Dell Unity: How to Create a Secure CA Certificate Signing Request on Unity

Summary: Browsers now expect more information in a certificate before they trust a CA-signed certificate. This procedure creates a secure Certificate Signing Request (CSR) from a configuration file, submits it to a CA signing server, and imports the resulting CA-signed certificate into Unity. (User correctable)


Instructions

On Unity, create a Certificate Signing Request (CSR) to be signed by a Certificate Authority (CA).

Unity 5.5.0

Note: If Unity is running Unity Operating Environment (OE) 5.5, ask a Senior Technical Support specialist to apply the internal update to svc_custom_cert before importing Unity's CA-signed certificate.

Fix:
Upgrade Unity 5.5.0 to 5.5.1 or later.
The Unity Release Notes for version 5.5.1.0.5.025 (page 3) list enhancements that include validation of custom chained certificates, a fix for the svc_custom_cert import utility so that it successfully imports custom certificates, and resolutions for issues related to the pre-upgrade health check (PUHC) and UEMCLI failures.
  1. SSH into Unity as the user service.
  2. Create a CA Certificate Signing Request (CSR) configuration file:
vi unity-cert.cnf
Copy the text from the working example below (the text between the two #=== lines) and paste it into the unity-cert.cnf file.
Edit the distinguished_name (dn) details to match your Unity's C, ST, L, O, OU, CN, and emailAddress.
Edit the subjectAltName "alt_names" details to match your Unity's Fully Qualified Domain Name (FQDN), hostname, and IP address.

Definitions of the distinguished name (dn) fields:
C=2 Letter Country Code
ST=State/Region
L=Location/City
O=Organization
OU=Organization Unit
CN=Common Name (This is Unity's Fully Qualified DNS Domain Name (FQDN))
emailAddress=The email address of a Group or a Person that manages Unity and/or its Certificates.

The subjectAltName is a list of the FQDN, hostname, and IP address that can be used to browse to the Unity.
If there is only one DNS name, you can use a single DNS=<name> line and remove or comment out the DNS.1 and DNS.2 entries.
Some sites (or CAs) do not allow IP addresses in the subjectAltName. Remove or comment out the IP line as required.

Below is a working example of unity-cert.cnf that you must edit to your requirements.
#===
[req]
default_bits=2048
prompt=no
default_md=sha256
distinguished_name=dn
req_extensions=v3_req # The extensions to add to a certificate request

[dn]
C=US
ST=Massachusetts
L=Hopkinton
O=Dell Technologies
OU=3CLAB
CN=unityf12.3clab.hop.ma.dell.com
emailAddress=3clabadmin@3clab.hop.ma.dell.com

[v3_req]
basicConstraints=critical,CA:FALSE
keyUsage=critical,nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names

[alt_names]
DNS.1=unityf12.3clab.hop.ma.dell.com
DNS.2=unityf12
IP.1=10.20.30.40
#===

Save the unity-cert.cnf file. 

  3. Create a Certificate Signing Request (.csr) and a private key (.pk) that is not passphrase protected. Unity only accepts a private key that is not passphrase protected:
openssl req -newkey rsa:2048 -nodes -keyout unity-cert.pk -config unity-cert.cnf -out unity-cert.csr

View the CSR and confirm that its distinguished_name and subjectAltName details meet the Unity requirements:

openssl req -verify -noout -text -in unity-cert.csr
  4. Send the unity-cert.csr file to the CA Certificate Signing Server to be signed.

Use either scp or WinSCP (using the scp protocol) to transfer the unity-cert.csr file.
The CA team signs the CSR with the CA's certificate and returns a CA-signed certificate for Unity.
If the returned certificate arrives as a (.cer) file, it may be in DER format; it must be converted to PEM format with a (.crt) extension.

  5. View the newly created CA-signed certificate:
openssl x509 -noout -text -in unity-cert.crt

If you are unable to view the certificate, it may be in DER format. Convert it from DER (.cer extension) to PEM (.crt extension) with the following command, then view it again:

openssl x509 -inform der -in unity-cert.cer -outform pem -out unity-cert.crt
openssl x509 -noout -text -in unity-cert.crt

Verify that the output of the CA-signed certificate is correct, then go to the next step.

As an extra check before import, confirm that the private key (.pk), the Certificate Signing Request (.csr), and the CA-signed certificate (.crt) belong together: the hash of the RSA modulus must be identical for all three. A mismatch means the certificate was issued for a different key and the import will not work.

openssl rsa  -noout -modulus -in unity-cert.pk  | sha256sum
openssl req  -noout -modulus -in unity-cert.csr | sha256sum
openssl x509 -noout -modulus -in unity-cert.crt | sha256sum
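The following POSIX shell script is an added example, not Dell's code and not the svc_custom_cert utility. It automates the unity-cert.cnf template, the passphrase-free key and CSR creation, and the SAN, passphrase and modulus checks from the steps above, and it goes one step further than the article: it self-signs a stand-in certificate so that the DER-to-PEM conversion and the three-way modulus check can be exercised offline. The openssl CLI on PATH, the WORKDIR variable, and every name, address and e-mail it uses (unityf12.example.test, 192.0.2.40, storage-admins@example.test) are assumptions or constructed sample values; in a real deployment the .crt comes back from your CA and the self-signing function is not used.

```shell
#!/bin/sh
# Added example (not Dell's code or svc_custom_cert): generate unity-cert.cnf, create the
# passphrase-free key and CSR, self-sign a STAND-IN certificate (a real deployment gets the
# .crt back from the CA), round-trip it through DER, and run the SAN, passphrase and modulus
# checks.  Assumes the openssl CLI is on PATH; all names/addresses are constructed samples.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write a request config with the same sections as the article's unity-cert.cnf.
# $1 = output path, $2 = FQDN (CN and DNS.1), $3 = short hostname (DNS.2), $4 = IP (IP.1)
write_unity_cnf() {
  cat > "$1" <<EOF
[req]
default_bits=2048
prompt=no
default_md=sha256
distinguished_name=dn
req_extensions=v3_req

[dn]
C=US
ST=Massachusetts
L=Hopkinton
O=Example Storage Team
OU=LAB
CN=$2
emailAddress=storage-admins@example.test

[v3_req]
basicConstraints=critical,CA:FALSE
keyUsage=critical,nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names

[alt_names]
DNS.1=$2
DNS.2=$3
IP.1=$4
EOF
}
# Unencrypted key (-nodes) plus CSR from the config.  $1 = base name, $2 = config path
make_csr() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.pk" -config "$2" -out "$1.csr" 2>/dev/null
}

# Return 0 only if every expected SAN string ("DNS:host", "IP Address:10.0.0.1", ...) is in the CSR.
csr_has_san() {
  csr="$1"; shift
  text=$(openssl req -noout -text -in "$csr")
  for want in "$@"; do
    printf '%s\n' "$text" | grep -qF -- "$want" || return 1
  done
}

# Unity rejects passphrase-protected keys: succeed only if the key loads with an empty passphrase.
key_is_unencrypted() {
  openssl rsa -noout -in "$1" -passin pass: >/dev/null 2>&1
}

# Report "pem" or "der" from the file header (a .cer returned by a CA is often DER).
cert_format() {
  if [ "$(head -c 5 "$1")" = "-----" ]; then echo pem; else echo der; fi
}

# Compare the sha256 of the RSA modulus across key, CSR and (optionally) certificate.
moduli_match() {
  k=$(openssl rsa  -noout -modulus -in "$1" | sha256sum | cut -d' ' -f1)
  r=$(openssl req  -noout -modulus -in "$2" | sha256sum | cut -d' ' -f1)
  [ "$k" = "$r" ] || return 1
  if [ $# -ge 3 ]; then
    c=$(openssl x509 -noout -modulus -in "$3" | sha256sum | cut -d' ' -f1)
    [ "$k" = "$c" ] || return 1
  fi
}

# Stand-in for the CA: self-sign the CSR keeping v3_req, and also save a DER (.cer) copy.
self_sign_stand_in() {
  openssl x509 -req -in "$1.csr" -signkey "$1.pk" -days 1 -extfile "$2" -extensions v3_req \
    -out "$1.crt" 2>/dev/null
  openssl x509 -in "$1.crt" -outform der -out "$1.cer"
}

# DER (.cer) to PEM (.crt), as in the article's recovery step.  $1 = input, $2 = output
der_to_pem() {
  openssl x509 -inform der -in "$1" -outform pem -out "$2"
}
main() {
  base="$WORKDIR/unity-cert"
  write_unity_cnf "$base.cnf" unityf12.example.test unityf12 192.0.2.40
  make_csr "$base" "$base.cnf"
  csr_has_san "$base.csr" "DNS:unityf12.example.test" "DNS:unityf12" "IP Address:192.0.2.40"
  key_is_unencrypted "$base.pk"
  self_sign_stand_in "$base" "$base.cnf"
  der_to_pem "$base.cer" "$base.converted.crt"
  moduli_match "$base.pk" "$base.csr" "$base.converted.crt"
  echo "key, CSR and certificate agree; files are in $WORKDIR"
}
main
```

The script writes into a fresh mktemp directory unless WORKDIR is set, and stops at the first failing check because of set -e. For a real Unity, drop self_sign_stand_in, run cert_format and (if needed) der_to_pem on the file the CA returns, and run moduli_match on the key, CSR and returned certificate before running svc_custom_cert.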
  6. Import the CA-signed certificate and Unity's private key on the Unity.

Note: The certificate import command, svc_custom_cert, needs two files (here unity-cert.crt and unity-cert.pk):

  1. The CA-signed certificate with a (.crt) extension
  2. The private key that is not passphrase protected, with a (.pk) extension
svc_custom_cert unity-cert

If Unity is running OE 5.5 and you get the error message:

ERROR: Could not determine private key strength

ask a Senior Technical Support person to apply the internal update to svc_custom_cert before importing the CA-signed certificate.

Unity's Management Services restart and load the new certificate. This takes 2-5 minutes to complete.

Caution: If Unity asks for the passphrase for the private key, cancel the process by pressing Ctrl-C.
Do not enter a passphrase. Unity only accepts a private key that is not passphrase protected.
Unity has no method to store a private key passphrase. Entering a passphrase causes Unity's Management Services to stop running. If a passphrase is requested, go back and redo the steps above.
 
  7. Once the new certificate is imported, open your web browser and connect to Unity.

Depending on your needs, choose the URL you want to use and confirm that the browser reports the certificate as secure:

https://FQDN/
https://hostname/
https://Unity_IP_Address/
https://[Unity_IPv6_Address]/

 

Note:
For this temporary Unity example:
FQDN is unityf12.3clab.hop.ma.dell.com
Hostname is unityf12 (I had to ensure my workstation's domain search included 3clab.hop.ma.dell.com).
IP Address is 10.20.30.40
There is no IPv6 address specified.

As an example then, to browse to Unity, use:
https://unityf12.3clab.hop.ma.dell.com/
https://unityf12/ (Ensure your workstation's domain search includes Unity's Domain) 
https://10.20.30.40/
https://[Unity_IPv6_Address]/ (My Unity does not have IPv6 address to test.)

Additional Information

Note: Scripting these steps requires special permission to upload the script and enable service shell on the Unity. This would require engaging Dell Tech Support.

Using the procedure above does not involve scripting or enabling the service shell.

Extra steps to validate that the private key (.pk), Certificate Signing Request (.csr), and CA-signed certificate (.crt) belong together: the hash of the modulus must match for all three.
openssl rsa  -noout -modulus -in unity-cert.pk  | sha256sum
openssl req  -noout -modulus -in unity-cert.csr | sha256sum
openssl x509 -noout -modulus -in unity-cert.crt | sha256sum
  • Ensure that Unity's DNS entries are correct: an nslookup of Unity's Fully Qualified Domain Name (FQDN) returns Unity's IP address, and a reverse nslookup of that IP address returns Unity's FQDN.
  • Ensure that the Certificate Signing Request file has Unity's FQDN spelled correctly in both fields:
    • The CN field in the distinguished name (dn) section
    • The DNS.1 field in the subjectAltName section (alt_names)

Affected Products

Dell EMC Unity Family, Dell EMC Unity All Flash

Article Properties
Article Number: 000203303
Article Type: How To
Last Modified: 15 May 2026
Version: 12