Data Domain: Generating CSR outside of the DD

Summary: This KB article explains how to use an external system for creating Certificate Signing Request, and create a signed certificate by an external CA, so that the resulting certificate may be imported in the Data Domain for use in HTTP (DD GUI through SSL) ...

This article is not tied to any specific product. Not all product versions are identified in this article.

Instructions

In most cases, the following KB article is the one to use for generating the CSR and importing the signed certificate:

Data Domain - Managing host certificates for HTTP and HTTPS

This article covers the rarer case in which the CSR cannot be generated on the DD itself.

Importing a CA-signed certificate allows HTTPS access to Data Domain System Manager without having to bypass the browser warnings shown for certificates not signed by a trusted third party. Once the first SSL connection to the DD GUI is established, traffic is equally protected from eavesdropping whether the certificate is externally signed or self-signed; however, a company may require that all hosts offering SSL access have certificates signed by either the internal CA or an external CA, so that the certificate is trusted.

There are several approaches to creating this externally signed certificate. The one recommended with DD OS 6.2.0.35 and later is to use the DD CLI command "adminaccess certificate cert-signing-request generate" to create a Certificate Signing Request (CSR), which is then submitted to the CA of choice for signing. The signed certificate is then imported into the DD for HTTPS. The full details are in the KB article Data Domain: How to Generate a Certificate Signing Request and Use Externally Signed Certificates

The other approach is to use a separate host in the network with a recent set of OpenSSL libraries and binaries installed to generate the CSR to be signed. Once the signed certificate is obtained, both the signed certificate and its associated private key are bundled together and manually transferred to and imported into the DD. The process is as follows:

  1. Log in to the Linux, UNIX, or other server with OpenSSL installed, and first generate a public/private key pair. The DD generates 2048-bit keys by default; 1024-bit keys are discouraged, and 4096-bit keys are larger than needed:

# openssl genrsa -out hostkey.pem 2048
Generating RSA private key, 2048 bit long modulus
........+++
...+++
e is 65537 (0x10001)
  2. Generate a Certificate Signing Request (CSR) using the private key produced in the first step, and provide the details to be included in the CSR, such as common name, email address, country, and city.

# openssl req -new -sha256 -key hostkey.pem -out host_csr.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Inc.
Organizational Unit Name (eg, section) []:IT Department
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:webmaster@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Note that in most OpenSSL installations, the "subjectAltName" extension, which is a mandatory requirement as per RFC 3280, is neither prompted for nor added to the CSR. Some private and public CAs may refuse to process the CSR because this extension is missing. For a DD certificate used for the GUI, the "subjectAltName" must be the FQDN under which the DD is accessed from the browser.

To specify a "subjectAltName" when creating the CSR with OpenSSL 1.1.1 or later, this can be done from the "openssl" command line itself. With older versions, this requires editing /etc/ssl/openssl.cnf, which is beyond the scope of this document. If using OpenSSL 1.1.1 or later:
# openssl version
OpenSSL 1.1.1  11 Sep 2018
# openssl req -new -sha256 -key hostkey.pem -out host_csr.csr -addext "subjectAltName = DNS:www.example.com"
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Inc.
Organizational Unit Name (eg, section) []:IT Department
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:webmaster@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
  3. Take the CSR file "host_csr.csr" and upload it to the corresponding CA for signing. If the CA is internal, give it to the CA administrator or sign it through the normal process (the administrator would use a command line such as the one below):

# openssl x509 -req -in host_csr.csr -CA CA/cacert.pem -CAkey CA/cakey.pem -out host_cert.pem -CAcreateserial
Signature ok
subject=/C=CH/ST=California/L=San Francisco/O=Example Inc./OU=IT Department/CN=www.example.com/emailAddress=webmaster@example.com
Getting CA Private Key

NOTE: If the signing process requires a Server Software selection, select Tomcat.
NOTE: If using the "OpenSSL" command to sign the CSR, it may be necessary to add more options to the command line so that the resulting certificate keeps the "subjectAltName" extension. To see if the resulting certificate has the extension, run something similar to the following:    
# openssl x509 -in host_cert.pem -text -noout | grep -A1 "Subject Alternative Name"
            X509v3 Subject Alternative Name:
                DNS:www.example.com
  4. In any case, the outcome will typically be a .pem or .cer encoded certificate file ("host_cert.pem" in the example). For the certificate to be imported into the DD, it must be bundled in PKCS#12 format together with the private key generated in the first step. From the same host where the first step was run:
# openssl.exe pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -out host.p12 -inkey hostkey.pem -in host_cert.pem

Enter Export Password:
Verifying - Enter Export Password:

It is critical to set a password for the PKCS#12 file; otherwise the certificate import will fail on the Data Domain. The password is not prompted for during normal use of the Data Domain after the certificate has been installed. The '-keypbe PBE-SHA1-3DES' and '-certpbe PBE-SHA1-3DES' arguments ensure that the supported "PBE-SHA1-3DES" algorithm is used when encrypting the PKCS#12 bundle. This avoids an error when the end user tries to import the signed certificate.

  5. Copy the resulting "host.p12" certificate file to the "/ddr/var/certificates/" directory on the Data Domain (for example, using SCP to the DD).

# scp host.p12 sysadmin@DD_HOSTNAME_OR_IP:/ddr/var/certificates/
  6. Before importing the externally generated and signed certificate into the Data Domain, confirm that the Data Domain does not have an existing CSR. The Data Domain will try to match the imported certificate against any CSR on the system; if one exists, the match will fail and the import will be refused with the following error message:
Imported host certificate does not match the generated CSR

Verify if there is an existing CSR on the system:    

# adminaccess certificate cert-signing-request show

If there is an existing CSR, proceed to delete it before going any further, or else the certificate import will fail:    

# adminaccess certificate cert-signing-request delete
  7. Import the new certificate from the CLI. Provide the password used to create the PKCS#12 file in the previous step, and use "application https" so that the imported certificate is used for the DD System Manager or DDMC GUI:

# adminaccess certificate import host application https file host.p12
Enter password:
**   Importing the certificate will restart the http/https services and currently active http/https user sessions will be terminated.
        Do you want to import this certificate? (yes|no) [yes]: yes
Host certificate imported for applications(s) : "https".

Note: "adminaccess certificate show" should now list an imported-host certificate for https. The default self-signed cert for https will be noted as Not in use.
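The following script is an added example, not part of this KB article or Dell's tooling: it runs steps 1 to 4 (the part done on the external OpenSSL host) end to end against a throwaway test CA constructed inside the script, and checks the two pitfalls the article warns about: that the "subjectAltName" survives signing (it is re-supplied with -extfile, since "openssl x509 -req" does not copy CSR extensions) and that the PKCS#12 bundle carries an export password. The WORK directory, the FQDN, and the test CA are placeholders; steps 5 to 7 run on the DD CLI and are not covered.

```shell
# Added example (not from the Dell KB). Needs OpenSSL 1.1.1 or later for -addext.
# WORK and FQDN are placeholder names; the test CA is constructed, not a real CA.
set -eu
WORK="${WORK:-$(mktemp -d)}"
FQDN="${FQDN:-dd-placeholder.example.com}"
# Stand-in for the corporate CA: a self-signed, 30-day throwaway CA.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}
# Steps 1 and 2: 2048-bit key, then a CSR that carries the subjectAltName.
make_csr() {
    openssl genrsa -out "$WORK/hostkey.pem" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/hostkey.pem" -out "$WORK/host_csr.csr" \
        -subj "/C=US/ST=California/L=San Francisco/O=Example Inc./CN=$FQDN" \
        -addext "subjectAltName = DNS:$FQDN"
}
# Step 3: 'openssl x509 -req' drops CSR extensions, so the SAN is re-supplied
# via -extfile; without this the signed certificate silently loses it.
sign_csr() {
    printf 'subjectAltName = DNS:%s\n' "$FQDN" > "$WORK/san.ext"
    openssl x509 -req -sha256 -days 30 -in "$WORK/host_csr.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -extfile "$WORK/san.ext" -out "$WORK/host_cert.pem" 2>/dev/null
}
# Same check as the KB: returns 0 only if the signed cert lists the FQDN SAN.
cert_has_san() {
    openssl x509 -in "$WORK/host_cert.pem" -text -noout \
        | grep -A1 "Subject Alternative Name" | grep -q "DNS:$FQDN"
}
# Step 4: PKCS#12 with the PBE the DD accepts; the export password is required.
bundle_p12() {
    openssl pkcs12 -export -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES \
        -inkey "$WORK/hostkey.pem" -in "$WORK/host_cert.pem" \
        -out "$WORK/host.p12" -passout "pass:$1"
}
# Returns 0 if the bundle opens with the given password, as the DD import will.
p12_opens_with() {
    openssl pkcs12 -in "$WORK/host.p12" -noout -passin "pass:$1" 2>/dev/null
}
# Whole external-host procedure; argument is the PKCS#12 export password.
run_all() { make_test_ca && make_csr && sign_csr && cert_has_san && bundle_p12 "$1"; }
```

Run it as `sh script.sh` after appending a call such as `run_all 'your-export-password'`; the resulting "$WORK/host.p12" is what step 5 copies to the DD.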

Additional Information

This content is translated in other languages: 
https://downloads.dell.com/TranslatedPDF/PT-BR_KB533409.pdf
https://downloads.dell.com/TranslatedPDF/ZH-CN_KB533409.pdf
https://downloads.dell.com/TranslatedPDF/ES_KB533409.pdf
https://downloads.dell.com/TranslatedPDF/DE_KB533409.pdf
https://downloads.dell.com/TranslatedPDF/FR_KB533409.pdf
https://downloads.dell.com/TranslatedPDF/IT_KB533409.pdf
https://downloads.dell.com/TranslatedPDF/JA_KB533409.pdf
https://downloads.dell.com/TranslatedPDF/NL_KB533409.pdf
https://downloads.dell.com/TranslatedPDF/KO_KB533409.pdf
https://downloads.dell.com/TranslatedPDF/RU_KB533409.pdf
https://downloads.dell.com/TranslatedPDF/PT_KB533409.pdf
https://downloads.dell.com/TranslatedPDF/SV_KB533409.pdf

Affected Products

Data Domain
Article Properties
Article Number: 000231595
Article Type: How To
Last Modified: 09 Jan 2025
Version:  3