PowerVault ME5/ME52: Creating and Importing Custom Certificates

Summary: This article covers the entire process of creating custom certificates for ME5 storage.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Instructions

Setting up AD Certificate Authority certificates on an ME5

Prerequisites

  • Install Active Directory Certificate Services for your domain and configure the services
  • Record the IPs, Domain Name System (DNS) server IPs, search domain, and system names for each ME5 controller

Gather the Controller Information.

The following information is required for creating Certificates:

  • The hostname of each controller
  • The IP address of each controller
  • The DNS Fully Qualified Domain Name (FQDN) for each controller
  • The details below are used in this example:
    • me5rioma.mylab.local AAA.BB.56.10 ME5RIOMA
    • me5riomb.mylab.local AAA.BB.56.11 ME5RIOMB
  • Use the show dns-management-hostname or the UI (Settings > System) to get the common name (CN) hostname of each controller
show dns-management-hostname
  • Verify that the FQDN is filled out
  • If it is not,
    • Configure the DNS search domain as seen below
    • CLI
Image highlighting sections of output in dns-management-hostname to focus on
  • UI
image showing where in GUI to find dns-management-hostname
image showing where in gui to find dns search domain
  • Use the show network-parameters command or the UI (Settings > Network) to get the IP address of each controller:
    • show network-parameters 
Image shows the desired network parameters  

Create DNS entries for Controller A and Controller B.

  • Using your normal domain DNS,
    • Create an A record for each controller with your required domain name
    • In this example, me5-a and me5-b are used in Microsoft DNS
    • The IP address should match the IP address in the previous section
    • The array should be using the same DNS servers the normal servers are
    • For our example environment, the DNS records below were created as shown below
  • Controller A
    • me5rioma.mylab.local
    • me5-a
  • Controller B
    • me5riomb.mylab.local
    • me5-b
  • As seen in AD
Image shows DNS entries as indicated
  • Use show dns-parameters command to verify:
    • The DNS server is set
    • The search domain is set on the controllers
show dns-parameters

Image shows DNS IP addresses
  • Alternatively, use the UI in Settings > Network > DNS to apply the DNS servers and Search Domains

Creating and Installing a Certificate on a Controller

This process is the same for both the A and the B controller but there is a different certificate for each controller.

IMPORTANT: All actions for the A controller must be done on controller A. Do not use FTP or SSH to controller B for these actions. Do not restart the management service on the controller until both the CA certificate and the controller certificate have been installed.

Create certificate-signing-request syntax and parameters:

The content string cannot exceed 1024 characters and can include printable UTF-8 characters except space or semicolon. An example is:
/C=US/ST=CO/O=MyOrganization/CN=(The Host Name not the FQDN) See below image.

If FQDN is used, an error shows that with CN name does not match. These parameters must be specified.

Image showing where to find FQDN name in GUI 

Extension and basicConstraints parameters:

If any clarification is needed for extensions and basicConstraints parameters, the external link is included here corn Requests for Comments (RFC) 5280. A lot of how the CA environment is configured affects the creation of this section of the certificates. 

Image shows the RFC5280 details

Create Certificate Signing Request for Controller A.

  1. PuTTY into controller A
  2. Run the CSR commands:
    1. Substitute the CSR commands parameter that matches your environment
create certificate-signing-request subject <LDAP Parameters> /basicConstraints=CA:TRUE/subjectAltName=DNS:<FQDN>,DNS:<FQDN>,IP:<controllerIP>

Lab example: 
create certificate-signing-request subject /C=US/ST=OK/L=OKC/O=Dell/CN=me5rioma extension /basicConstraints=CA:TRUE/subjectAltName=DNS:me5rioma.mylab.local,DNS:me5-a,IP:AAA.BB.56.10
  1. The CSR command output is what is presented to the CA server
  2. Copy the file as shown below
    1. Verify that there is no extra space.
Image shows the CSR output to be used
  1. Copy the highlighted file to notepad or notepad ++ and save it as me5a.csr
  2. Run the .CSR file to the CA to create the .CER file
    1. The administrator should already know how to do this as this is out of Support's scope.
For this example, in the lab running windows CA certificate
certreq -submit -attrib "CertificateTemplate:WebServer" me5a.csr me5a.cer

 

Image showing example certreq output
  1. Click "OK" at the next window
Image showing OK button to click
  1. As seen below, the new certificate for controller A is created.
Image showing folder with cer files

 Create Certificate Signing Request for Controller B.

  1. PuTTY into controller B
  2. Run the CSR commands:
    1. Substitute the CSR commands parameter that matches your environment
create certificate-signing-request subject <LDAP Parameters> /basicConstraints=CA:TRUE/subjectAltName=DNS:<FQDN>,DNS:<FQDN>,IP:<controllerIP>

Lab example: 
create certificate-signing-request subject /C=US/ST=OK/L=OKC/O=Dell/CN=me5riomb extension /basicConstraints=CA:TRUE/subjectAltName=DNS:me5riomb.mylab.local,DNS:me5-b,IP:AAA.BB.56.11
  1. The CSR command output is what is required to present to the CA server
  2. Copy the file as shown below
    1. Verify that there is no extra space
Image showing relevant section of CSR file
  1. Copy the highlighted file to notepad or notepad ++ and save it as me5b.csr
  2. Run the .CSR file to the CA to create the .CER file
    1. The administrator should already know how to do this as this is out of Support's scope.
In this example, running windows CA certificate
certreq -submit -attrib "CertificateTemplate:WebServer" me5b.csr me5b.cer

 

Image showing correct usage of certreq
  1. Click "OK" at the next window
Image instructing how to click OK
  1. As seen below, the controller B certificate is now created
Image of cer files. Highlights which is relevant

Exporting the AD CA Root Certificate

To export the AD CA root certificate, follow the below steps with the created certificate.

  1. Double-click the certificate that was created for the controllers
    1. In this case, use the me5b.cer file
  2. Click the Certification Path tab
Image showing to click on Certification Path tab
  1. Double-click the OFFLINECAROOT-CA
Image shows the certificate to be used  
  1. The offline root certificate window shows.
  2. Click the details tab
  3. Click the "copy to file"
Image shows the details tab as referenced
  1. Click Next
  2. Click the Base-64 encoded x.509 (CER)
  3. Click Next
  4. Browse where the root certificate should be saved
    1. Better to have it in the same directory as the controller certificates
    2. Easier to be in one directory when it is time to upload the certificates using FTP
    3. Click Finish
  5. A prompt with "Export Successful" appears
  6. Click "OK"
  7.  Close the OFFLINECAROOT-CA certificate
Example below
Image shows steps 6 through 11 dialog boxes
  1. Go back to step 1 and choose the intermediate root certificate (Mylab-MYLABISSUINGSUB-CA) to export that certificate
  2. As seen below, both the root and the intermediate root certificate were extracted
Image showing extracted files

Installing the Certificate on controllers.

Installing the certificates on controller A and controller B

  1. Ensure the FTP service is running on the storage
  2. Log in to each controller individually using FTP with a user who has FTP permissions enabled
  3. On the Windows PowerShell, change the directory to the folder where all the certificates are located.
  4. The sequence to upload the certificate to controllers are as follows:
    1. Upload the root certificate first (OfflineRootCa.cer)
    2. Upload the root intermediate certificate second (mylab-MYLABISSUINGSUB-CA.cer)
    3. Upload the controller certificate last (me5a.cer)
  5. If there is a three-tier Public Key Infrastructure (PKI) root certificate server:
    1. The topmost root certificate of the tier uploads first
    2. Then secondary root certificate
    3. Then the intermediate root certificate
    4. Then the controller certificate
  6. For controller A on this instance:
    1. Go to the directory where the certificates are located.
    2. FTP to controller A
    3. Logon with a user that has FTP permissions
    4. Type bin
    5. Type the following: Put offlineRootCA.cer cert-file:trust
put offlineRootCA.cer cert-file:trust

 

Image showing relevant parts of FTP output
  1. Type the following:
put mylab-MYLABISSUINGSUB0CA.cer cert-file:trust
image of cer file ftp
  1. Type the following:
put me5a.cer cert-file:usr

 

Image of putting the usr file
  1. Notice the output requests to start the MC process to activate the certificate. DO NOT DO THIS YET. Install the certificates on the controller B first.
  1. Go back to step 1 for controller B certificate installation
  2. Use FTP to connect to the IP address of the B controller first
  3. Once both controller’s certificates are uploaded:
    1. SSH to any controller and type show certificates to see the certificates installed:
show certificates

 

image highlighting the relevant portion of show certificates output
  1. Notice the asterisks on the certificates means that the certificates are activated
  1. The last step is to restart the Management Control process of both controllers
  2. On the SSH console, Type the below command to fully restart the management console:
restart mc both full
  1. After the management service comes back up, open a web browser to the FQDN of Controllers
  2. Check access to the controllers using https using the input on subjecAltname of the Certificate-Signing-Request
    1. me5rioma.mylab.local

The process is complete. 

Troubleshooting

The default certificates can be regenerated using CLI commands if issues arise during this process.

  • The following steps are found in the CLI guide for storage
  • The CLI Guide shows commands that apply to the latest firmware. The means that some commands used previously may now be missing. The following steps cover references to the latest commands in the latest firmware and older commands that no longer show in the CLI Guide on the Support Site.

Regenerating the Default Factory Certificates:

These steps require the controllers to be running the below firmware:

  • ME50xx = ME5.1.2.2.1 or later
  • ME52xx = ME5.2.0.1.1 or later

 

  1. Log in to one of the controllers with an SSH or serial cable
  2. Check the current certificates with show certificates
Example
# show certificates
Certificate Name                 Certificate Type     Controller WEB   Valid From                  Valid Till
  Issued To                                                        Issued By                                                        State
  Certificate Status          Default Services                 Encryption Type
---------------------------------------------------------------------------------------------------------------------------------------------------------
gen_cert_a                       Device-Cert          A          x     Dec 11 16:21:10 2025 GMT    Dec  9 16:21:10 2035 GMT
  me5rioma                                                         me5rioma                                                         Available
  System-generated            WEB                              RSA
gen_cert_b                       Device-Cert          B          x     Apr 22 14:58:17 2023 GMT    Apr 19 14:58:17 2033 GMT
  me5riomb                                                         me5riomb                                                         Available
  System-generated            WEB                              RSA
---------------------------------------------------------------------------------------------------------------------------------------------------------
Success: Command completed successfully. (2026-03-18 15:50:13)
  1. Run the CLI command to regenerate the needed certificate or both simultaneously
    1. regenerate certificate a|b|both
Example:
# regenerate certificate both
Info: Removed certificate gen_cert_a.
Info: Removed certificate gen_cert_b.
Success: Command completed successfully. - To generate the certificate and have the change take effect, restart both MCs by entering "restart mc both full".  (2026-03-18 15:57:45)
  1. Restart management as directed with restart mc both full
Example
# restart mc both full
During the restart process you will briefly lose communication with the specified Management Controller(s).

Do you want to continue? (y/n) y

Info: Restarting the local MC (A)...
Success: Command completed successfully. - Both MCs were restarted. (2026-03-18 15:59:41)
# Killed
  1. Confirm that changes took effect with show certificates
Example
# show certificates 
Certificate Name                 Certificate Type     Controller WEB   Valid From                  Valid Till                  
  Issued To                                                        Issued By                                                        State                
  Certificate Status          Default Services                 Encryption Type      
---------------------------------------------------------------------------------------------------------------------------------------------------------
gen_cert_a                       Device-Cert          A          x     Mar 18 16:01:13 2026 GMT    Mar 15 16:01:13 2036 GMT    
  me5rioma                                                         me5rioma                                                         Available            
  System-generated            WEB                              RSA                  
gen_cert_b                       Device-Cert          B          x     Mar 18 16:01:12 2026 GMT    Mar 15 16:01:12 2036 GMT    
  me5riomb                                                         me5riomb                                                         Available            
  System-generated            WEB                              RSA                  
---------------------------------------------------------------------------------------------------------------------------------------------------------
Success: Command completed successfully. (2026-03-18 16:11:54)

 

Older firmware used the command create certificate unique

Affected Products

PowerVault ME5012, PowerVault ME5024, PowerVault ME5084

Products

PowerVault ME5212, PowerVault ME5224, PowerVault ME5284
Article Properties
Article Number: 000213369
Article Type: How To
Last Modified: 10 Apr 2026
Version:  5
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.