied once the PowerFlex VM is back online by logging into the UI and verifying that the cert is showing correctly in the browser.