Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
Some article numbers may have changed. If this isn't what you're looking for, try searching all articles. Search articles

ECS: Data and management SSL certificate tool

Summary: The ECS certificate tool can assist you with uploading SSL certificates to the ECS data and management interfaces.

This article applies to   This article does not apply to 

Instructions

Installation
Configuration
Viewing your current certificates
Creating a certificate signing request
Creating a self-signed certificate
Uploading your certificate


Installation

  1. Download latest version of the tool attached on this knowledge article
  2. Upload the tool to /home/admin on one of the ECS nodes.
  3. Change to the /home/admin directory and extract the package.
# cd /home/admin
# tar -zxvf ecs_certificate_tool-1.5.tgz
  1. Change into the certificate tool directory.
# cd ecs_certificate_tool-1.5
  1. Configure root UI credentials for the tool to use.
Command:
# python ecs_certificate_tool.py configure_credentials
Example:
admin@:~/ecs_certificate_tool-release-1.4> python ecs_certificate_tool.py configure_credentials
ecs_certificate_tool v1.4

=======> Configuring Credentials

Please enter the password for the root management user:
Authenticating using configured credentials..PASS

Successfully configured credentials!
  1. Use the certificate tool to generate your Subject Alternative Name (SAN) configuration. You must manually add the fqdn and ip-address of your load balancer if you are using one.
Command:
python ecs_certificate_tool.py generate_san
Example:
generate_san
ecs_certificate_tool v1.0
log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log

======================================================================
Generating SAN (subject alternative name) config.
======================================================================

----------------------------------------------------------------------
Setting DATA_SUBJECT_ALTERNATIVE_NAME config
----------------------------------------------------------------------
Set DNS_NAMES to :
['layton-ex3000.example.com',
 'ogden-ex3000.example.com',
 'orem-ex3000.example.com',
 'provo-ex3000.example.com',
 'sandy-ex3000.example.com']

Set IP_ADDRESSES to :
['192.0.2.104',
 '192.0.2.105',
 '192.0.2.106',
 '192.0.2.107',
 '192.0.2.108']

----------------------------------------------------------------------
Setting MANAGEMENT_SUBJECT_ALTERNATIVE_NAME config
----------------------------------------------------------------------
Set DNS_NAMES to :
['layton-ex3000.example.com',
 'ogden-ex3000.example.com',
 'orem-ex3000.example.com',
 'provo-ex3000.example.com',
 'sandy-ex3000.example.com']

Set IP_ADDRESSES to :
['192.0.2.104',
 '192.0.2.105',
 '192.0.2.106',
 '192.0.2.107',
 '192.0.2.108']

Wrote changes to: /home/admin/ecs_certificate_tool-1.0/config.ini
DONE
 

Configuration

  • The config.ini file is where you set all the values for your certificate.
  • If you do not want to use a value, just leave it blank like in the example below:
# optional unit name
ORGANIZATIONAL_UNIT_NAME =
  • Here is an example of what the default config.ini looks like:
[GENERAL]
COMMON_NAME = *.ecs.example.com
# Two letter country name
COUNTRY_NAME = US
LOCALITY_NAME = Salt Lake City
STATE_OR_PROVINCE_NAME = Utah
STREET_ADDRESS = 123 Example Street
ORGANIZATION_NAME = Example Inc.
# optional unit name
ORGANIZATIONAL_UNIT_NAME =
# optional email address
EMAIL_ADDRESS = example@example.com

[UI_CREDENTIALS]
USERNAME = root
PASSWORD = ChangeMe

[SELF_SIGNED]
# 1825 days = 5 years
VALID_DAYS = 1825

[DATA_SUBJECT_ALTERNATIVE_NAME]
DNS_NAMES = node1.ecs.example.com node2.ecs.example.com node3.ecs.example.com
IP_ADDRESSES = 192.0.2.1 192.0.2.2 192.0.2.3 192.0.2.4

[MANAGEMENT_SUBJECT_ALTERNATIVE_NAME]
DNS_NAMES = node1.ecs.example.com node2.ecs.example.com node3.ecs.example.com
IP_ADDRESSES = 198.51.100.1 198.51.100.2 198.51.100.3 198.51.100.4

[ADVANCED]
# Probably dont use these unless you really know what your doing
SERIAL_NUMBER =
SURNAME =
GIVEN_NAME =
TITLE =
GENERATION_QUALIFIER =
X500_UNIQUE_IDENTIFIER =
DN_QUALIFIER =
PSEUDONYM =
USER_ID =
DOMAIN_COMPONENT =
JURISDICTION_COUNTRY_NAME =
JURISDICTION_LOCALITY_NAME =
BUSINESS_CATEGORY =
POSTAL_ADDRESS =
POSTAL_CODE =
INN =
OGRN =
SNILS =
UNSTRUCTURED_NAME =
 

Viewing your current certificates

  1. Run ecs_certificate_tool view_certs operation.
Command:
# python ecs_certificate_tool.py  view_certs
Example:
ecs_certificate_tool v1.0
log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log

Authenticating using configured credentials..PASS

----------------------------------------------------------------------
View certificates
----------------------------------------------------------------------

======================================================================
Data Certificate:
======================================================================

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3b:0f:a3:e2:fa:0a:90:14:86:6c:a3:3a:26:5c:0b:8d:6e:18:7d:eb
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=*.ecs.example.com, C=US, L=Salt Lake City, ST=Utah/street=123 Example Street, O=Example Inc./emailAddress=example@example.com
        Validity
            Not Before: Oct 17 18:35:06 2020 GMT
            Not After : Oct 16 18:35:06 2025 GMT
        Subject: CN=*.ecs.example.com, C=US, L=Salt Lake City, ST=Utah/street=123 Example Street, O=Example Inc./emailAddress=example@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ad:13:ea:31:bb:13:30:fc:ad:75:1a:84:16:53:
                    76:9d:0d:96:60:69:04:70:ad:00:76:c5:e4:f0:39:
                    3d:e3:9b:2e:2a:06:0b:ae:29:16:22:69:73:1d:2b:
                    27:73:68:7a:42:62:84:37:9b:7e:7f:60:48:aa:80:
                    14:96:07:52:ac:d5:dd:1f:af:59:3b:88:5e:15:43:
                    f1:9e:29:91:0a:6d:19:8e:41:4b:3c:9f:0c:64:16:
                    5c:c6:61:a6:c7:28:a9:9e:14:81:10:7e:4a:4f:25:
                    93:20:d9:5b:fe:b3:ac:56:28:f0:89:2c:e3:97:18:
                    df:1d:e3:1b:6d:c5:08:fb:d6:97:81:82:b1:6b:33:
                    45:1d:de:7a:30:5c:6d:4a:70:96:06:f8:05:48:a7:
                    89:ad:ce:db:99:f2:61:88:92:75:e5:cf:d2:b1:2c:
                    28:60:6f:5e:ba:6c:02:f4:12:90:be:eb:6d:48:ae:
                    b2:3a:6e:76:a6:02:b1:9e:f7:95:2c:65:8a:80:1a:
                    64:52:ec:f5:0c:2b:c8:87:a7:e5:4d:f7:34:60:a5:
                    49:03:30:27:10:8d:ad:4e:92:52:8b:d9:6b:ad:2d:
                    15:60:a5:26:fc:1b:1d:69:9f:5c:a3:0f:d9:cb:b9:
                    1d:68:30:6c:c8:ca:e1:71:4b:88:bd:98:d7:10:ae:
                    89:c5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:node1.ecs.example.com, DNS:node2.ecs.example.com, DNS:node3.ecs.example.com, IP Address:192.0.2.1, IP Address:192.0.2.2, IP Address:192.0.2.3, IP Address:192.0.2.4
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication
            X509v3 Authority Key Identifier:
                0.
    Signature Algorithm: sha256WithRSAEncryption
         33:85:7e:3b:fd:fd:3a:35:97:17:11:2d:4d:e1:7e:03:35:82:
         8a:47:30:ed:b2:f9:1b:b4:22:a2:60:00:b5:9c:aa:6c:0d:e7:
         ea:c7:0a:e6:05:24:7d:bd:50:ab:23:9b:16:6a:e7:be:e9:21:
         26:61:0e:e5:e1:62:7e:d8:01:3a:3e:19:14:89:c2:ef:62:a0:
         17:5c:80:2b:24:6b:96:73:fa:b0:8f:4d:09:0e:69:4f:72:f0:
         4d:b1:13:8d:90:4e:18:4b:82:be:fd:48:b0:c2:9d:9c:43:d9:
         d9:73:e6:15:88:79:1f:3e:13:ec:c9:6f:5f:2a:08:7c:a7:5d:
         b4:e1:50:0f:3c:49:e3:e4:9f:8f:dd:e0:b5:b5:2d:d8:2d:29:
         94:2d:4b:66:20:36:f0:ae:3a:ae:a4:c5:91:3c:f4:2a:d6:f5:
         24:ec:7b:3a:96:d6:75:91:f9:b3:1c:8a:93:87:1b:d7:f2:f7:
         72:4d:0c:02:b9:2e:ab:f6:76:ca:c5:74:39:e0:a0:54:2b:85:
         4d:dd:e6:c7:fc:d0:e7:bc:3e:9e:98:19:e5:ed:ad:5f:4b:ea:
         20:17:c5:23:eb:09:ad:8e:13:57:75:78:f9:68:bb:18:34:fc:
         3a:26:94:90:5e:ed:a6:09:bb:14:5c:bd:2e:d3:5b:c4:43:08:
         66:95:e7:ee


======================================================================
Management Certificate:
======================================================================

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3b:0f:a3:e2:fa:0a:90:14:86:6c:a3:3a:26:5c:0b:8d:6e:18:7d:eb
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=*.ecs.example.com, C=US, L=Salt Lake City, ST=Utah/street=123 Example Street, O=Example Inc./emailAddress=example@example.com
        Validity
            Not Before: Oct 17 18:35:06 2020 GMT
            Not After : Oct 16 18:35:06 2025 GMT
        Subject: CN=*.ecs.example.com, C=US, L=Salt Lake City, ST=Utah/street=123 Example Street, O=Example Inc./emailAddress=example@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ad:13:ea:31:bb:13:30:fc:ad:75:1a:84:16:53:
                    76:9d:0d:96:60:69:04:70:ad:00:76:c5:e4:f0:39:
                    3d:e3:9b:2e:2a:06:0b:ae:29:16:22:69:73:1d:2b:
                    27:73:68:7a:42:62:84:37:9b:7e:7f:60:48:aa:80:
                    14:96:07:52:ac:d5:dd:1f:af:59:3b:88:5e:15:43:
                    f1:9e:29:91:0a:6d:19:8e:41:4b:3c:9f:0c:64:16:
                    5c:c6:61:a6:c7:28:a9:9e:14:81:10:7e:4a:4f:25:
                    93:20:d9:5b:fe:b3:ac:56:28:f0:89:2c:e3:97:18:
                    df:1d:e3:1b:6d:c5:08:fb:d6:97:81:82:b1:6b:33:
                    45:1d:de:7a:30:5c:6d:4a:70:96:06:f8:05:48:a7:
                    89:ad:ce:db:99:f2:61:88:92:75:e5:cf:d2:b1:2c:
                    28:60:6f:5e:ba:6c:02:f4:12:90:be:eb:6d:48:ae:
                    b2:3a:6e:76:a6:02:b1:9e:f7:95:2c:65:8a:80:1a:
                    64:52:ec:f5:0c:2b:c8:87:a7:e5:4d:f7:34:60:a5:
                    49:03:30:27:10:8d:ad:4e:92:52:8b:d9:6b:ad:2d:
                    15:60:a5:26:fc:1b:1d:69:9f:5c:a3:0f:d9:cb:b9:
                    1d:68:30:6c:c8:ca:e1:71:4b:88:bd:98:d7:10:ae:
                    89:c5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:node1.ecs.example.com, DNS:node2.ecs.example.com, DNS:node3.ecs.example.com, IP Address:192.0.2.1, IP Address:192.0.2.2, IP Address:192.0.2.3, IP Address:192.0.2.4
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication
            X509v3 Authority Key Identifier:
                0.
    Signature Algorithm: sha256WithRSAEncryption
         33:85:7e:3b:fd:fd:3a:35:97:17:11:2d:4d:e1:7e:03:35:82:
         8a:47:30:ed:b2:f9:1b:b4:22:a2:60:00:b5:9c:aa:6c:0d:e7:
         ea:c7:0a:e6:05:24:7d:bd:50:ab:23:9b:16:6a:e7:be:e9:21:
         26:61:0e:e5:e1:62:7e:d8:01:3a:3e:19:14:89:c2:ef:62:a0:
         17:5c:80:2b:24:6b:96:73:fa:b0:8f:4d:09:0e:69:4f:72:f0:
         4d:b1:13:8d:90:4e:18:4b:82:be:fd:48:b0:c2:9d:9c:43:d9:
         d9:73:e6:15:88:79:1f:3e:13:ec:c9:6f:5f:2a:08:7c:a7:5d:
         b4:e1:50:0f:3c:49:e3:e4:9f:8f:dd:e0:b5:b5:2d:d8:2d:29:
         94:2d:4b:66:20:36:f0:ae:3a:ae:a4:c5:91:3c:f4:2a:d6:f5:
         24:ec:7b:3a:96:d6:75:91:f9:b3:1c:8a:93:87:1b:d7:f2:f7:
         72:4d:0c:02:b9:2e:ab:f6:76:ca:c5:74:39:e0:a0:54:2b:85:
         4d:dd:e6:c7:fc:d0:e7:bc:3e:9e:98:19:e5:ed:ad:5f:4b:ea:
         20:17:c5:23:eb:09:ad:8e:13:57:75:78:f9:68:bb:18:34:fc:
         3a:26:94:90:5e:ed:a6:09:bb:14:5c:bd:2e:d3:5b:c4:43:08:
         66:95:e7:ee



DONE
 

Please select from the list below on what type of certificate you would like to create:

Creating a certificate signing request
Creating a self-signed certificate


Creating a certificate signing request

Usage:
ecs_certificate_tool v1.3
usage: ecs_certificate_tool.py create_csr [-h] [-k {1024,2048,4096}] (-d | -m)

optional arguments:
  -h, --help            show this help message and exit
  -k {1024,2048,4096}, --key_size {1024,2048,4096}
                        Private key size for RSA private key generation
                        (default=2048)
  -d, --data            Create certificate signing request for data interface
                        (ports 9020, 9021, 3218) (S3, CAS, NFS, etc)
  -m, --management      Create certificate signing request for management
                        interface (WEB UI)
Creating a CSR for the data interface:
admin@provo-ex3000:~/ecs_certificate_tool-1.0> python ./ecs_certificate_tool.py create_csr -d
ecs_certificate_tool v1.0
log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log

----------------------------------------------------------------------
Validating REST API Credentials
----------------------------------------------------------------------

Authenticating using configured credentials..PASS


----------------------------------------------------------------------
Validating GENERAL configuration
----------------------------------------------------------------------

Validating COMMON_NAME = *.ecs.example.com..PASS
Validating COUNTRY_NAME = US..PASS
Validating LOCALITY_NAME = Salt Lake City..PASS
Validating STATE_OR_PROVINCE_NAME = Utah..PASS
Validating STREET_ADDRESS = 123 Example Street..PASS
Validating ORGANIZATION_NAME = Example Inc...PASS
Validating EMAIL_ADDRESS = example@example.com..PASS
----------------------------------------------------------------------
Validating DNS_NAMES configuration
----------------------------------------------------------------------

Validating DNSName: node1.ecs.example.com..PASS
Validating DNSName: node2.ecs.example.com..PASS
Validating DNSName: node3.ecs.example.com..PASS

----------------------------------------------------------------------
Validating IP_ADDRESSES configuration
----------------------------------------------------------------------

Validating IPv4Address: 192.0.2.1..PASS
Validating IPv4Address: 192.0.2.2..PASS
Validating IPv4Address: 192.0.2.3..PASS
Validating IPv4Address: 192.0.2.4..PASS

Validating SELF_SIGNED..PASS

All configurations items validated successfully!

Creating RSA private key..DONE
Wrote private key to /home/admin/ecs_certificate_tool-1.0/FNM00181300310-data_private.key
----------------------------------------------------------------------
Certificate Signing Request
----------------------------------------------------------------------

Creating Certificate Signing Request..DONE
Wrote certificate signing request to /home/admin/ecs_certificate_tool-1.0/FNM00181300310-data.csr
Creating a CSR for the management interface:
admin@provo-ex3000:~/ecs_certificate_tool-1.0> python ./ecs_certificate_tool.py create_csr -m
ecs_certificate_tool v1.0
log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log

----------------------------------------------------------------------
Validating REST API Credentials
----------------------------------------------------------------------

Authenticating using configured credentials..PASS


----------------------------------------------------------------------
Validating GENERAL configuration
----------------------------------------------------------------------

Validating COMMON_NAME = *.ecs.example.com..PASS
Validating COUNTRY_NAME = US..PASS
Validating LOCALITY_NAME = Salt Lake City..PASS
Validating STATE_OR_PROVINCE_NAME = Utah..PASS
Validating STREET_ADDRESS = 123 Example Street..PASS
Validating ORGANIZATION_NAME = Example Inc...PASS
Validating EMAIL_ADDRESS = example@example.com..PASS
----------------------------------------------------------------------
Validating DNS_NAMES configuration
----------------------------------------------------------------------

Validating DNSName: node1.ecs.example.com..PASS
Validating DNSName: node2.ecs.example.com..PASS
Validating DNSName: node3.ecs.example.com..PASS

----------------------------------------------------------------------
Validating IP_ADDRESSES configuration
----------------------------------------------------------------------

Validating IPv4Address: 198.51.100.1..PASS
Validating IPv4Address: 198.51.100.2..PASS
Validating IPv4Address: 198.51.100.3..PASS
Validating IPv4Address: 198.51.100.4..PASS

Validating SELF_SIGNED..PASS

All configurations items validated successfully!

Creating RSA private key..DONE
Wrote private key to /home/admin/ecs_certificate_tool-1.0/FNM00181300310-management_private.key
----------------------------------------------------------------------
Certificate Signing Request
----------------------------------------------------------------------

Creating Certificate Signing Request..DONE
Wrote certificate signing request to /home/admin/ecs_certificate_tool-1.0/FNM00181300310-management.csr
 

Creating a self-signed certificate

Usage:
ecs_certificate_tool v1.3
usage: ecs_certificate_tool.py create_ssc [-h] [-k {1024,2048,4096}] (-d | -m)

optional arguments:
  -h, --help            show this help message and exit
  -k {1024,2048,4096}, --key_size {1024,2048,4096}
                        Private key size for RSA private key generation
                        (default=2048)
  -d, --data            Create self-signed certificate for data interface
                        (ports 9020, 9021, 3218) (S3, CAS, NFS, etc)
  -m, --management      Create self-signed certificate for management
                        interface (WEB UI)
Creating a self-signed certificate for the data interface:
admin@provo-ex3000:~/ecs_certificate_tool-1.0> python ./ecs_certificate_tool.py create_ssc -d
ecs_certificate_tool v1.0
log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log

----------------------------------------------------------------------
Validating REST API Credentials
----------------------------------------------------------------------

Authenticating using configured credentials..PASS


----------------------------------------------------------------------
Validating GENERAL configuration
----------------------------------------------------------------------

Validating COMMON_NAME = *.ecs.example.com..PASS
Validating COUNTRY_NAME = US..PASS
Validating LOCALITY_NAME = Salt Lake City..PASS
Validating STATE_OR_PROVINCE_NAME = Utah..PASS
Validating STREET_ADDRESS = 123 Example Street..PASS
Validating ORGANIZATION_NAME = Example Inc...PASS
Validating EMAIL_ADDRESS = example@example.com..PASS
----------------------------------------------------------------------
Validating DNS_NAMES configuration
----------------------------------------------------------------------

Validating DNSName: node1.ecs.example.com..PASS
Validating DNSName: node2.ecs.example.com..PASS
Validating DNSName: node3.ecs.example.com..PASS

----------------------------------------------------------------------
Validating IP_ADDRESSES configuration
----------------------------------------------------------------------

Validating IPv4Address: 192.0.2.1..PASS
Validating IPv4Address: 192.0.2.2..PASS
Validating IPv4Address: 192.0.2.3..PASS
Validating IPv4Address: 192.0.2.4..PASS

Validating SELF_SIGNED..PASS

All configurations items validated successfully!

Creating RSA private key..DONE
Wrote private key to /home/admin/ecs_certificate_tool-1.0/FNM00181300310-data_private.key
----------------------------------------------------------------------
Self-signed certificate
----------------------------------------------------------------------

Creating self-signed certificate..DONE
Wrote Certificate to: /home/admin/ecs_certificate_tool-1.0/FNM00181300310-data.crt
admin@provo-ex3000:~/ecs_certificate_tool-1.0>
Creating a self-signed certificate for the management interface:
admin@provo-ex3000:~/ecs_certificate_tool-1.0> python ./ecs_certificate_tool.py create_ssc -m
ecs_certificate_tool v1.0
log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log

----------------------------------------------------------------------
Validating REST API Credentials
----------------------------------------------------------------------

Authenticating using configured credentials..PASS


----------------------------------------------------------------------
Validating GENERAL configuration
----------------------------------------------------------------------

Validating COMMON_NAME = *.ecs.example.com..PASS
Validating COUNTRY_NAME = US..PASS
Validating LOCALITY_NAME = Salt Lake City..PASS
Validating STATE_OR_PROVINCE_NAME = Utah..PASS
Validating STREET_ADDRESS = 123 Example Street..PASS
Validating ORGANIZATION_NAME = Example Inc...PASS
Validating EMAIL_ADDRESS = example@example.com..PASS
----------------------------------------------------------------------
Validating DNS_NAMES configuration
----------------------------------------------------------------------

Validating DNSName: node1.ecs.example.com..PASS
Validating DNSName: node2.ecs.example.com..PASS
Validating DNSName: node3.ecs.example.com..PASS

----------------------------------------------------------------------
Validating IP_ADDRESSES configuration
----------------------------------------------------------------------

Validating IPv4Address: 198.51.100.1..PASS
Validating IPv4Address: 198.51.100.2..PASS
Validating IPv4Address: 198.51.100.3..PASS
Validating IPv4Address: 198.51.100.4..PASS

Validating SELF_SIGNED..PASS

All configurations items validated successfully!

Creating RSA private key..DONE
Wrote private key to /home/admin/ecs_certificate_tool-1.0/FNM00181300310-management_private.key
----------------------------------------------------------------------
Self-signed certificate
----------------------------------------------------------------------

Creating self-signed certificate..DONE
Wrote Certificate to: /home/admin/ecs_certificate_tool-1.0/FNM00181300310-management.crt
 

Uploading your certificate

If you are using a self-signed certificate that this tool generated, the private key and certificate are already in your current directory.

If you have a certificate that is signed by a CA, upload it to the ECS and put it in the certificate tool directory.

Note: Ensure you upload the full certificate chain (root/intermediate) if required for your environment. See #Example_Certificates if needed.


Data Certificate

Command:
# python ecs_certificate_tool.py upload_certificate -c <path to certificate> -p <path to private key> --data
Example:
admin@provo-ex3000:~/ecs_certificate_tool-1.0> python ecs_certificate_tool.py upload_certificate -c ./FNM00181300310-data.crt -p FNM00181300310-data_private.key --data     ecs_certificate_tool v1.0
log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log

----------------------------------------------------------------------
Upload Certificate
----------------------------------------------------------------------

Authenticating using configured credentials..PASS

Reading certificate from: ./FNM00181300310-data.crt..DONE
Reading private key from: FNM00181300310-data_private.key..DONE
Verifying the private key matches the certificate..DONE
Uploading the certificate to ECS..DONE

admin@provo-ex3000:~/ecs_certificate_tool-1.0>

After uploading the certificate, you have two options:
1. Wait 2 hours for dataheadsvc to propagate the new certificate across the cluster.
2. Manually restart dataheadsvc on the node you ran the tool from, but note that this can have a brief impact.

Command to restart dataheadsvc:
# sudo kill -9 `pidof dataheadsvc`
 

Management Certificate

Command:
# python ./ecs_certificate_tool.py upload_certificate -c <path to certificate> -p <path to private key> --management
Example:
admin@provo-ex3000:~/ecs_certificate_tool-1.0> python ./ecs_certificate_tool.py upload_certificate -c ./FNM00181300310-management.crt -p FNM00181300310-management_private.key -m
ecs_certificate_tool v1.0
log_file: /home/admin/ecs_certificate_tool-1.0/certificate_tool.log

----------------------------------------------------------------------
Upload Certificate
----------------------------------------------------------------------

Authenticating using configured credentials..PASS

Reading certificate from: ./FNM00181300310-management.crt..DONE
Reading private key from: FNM00181300310-management_private.key..DONE
Verifying the private key matches the certificate..DONE
Uploading the certificate to ECS..DONE

After uploading the new management certificate, you must perform rolling restarts of objcontrolsvc/nginx across the cluster. This may have a minimal impact on UI access.

1. Generate a cluster wide "MACHINES" file:
# sudo getclusterinfo -a /root/MACHINES.VDC && sudo viprscp -f /root/MACHINES.VDC /root/MACHINES.VDC /root/;sudo viprscp -f /root/MACHINES.VDC /root/MACHINES.VDC /home/admin/;sudo viprexec -i -f /home/admin/MACHINES.VDC "pingall; md5sum /root/MACHINES.VDC /home/admin/MACHINES.VDC" 
2. Restart objcontrolsvc across the cluster:
# viprexec -f ~/MACHINES.VDC -i 'pidof objcontrolsvc; kill -9 `pidof objcontrolsvc`; sleep 60; pidof objcontrolsvc'
3. Restart nginx across the cluster:
# viprexec -f ~/MACHINES.VDC -i -c "/etc/init.d/nginx restart;sleep 60;/etc/init.d/nginx status"
 

Example Certificates

full chain (root/intermediate/ecs)

-----BEGIN CERTIFICATE-----
<content of your ECS certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<content of intermediate certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<content of root certificate>
-----END CERTIFICATE-----

Additional Information

Release Notes:
12/12/2020     1.0 - Fix outputting when password not configured in config.ini during view_certs operation

02/12/2021     1.1 - Support different hostnames for data/management interfaces #3
                   - Rewrote view_certs so it works if no certs have been uploaded yet. #2
                   - backup original certifiate before uploading new one. #1

04/07/2021     1.2 - nuke certs #10
                   - fix urllib3 warnings
                   - fix logging
                   - output additional info when viewing certs #9
07/06/2021     1.3 - Support 1024/2048/4096 private key sizes #14

09/24/2021     1.4 - #18 - Fix bug in get_issuer
                   - #19 - Remove sudo requirement and force admin user
                   - #23 - Handle Credentials with ?{}|&~![()^"

Actions:
admin@provo-ex3000:~/ecs_certificate_tool-0.9> sudo python ./ecs_certificate_tool.py -h
ecs_certificate_tool v0.9
log_file: /home/admin/ecs_certificate_tool-0.9/certificate_tool.log
 
usage: ecs_certificate_tool.py [-h]
                               {view_certs,generate_san,create_csr,create_ssc,upload_certificate}
                               ...
 
positional arguments:
  {view_certs,generate_san,create_csr,create_ssc,upload_certificate}
                        sub-command help
    view_certs          Shows the current certificates on the data and
                        management interfaces
    generate_san        Generates the subject alternative name IP addresses
                        and domain names from fabric and adds them to the ini
                        config file
    create_csr          Create certificate signing request
    create_ssc          Create self-signed certificate
    upload_certificate  Upload certificate to the data interface
 
optional arguments:
  -h, --help            show this help message and exit

Create certificate signing request:
admin@provo-ex3000:~/ecs_certificate_tool-0.9> sudo python ./ecs_certificate_tool.py create_csr -h
ecs_certificate_tool v1.3
usage: ecs_certificate_tool.py create_csr [-h] [-k {1024,2048,4096}] (-d | -m)

optional arguments:
  -h, --help            show this help message and exit
  -k {1024,2048,4096}, --key_size {1024,2048,4096}
                        Private key size for RSA private key generation
                        (default=2048)
  -d, --data            Create certificate signing request for data interface
                        (ports 9020, 9021, 3218) (S3, CAS, NFS, etc)
  -m, --management      Create certificate signing request for management
                        interface (WEB UI)

Create self-signed certificate:
admin@provo-ex3000:~/ecs_certificate_tool-0.9> sudo python ./ecs_certificate_tool.py create_ssc -h
ecs_certificate_tool v1.3
usage: ecs_certificate_tool.py create_ssc [-h] [-k {1024,2048,4096}] (-d | -m)

optional arguments:
  -h, --help            show this help message and exit
  -k {1024,2048,4096}, --key_size {1024,2048,4096}
                        Private key size for RSA private key generation
                        (default=2048)
  -d, --data            Create self-signed certificate for data interface
                        (ports 9020, 9021, 3218) (S3, CAS, NFS, etc)
  -m, --management      Create self-signed certificate for management
                        interface (WEB UI)

Upload certificate:
admin@provo-ex3000:~/ecs_certificate_tool-0.9> sudo python ./ecs_certificate_tool.py upload_certificate -h
ecs_certificate_tool v0.9
log_file: /home/admin/ecs_certificate_tool-0.9/certificate_tool.log
 
usage: ecs_certificate_tool.py upload_certificate [-h] -c CERTIFICATE -p
                                                  PRIVATE_KEY (-d | -m)
 
optional arguments:
  -h, --help            show this help message and exit
  -c CERTIFICATE, --certificate CERTIFICATE
                        Filepath to the data certificate
  -p PRIVATE_KEY, --private_key PRIVATE_KEY
                        Filepath to private key with no password
  -d, --data            Upload certificate to the data interface
  -m, --management      Upload certificate to the management interface

Certificates should be formatted as follows:
——BEGIN CERTIFICATE——
host certificate
——END CERTIFICATE——
——BEGIN CERTIFICATE——
intermediate certificate
——END CERTIFICATE——
——BEGIN CERTIFICATE——
root certificate
——END CERTIFICATE——

Affected Products

ECS, ECS Appliance, ECS Appliance Gen 1, ECS Appliance Gen 2, ECS Appliance Gen 3, ECS Appliance Hardware Gen1 U-Series, ECS Appliance Hardware Gen1 C-Series, ECS Appliance Hardware Gen2 C-Series, ECS Appliance Hardware Gen2 D-Series , ECS Appliance Hardware Gen2 U-Series ...

Products

ECS Appliance Hardware Gen3 EX300, ECS Appliance Hardware Gen3 EX3000, ECS Appliance Hardware Gen3 EX500, ECS Appliance Hardware Gen3 EXF900, ECS Appliance Hardware Series, ECS Appliance Software with Encryption , ECS Appliance Software without Encryption, ECS SD ...