Dell Unity: How to replace Unisphere self-signed SSL certificates with signed certificates from a local Certificate Authority. (User Correctable)
Summary: How to replace Unity Unisphere self-signed SSL certificates with signed certificates from a local Certificate Authority.
Instructions
1. Generate a private key on Unity
Use the following command to generate an RSA private key with a 2048-bit length. The -out option specifies the filename for your private key.
service@unknown spa:~/user# openssl genrsa -out unitycert.pk 2048
Generating RSA private key, 2048 bit long modulus
............................+++
.........................................................................................+++
e is 65537 (0x10001)
2. Request a CSR on Unity
Use the private key to create the CSR. The -new option indicates a new request, -key specifies the private key file, and -out defines the CSR filename.
service@unknown spa:~/user# openssl req -new -key unitycert.pk -out unitycert.csr \
  -subj '/C=IE/ST=Cork/L=Ovens/O=DellEMC/CN=name.example.com' \
  -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:name.example.com,IP:192.0.2.1"))
"/C=IE/ST=Cork/L=Ovens/O=DellEMC/CN=name.example.com" and "DNS:name.example.com" are examples and must be changed for your environment (further details below). The IP option and the IP address in the SAN value are optional and can be omitted. Note that the <( ... ) process substitution used to append the SAN section to openssl.cnf requires a bash-style shell. The fields in -subj and the SAN extension stand for:
- C = Country Code
- ST = State or Province
- L = City or Locality
- O = Organization
- CN = Common Name (the FQDN you want to secure, in this case the Unity)
- SAN = Subject Alternative Name (the DNS name and IP address of the entity you want to secure, in this case the Unity)
3. Get the CSR signed by a Windows CA server, an OpenSSL CA server, or another CA server.
Deliver the CSR to the CA server using Method 1 or Method 2 below:
- Method 1: Print the CSR using the 'cat' command, copy it, paste it into a local text editor, and save it as unitycert.csr.
service@unknown spa:~/user# cat unitycert.csr
-----BEGIN CERTIFICATE REQUEST-----
<..snip..>
-----END CERTIFICATE REQUEST-----
- Method 2: Download the CSR by SCP.
Use a third-party tool, such as FileZilla or WinSCP, to connect to the Unity management IP (username: Service). The protocol must be set to SCP.
4. After the signed certificate is received from the CA server, upload it to Unity and name it unitycert.crt (matching unitycert.pk). There are now two files on Unity: unitycert.crt and unitycert.pk.
5. Use the svc_custom_cert command to install the certificate:
service@unknown spa:~/user# svc_custom_cert unitycert
Successfully installed custom certificate files.
Restarting web server ...
Sun May 22 05:37:48 2016:7645\0x7f44ba3e27c0:32:Module CIC/1.1.10.6 loaded
Note: Once step 5 succeeds, delete unitycert.crt, unitycert.pk, and unitycert.csr from the Unity array. Leaving them in /cores/service/user, in particular the private key unitycert.pk, is a security exposure.
Note: The following error can occur when installing the new certificate:
service@SPB spb:~/user# svc_custom_cert unitycert
ERROR: Certificate </tmp/cert.MIbZ4L/unitycert.crt> is invalid
The certificate must be base64 (PEM) encoded before it is installed. A DER-encoded certificate can be converted with the Windows tool "certutil":
Certutil -v -encode unitycert.crt unity64cert.crt
Input Length = 1520
Output Length = 2148
CertUtil: -encode command completed successfully.
Or it can be converted on the Unity system with the OpenSSL command:
openssl x509 -in <certificate file> -inform DER -outform PEM -out unitycert.crt
Once converted, install it using the Instructions above. See KB 19728: Dell EMC Unity: How to import an SSL certificate which has been signed by a local Certificate Authority (User Correctable) for more details.
If the certificate is already in PEM format but has the extension .cer, you can run:
openssl x509 -inform PEM -in <certificate file> -outform PEM -out unitycert.crt
Additional Information
This procedure also works with wildcard certificates.
Uploading certificate files that contain PKCS#7-encoded certificates, or any content in addition to the Base64-encoded certificate itself, can sometimes cause SP panics and other issues. In this case, trim the file down to only the "Base 64 encoded certificate" portion.
The svc_custom_cert script does not allow certificates that are signed with unsupported algorithms.
The only signature algorithms supported in CST:
SHA1_RSA
SHA256_RSA
SHA384_RSA
SHA512_RSA
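The following pre-flight script, added here as an example and not part of the Dell KB, checks a received certificate against the three failure causes this article describes before svc_custom_cert is run: DER rather than PEM encoding (the "Certificate ... is invalid" error), a certificate that does not belong to unitycert.pk, and a signature algorithm outside the four supported ones. The stand-in CA, the scratch directory and the ECDSA-signed "bad" certificate are constructed for the demo.

```shell
#!/bin/sh
# Added pre-flight checks for the procedure above; not part of the Dell KB.
# File names, the stand-in CA and the ECDSA "bad" certificate are constructed here.
set -eu

# Accept a certificate in PEM or DER (a DER file is what triggers the
# "Certificate ... is invalid" error) and always write PEM to $2.
normalize_cert() {
  if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
    openssl x509 -in "$1" -inform PEM -outform PEM -out "$2"
  elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then
    openssl x509 -in "$1" -inform DER -outform PEM -out "$2"
  else
    echo "not an X.509 certificate: $1" >&2; return 1
  fi
}

# Certificate $1 must carry the public key belonging to private key $2.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Signature algorithm must be one of the four that svc_custom_cert accepts.
sig_alg_supported() {
  openssl x509 -in "$1" -noout -text \
    | grep -Eq 'Signature Algorithm: sha(1|256|384|512)WithRSAEncryption'
}

# Run all three checks on a received file before calling svc_custom_cert.
preflight() {
  normalize_cert "$1" unitycert.crt && cert_matches_key unitycert.crt "$2" \
    && sig_alg_supported unitycert.crt
}

# --- constructed demo data, in a scratch directory ---
cd "$(mktemp -d)"
printf '[SAN]\nsubjectAltName=DNS:name.example.com,IP:192.0.2.1\n' > san.cnf
openssl genrsa -out unitycert.pk 2048 2>/dev/null
openssl req -new -key unitycert.pk -out unitycert.csr \
  -subj '/C=IE/ST=Cork/L=Ovens/O=DellEMC/CN=name.example.com'
# Stand-in for the local CA: sign the CSR with the SAN from san.cnf, then keep
# a DER copy of the result to exercise the conversion path.
openssl x509 -req -in unitycert.csr -signkey unitycert.pk -sha256 -days 365 \
  -extfile san.cnf -extensions SAN -out signed.pem 2>/dev/null
openssl x509 -in signed.pem -outform DER -out signed.der
# A certificate signed with ECDSA: svc_custom_cert would reject this one.
openssl ecparam -genkey -name prime256v1 -noout -out ec.pk
openssl req -x509 -new -key ec.pk -out ec.pem -days 1 -subj '/CN=ecdsa-test'
preflight signed.der unitycert.pk && echo "unitycert.crt is ready for svc_custom_cert"
```

On a real array, run preflight against the file the CA returned and unitycert.pk; a clean pass leaves a PEM unitycert.crt ready for step 5.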