Dell Unity: How to Create a Secure CA Certificate Signing Request (CSR) on Unity (User correctable)
Summary: Browsers are expecting more information before they trust a CA Signed Certificate. This process creates a secure Certificate Signing Request (CSR) using a configuration file; the CSR is submitted to a CA Signing Server and the signed certificate is then imported into Unity. ...
Instructions
On Unity, create a CA Certificate Signing Request (CSR).
Unity 5.5
See Internal KB article.
Audience Level: Internal
https://www.dell.com/support/kbdoc/en-us/000308965
1. SSH into Unity as the user service.
2. Create a CA Certificate Signing Request (CSR) configuration file.
vi unity-cert.cnf
Copy the text between the two #=== lines in the working example below and paste it into the unity-cert.cnf file.
Edit the distinguished_name "dn" details to match your Unity's C, ST, L, OU, CN, and emailAddress needs.
Edit the subjectAltName "alt_names" details to match your Unity's Fully Qualified Domain Name (FQDN), hostname, and IP address needs.
Definitions of the distinguished name (dn) fields:
C=2 Letter Country Code
ST=State/Region
L=Location/City
O=Organization
OU=Organization Unit
CN=Common Name (Unity's Fully Qualified Domain Name (FQDN))
emailAddress=The email address of a Group or a Person that manages Unity and/or its Certificates.
The subjectAltName is the list of FQDN, hostname, and IP address values that can be used to browse to the Unity.
If there is only one DNS entry, you can use a single DNS=<name> line and remove or comment out the DNS.1 and DNS.2 entries.
Some sites do not permit IP addresses in the subjectAltName section. Remove or comment out the IP.1 line as required.
Below is a working example of unity-cert.cnf that you must edit to your requirements.
#===
[req]
default_bits=2048
prompt=no
default_md=sha256
distinguished_name=dn
req_extensions=v3_req # The extensions to add to a certificate request

[dn]
C=US
ST=Massachusetts
L=Hopkinton
O=Dell Technologies
OU=3CLAB
CN=unityf12.3clab.hop.ma.dell.com
emailAddress=3clabadmin@3clab.hop.ma.dell.com

[v3_req]
basicConstraints=critical,CA:FALSE
keyUsage=critical,nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names

[alt_names]
DNS.1=unityf12.3clab.hop.ma.dell.com
DNS.2=unityf12
IP.1=10.20.30.40
#===
Save the unity-cert.cnf file.
3. Create a Certificate Signing Request (.csr) and a Private Key (.pk) that is not PassPhrase protected. Unity only accepts a Private Key that is not PassPhrase protected.
openssl req -newkey rsa:2048 -nodes -keyout unity-cert.pk -config unity-cert.cnf -out unity-cert.csr
View the CSR and confirm that its distinguished_name and subjectAltName details meet the Unity requirements.
openssl req -verify -noout -text -in unity-cert.csr
4. Send the unity-cert.csr file to the CA Certificate Signing Server to be signed.
Use either scp or WinSCP (using scp protocol) to transfer the unity-cert.csr file.
The team signs the CSR with the CA's Certificate and creates a CA signed Certificate for Unity.
If the returned Certificate arrives with a (.cer) extension, it may be in the "DER" format; it must be converted to the "PEM" format with a (.crt) extension.
5. View the newly created CA Signed Certificate.
openssl x509 -noout -text -in unity-cert.crt
If you are unable to view the newly created certificate, convert the certificate from the "DER" format (.cer extension) to the "PEM" format (.crt extension), using the following command:
openssl x509 -inform der -in unity-cert.cer -outform pem -out unity-cert.crt
6. View the newly created (and, if necessary, converted) CA Signed Certificate.
openssl x509 -noout -text -in unity-cert.crt
Verify that the output of the CA-signed certificate is correct, then proceed to the next step.
7. Import the CA Signed Certificate and Unity's Private Key on the Unity. Two files with the same base name are needed:
a. The CA Signed Certificate with a (.crt) extension.
b. The Private Key that is not PassPhrase protected, with a (.pk) extension.
svc_custom_cert unity-cert
If Unity is running OE 5.5 and you get the error message
"ERROR: Could not determine private key strength"
request that a Senior Technical Support person apply the Internal update to svc_custom_cert before importing a CA-Signed Certificate.
Audience Level: Internal
https://www.dell.com/support/kbdoc/en-us/000308965
Unity's Management services will restart and load the new Certificate. This takes 2-5 minutes to complete.
Do not enter the PassPhrase. Unity only accepts a Private Key that is not PassPhrase protected.
Unity does not have a method to store a Private Key PassPhrase. Entering a PassPhrase causes Unity's Management Services to stop running. Go back and redo the above steps if a PassPhrase is asked for.
8. Once the new Certificate is imported, open your web browser and connect to Unity.
Depending on your needs, choose the appropriate URL to confirm that the certificate is trusted:
https://FQDN/
https://hostname/
https://Unity_IP_Address/
https://[Unity_IPv6_Address]/
Note: For my temporary Unity, as an example:
FQDN is unityf12.3clab.hop.ma.dell.com
Hostname is unityf12 (I had to ensure my workstation's domain search included 3clab.hop.ma.dell.com).
IP Address is 10.20.30.40
There is no IPv6 address specified.
As an example then, to browse to my Unity, I can use:
https://unityf12.3clab.hop.ma.dell.com/
https://unityf12/ (Ensure your workstation's domain search includes Unity's Domain)
https://10.20.30.40/
https://[Unity_IPv6_Address]/ (Note, my Unity does not have an IPv6 address to test.)
Additional Information
Using the procedure above does not involve scripting or enabling the service shell.
Extra steps to validate that the Private Key (.pk), the Certificate Signing Request (.csr), and the CA-Signed Certificate (.crt) belong together: the "modulus" of all three must match, so the three digests below must be identical.
openssl rsa -noout -modulus -in unity-cert.pk | sha256sum
openssl req -noout -modulus -in unity-cert.csr | sha256sum
openssl x509 -noout -modulus -in unity-cert.crt | sha256sum
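The checks from steps 3 to 7 and the modulus comparison above, gathered into one pre-import script. This is an added example, not Dell's svc_custom_cert or any other Unity tool; it assumes the key, CSR and certificate share a base name (unity-cert.pk, unity-cert.csr, unity-cert.crt or a DER unity-cert.cer) and that openssl, sha256sum and od are available on the machine where it runs.

```shell
# Added pre-import check for the files the procedure above produces. It is not
# Dell's svc_custom_cert; it only verifies that <base>.pk, <base>.csr and
# <base>.crt (or a DER <base>.cer returned by the CA) are what Unity expects.
set -u

# Print "pem", "der" or "unknown": PEM starts with "-----BEGIN", DER with 0x30.
file_kind() {
  if head -c 10 "$1" | grep -q '^-----BEGIN'; then echo pem
  elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]; then echo der
  else echo unknown; fi
}

# Unity cannot store a passphrase: the key must be PEM without "ENCRYPTED".
key_is_unencrypted() {
  [ "$(file_kind "$1")" = pem ] && ! grep -q ENCRYPTED "$1"
}

# Ensure <base>.crt exists as PEM, converting a DER <base>.cer (step 5 above).
ensure_pem_cert() {
  if [ -f "$1.crt" ] && [ "$(file_kind "$1.crt")" = pem ]; then return 0; fi
  [ -f "$1.cer" ] || return 1
  case "$(file_kind "$1.cer")" in
    der) openssl x509 -inform der -in "$1.cer" -outform pem -out "$1.crt" ;;
    pem) cp "$1.cer" "$1.crt" ;;
    *)   return 1 ;;
  esac
}

# sha256 of "Modulus=..." from openssl rsa|req|x509; fails instead of hashing
# an empty string when openssl cannot read the file.
mod_digest() {
  m=$(openssl "$1" -noout -modulus -in "$2" 2>/dev/null) || return 1
  printf '%s' "$m" | sha256sum | cut -d' ' -f1
}

# Key, CSR and certificate must carry the same RSA modulus (the three
# Additional Information commands, compared automatically instead of by eye).
moduli_match() {
  k=$(mod_digest rsa "$1.pk")   || return 1
  r=$(mod_digest req "$1.csr")  || return 1
  c=$(mod_digest x509 "$1.crt") || return 1
  [ "$k" = "$r" ] && [ "$r" = "$c" ]
}

# Go/no-go for "svc_custom_cert <base>": exit 0 only if every check passes.
precheck() {
  key_is_unencrypted "$1.pk" || { echo "refusing: $1.pk is encrypted or not PEM" >&2; return 1; }
  ensure_pem_cert "$1" || { echo "refusing: no usable certificate for $1" >&2; return 1; }
  moduli_match "$1" || { echo "refusing: key, CSR and certificate do not match" >&2; return 1; }
  echo "ok: run svc_custom_cert $1"
}
```

Run it as `precheck unity-cert` in the directory holding the files; a non-zero exit means one of the conditions Unity rejects (passphrase-protected key, DER-only certificate that could not be converted, or mismatched key material) is present.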