Powerflex 4.x: How to sign and upload a chain of SSL certificates to PowerFlex Manager
Summary: PowerFlex Manager only allows one certificate to be uploaded under the Trusted CA Certificate option. If you have a chain of certificates, use the SSL Trusted Certificate option to upload the remaining certificates. ...
Instructions
The Appliance SSL Certificate is the default certificate for the PowerFlex Manager user interface; however, it can be replaced with a certificate signed by an external Certificate Authority (CA).
Step 1.
Go to Settings> Security> Appliance SSL Certificates> Generate Signing Request.
This generates the CSR string that must be added to a custom certificate.
The CSR can only be generated and uploaded once. In other words, after the CSR has been generated, you can only upload it once (Generate>Sign>Upload every single time).
Step 2.
The file that contains the CSR downloaded in step 1 must be uploaded to the SSL Certificate field under Settings > Security > Appliance SSL Certificates > Upload SSL Certificate. If there is only one CA certificate, upload it using the option Trusted CA Certificate to upload the certificate. If there is a chain of certificates, DO NOT attempt to upload a file with all of them or upload them one by one, since such a field only accepts one certificate. Upload the intermediate certificate that signed the PowerFlex Manager certificate.
Step 3. (If you have a chain of certificates that must be uploaded.)
Uploaded the rest of the certificates in the chain one by one in Settings> Security> SSL Trusted Certificates> Add
To confirm the CSR file was uploaded correctly, run this command. If the tls.key and the tls.crt has the same byte size, the CSR was uploaded correctly.
If the tls.key and the tls.crt has a different byte size from the CSR file that was used before, a new CSR file must be generated to sign and upload the certificate again:
kubectl describe secret -n powerflex default-ingress-tls
Once all certificates are uploaded, you can find them in the keycloack pod in the truststore. The certificates can be reviewed by running the following commands from one of the MVMs.
kubectl exec -n powerflex keycloak-0 --keytoll -list -keystore /opt/keycloak/certs/trustore..jks -storepass $(kubectl -n powerflex get secret keycloak-store-credential -o jsonpath='{.data.storepass}' | base64 --decode ; echo)
kubectl exec -n powerflex keycloak-0 --keytoll -list -keystore /opt/keycloak/certs/trustore..jks -storepass $(kubectl -n powerflex get secret keycloak-store-credential -o jsonpath='{.data.storepass}' | base64 --decode ; echo) -v