ME4: Generating Custom Security Certificates using Active Directory Certificate Services

Summary: These instructions show how to create two custom SSL certificates, one for each controller, using OpenSSL and Active Directory Certificate Services (ADCS). The certificates work with both a common Fully Qualified Domain Name (FQDN) for both ME4 controllers and with the FQDN system name of each individual controller. ...


Instructions

Prerequisites

  • Install Active Directory Certificate Services for your domain and configure the services

  • Record the IPs, Domain Name System (DNS) server IPs, search domain, and system names for each ME4 controller

  • OpenSSL

  • Verify that the DNS server used by the ME4 and the AD domain supports round robin DNS

For this article, the following FQDN DNS names for the ME4 are used. Any name works; these are example names. Replace them with your domain name and your preferred names.

  1. Common name: me4.mscerttest.com

  2. Controller A Name: me4-a.mscerttest.com

  3. Controller B Name: me4-b.mscerttest.com

Create DNS A Records

Both AD Certificate Services (CS) and the ME4 must use the same DNS servers. The DNS server must support round robin DNS to use a common FQDN name for both controllers. By default, Microsoft DNS supports round robin DNS. For our example, the DNS server IP is 10.240.225.174.

On your DNS server, create the following A records. For our example, the IP of the A controller is 10.240.225.6 and the IP of the B controller is 10.240.225.7. For your environment, use your domain name and your IPs.

  • Create an A record for me4.mscerttest.com with the IP 10.240.225.6

  • Create an A record for me4.mscerttest.com with the IP 10.240.225.7

  • Create an A record for me4-a.mscerttest.com with the IP 10.240.225.6

  • Create an A record for me4-b.mscerttest.com with the IP 10.240.225.7

Verify with nslookup that the common FQDN - me4.mscerttest.com - returns both controllers' IP addresses, which confirms round robin DNS.

C:\Users\Administrator>nslookup
Default Server:  localhost
Address:  127.0.0.1

> me4.mscerttest.com
Server:  localhost
Address:  127.0.0.1

Name: me4.mscerttest.com
Addresses: 10.240.225.7
          10.240.225.6

 

Validate ME4 IP/DNS Configuration

The system names, domain name, and DNS server used on the ME4 should match those used by the AD CS.

Open up the ME4 UI and select Action -> System Settings. Go to the Network Tab.

  1. On the IP pages, verify the IPs of the A and B controllers and verify the A records set up in DNS

Image depicts PowerVault Manager GUI displaying controller IPv4 IP addresses

  2. On the DNS page, verify:

  • The search domain for each controller matches the AD CS domain

  • The hostname for each controller matches the DNS name applied for the individual controller A records

  • The DNS server is the same DNS used by ADCS

 

Image depicts PowerVault Manager GUI displaying controller DNS settings.

 

Create Certificate Request Files for A and B Controller

Next, create two configuration files using a text editor. These files are used to generate the certificate request files for the controllers in OpenSSL. There are two files - one for the A controller and one for the B controller. Examples are attached on the Related tab, based on our environment for both the A and B controller. 

The contents of these files look like this in the text editor.

[ req ]
default_bits        = 2048
distinguished_name  = req_distinguished_name
req_extensions      = req_ext
prompt              = no

[ req_distinguished_name ]
countryName             = US
stateOrProvinceName     = New Hampshire
localityName            = Nashua
organizationName        = Dell
organizationalUnitName  = IT
commonName              = me4-a.mscerttest.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = me4.mscerttest.com
DNS.2 = me4-a.mscerttest.com


Modify the following fields in each controller configuration file - one for ME4-A and one for ME4-B - to match your names and domains.

  1. The common name and controller name in both the commonName and alt_names must match your environment for that controller

  2. If using something other than 2048 for the key size, alter that information in default_bits

  3. The countryName, stateOrProvinceName, localityName, organizationName, and organizationalUnitName must match your company information


When finished, there should be two text files - an ME4-A.cnf and an ME4-B.cnf - which have the required names and configuration for your environment.

Install OpenSSL

The ME4 is an external storage system, so a certificate request must be generated through OpenSSL to present to ADCS. The first step is to install OpenSSL if it is not already installed. For this process, a Windows version was installed on the ADCS server for convenience. OpenSSL can be on a Linux server or some other Windows server and still be able to generate the certificate request.

The Windows version of OpenSSL can be downloaded from https://slproweb.com/products/Win32OpenSSL.html

Choose the 64-bit OpenSSL full version and install it. 

Once installed, press the Windows Start button and browse to OpenSSL on the list of programs. There is an icon under that for Win64 OpenSSL Command Prompt. Click the icon, and it opens up a DOS command window with all the appropriate set commands for running OpenSSL. Use the command prompt in the next section.

Image displays the OpenSSL entries in Windows Start menu, highlighting "Win64 OpenSSL Command."

 

Use Config Files and OpenSSL to Create Certificate Request Files

Start the Win64 OpenSSL command prompt window. Once it is open, cd to the directory where your ME4-A.cnf and ME4-B.cnf files are. The steps below are to be completed twice - once for the ME4-A file and once for the ME4-B file.

For the A controller certificate request, use the ME4-A.cnf file. This command below generates a private key file and certificate request file for the A controller. 

openssl req -out ME4-A.csr -newkey rsa:2048 -nodes -keyout ME4-A.key -config ME4-A.cnf

When the command is complete, there is a "ME4-A.csr" (certificate request file for A) and a "ME4-A.key" (private key file for A).

Repeat this for the B controller, substituting ME4-B for ME4-A in the command line. When the steps are complete, there should be four files required to generate our two certificates:

  • ME4-A.csr

  • ME4-A.key

  • ME4-B.csr

  • ME4-B.key

Copy those files to the AD CS server to prepare to generate the certificates.

Generate the ME4 Controller Certificates

Copy the ".key" and ".csr" files to a directory on your ADCS server. Open a DOS command prompt on the ADCS server. In the command prompt, "cd" into the directory that has those files. This example uses the standard ADCS template WebServer. If you require parameters that differ from those in the WebServer template, create your own template and reference it in the command below.

Run the following command to generate the certificate for the A controller.

certreq -submit -attrib "CertificateTemplate:WebServer" ME4-A.csr ME4-A.cer

Because this example uses the ADCS server, there is no requirement to add the option -config DOMAINCA\CA1 to define the ADCS on the command line. A dialog box shows on the screen displaying the ADCS and allows selection when the command is run on the ADCS server.

Image shows a dialog box displaying the ADCS and selection options when the command is run on the ADCS server.


Once the command is completed, it shows a request ID in the command-line output. An ME4-A.cer file is also created in that directory, which is the required certificate.

C:\Users\Administrator\Downloads\ME4Certs>certreq -submit -attrib "CertificateTemplate:WebServer" ME4-A.csr ME4-A.cer
Active Directory Enrollment Policy
  {0CCDC8D2-7840-40BE-819F-A7EA9535C5D6}
  ldap:
RequestId: 19
RequestId: "19"
Certificate retrieved(Issued) Issued


The Request ID shown is 19 and can be now seen in the MMC for the AD Certification Authority as a valid certificate under Issued Certificates.

Image shows windows MMC for the AD Certification Authority with the valid certificate under Issued Certificates.


To see the parameters of the certificate, right click the request ID and select Open.

Image shows certificate properties of an installed certificate.


This certificate is valid for both the common name - me4.mscerttest.com - and the controller name - me4-a.mscerttest.com - because the certificate subject uses alternate names in our configuration file.

Repeat this for the B controller, substituting ME4-B for ME4-A in the command line. This produces a different request ID for this certificate since the A and B certificates are two different certificates.

When this is completed, the directory should have two certificate files. These files and their associated ".key" files are what is uploaded to the ME4 A and B controller. Copy the A and B .cer files generated with ADCS and the A and B ".key" files generated from OpenSSL to a common directory for the next step.

  • ME4-A.cer

  • ME4-A.key

  • ME4-B.cer

  • ME4-B.key

 

Upload Certificates to the Controllers

Transfer the A certificate and A key file to the A controller with FTP, and do the same for the B certificate and key file. Then reboot the management services on both controllers to enable the certificates. 

This upload is described in another Dell support article - PowerVault ME4: Installing And Removing Custom Certificates

There are two differences from that article for this upload.

  1. The names of the files for upload in that article end in ".pem"

    1. The ".cer" and ".key" file extensions do not have to be changed when uploading - the files can be used as is.

  2. There is an error at the end of the FTP upload because the ME4 does not know how to contact your AD CS certificate authority to verify the certificate. The certificate has been uploaded correctly and is valid so the error can be ignored. The error looks like:

 

Verifying uploaded certificate and key.
ERROR: cert verify FAILED.
       <C = US, ST = New Hampshire, L = Nashua, O = Dell, OU = IT, CN = me4-a.mscerttest.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error /mnt/ramdisk/apphome/cert-file.pending: verification failed>
Warning: The uploaded SSL certificate did not pass openssl validation. 
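The ME4 reports this error because it runs a chain check without the issuer certificate. The same check can be run on a host that does have the ADCS CA certificate, together with the key-pair and subjectAltName checks this procedure relies on. The following POSIX shell script is an added example and is not part of the original article; check_cert, make_sample, the throwaway "Demo CA" and the PEM-format ca.cer file name are assumptions made for the illustration.

```shell
#!/bin/sh
# Prints "ok" if CERT chains to CA, matches KEY and names every FQDN given.
check_cert() {
  cert=$1; key=$2; ca=$3; shift 3
  # Chain: the check the ME4 cannot do, since it lacks the issuer certificate.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo chain; return 1; }
  # Key pair: the certificate's public key must equal the key file's public half.
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] || { echo key; return 1; }
  # Names: every expected FQDN must be present as a DNS subjectAltName.
  sans=$(openssl x509 -in "$cert" -noout -text | grep -o 'DNS:[^,[:space:]]*')
  for fqdn in "$@"; do
    echo "$sans" | grep -qxF "DNS:$fqdn" || { echo "san:$fqdn"; return 1; }
  done
  echo ok
}

# Constructed sample: a throwaway CA stands in for ADCS; the request is built
# from a trimmed copy of the article's ME4-A.cnf (ca_ext is for the demo CA).
make_sample() {
  d=$1
  cat >"$d/ME4-A.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = req_ext
prompt = no
[ dn ]
commonName = me4-a.mscerttest.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = me4.mscerttest.com
DNS.2 = me4-a.mscerttest.com
[ ca_ext ]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -config "$d/ME4-A.cnf" -extensions ca_ext \
    -keyout "$d/ca.key" -out "$d/ca.cer" 2>/dev/null
  openssl req -out "$d/ME4-A.csr" -newkey rsa:2048 -nodes \
    -keyout "$d/ME4-A.key" -config "$d/ME4-A.cnf" 2>/dev/null
  openssl x509 -req -in "$d/ME4-A.csr" -CA "$d/ca.cer" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -extfile "$d/ME4-A.cnf" -extensions req_ext \
    -out "$d/ME4-A.cer" 2>/dev/null
}

tmp=$(mktemp -d) && make_sample "$tmp"
check_cert "$tmp/ME4-A.cer" "$tmp/ME4-A.key" "$tmp/ca.cer" \
  me4.mscerttest.com me4-a.mscerttest.com
```

Against real files, call check_cert with the ".cer" from certreq, the ".key" from OpenSSL, the issuing CA certificate in PEM form, and the FQDNs that controller must answer to.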

 

Verify the Certificates Have no SSL Errors
The final steps are to:

  • Open a browser

  • Create an https connection to the common name

  • Create an https connection to both the A and B controller FQDN

  • Ensure that no SSL errors occur


Note: When the common name is used, it goes to one of the controllers repeatedly by default. Verify that the common name connects to the other controller. This can be done by restarting the management services on the controller the common name is using. Now confirm it connects to the other controller for the common FQDN.

Affected Products

OEMR ME40XX and ME4XX, Dell EMC PowerVault ME4012, Dell EMC PowerVault ME4024, Dell EMC PowerVault ME4084
Article Properties
Article Number: 000193591
Article Type: How To
Last Modified: 08 Aug 2025
Version:  3