Data Domain: Managing Host Certificates for HTTP and HTTPS

Résumé: Host certificates allow browsers and applications to verify the identity of a Data Domain system when establishing secure management sessions. HTTPS is enabled by default. The system can use either a self-signed certificate or an imported certificate from a trusted Certificate Authority (CA). This article explains how to check, generate, request, import, and delete certificates for HTTP/HTTPS on Data Domain systems. ...

Cet article concerne Cet article ne concerne pas Cet article n’est associé à aucun produit spécifique. Toutes les versions du produit ne sont pas identifiées dans cet article.

Instructions

Certificates may expire or become invalid. If no certificate is imported, the system uses a self-signed certificate, which browsers or integrated applications may not trust.


  1. Check Existing Certificates.

On the Data Domain (DD-CLI), run the following command to view installed certificates:

adminaccess certificate show

If certificates are expired or nearing expiration:

  • If self-signed, regenerate using DD-CLI
  • If imported, follow the CSR and import steps below.
    1. Generate Self-Signed Certificates.

    To regenerate the HTTPS certificate:

    adminaccess certificate generate self-signed-cert
    

    To regenerate HTTPS and trusted CA certificates:

    adminaccess certificate generate self-signed-cert regenerate-ca
    
    1. Generate a Certificate Signing Request (CSR)

    Use DD System Manager:

    1. Set a passphrase, if not done already:
    system passphrase set
    
    1. Go to Administration > Access > Administrator Access.
    2. Select HTTPS > Configure > Certificate tab > Add.
    3. Click Generate the CSR for this Data Domain system.
    4. Complete the CSR form and download the file from:
    /ddvar/certificates/CertificateSigningRequest.csr
    

    CLI Alternative Example:

    adminaccess certificate cert-signing-request generate key-strength 2048bit country "CN" state "Shanghai" city "Shanghai" org-name "Dell EMC" org-unit "Dell EMC" common-name "ddve1.example.com" subject-alt-name "DNS:ddve1.example.com, DNS:ddve1"
    1. Import Signed Certificate

    Use DD System Manager:

    1. Select Administration > Access > Administrator Access
    2. In the Services area, select HTTPS and click Configure
    3. Select the Certificate tab
    4. Click Add. An Upload dialog appears:
    • For .p12 file:
      • Select Upload certificate as .p12 file, enter password, browse, and upload.
      • Example for .p12 selection:
    Upload certificate as.p12 file
    • For .pem file:
      • Select Upload public key as .pem file and use generated private key, browse, and upload.

    DD CLI alternative: Refer to article Data Domain: How to Generate a Certificate Signing Request and Use Externally Signed Certificates

    1. Delete Existing Certificate.

    Before adding a new certificate, delete the current certificate:

      1. Go to Administration > Access > Administrator Access > HTTPS > Configure > Certificate tab.
      2. Select certificate and click Delete.

     

    1. CSR Validation

    Validate CSR using Windows Command Prompt:

    certutil -dump <CSR file path>
    1. Troubleshooting: Browser Shows "Certificate Untrusted" After CA-Signed Certificate Import

    If the browser displays a "certificate not trusted" or "connection is not secure" warning after importing a CA-signed certificate, the imported PEM or P12 file may be missing intermediate CA certificate(s) in the certificate chain.

    Cause: When the imported file contains only the leaf (server) certificate without the intermediate CA certificate(s), the Data Domain serves an incomplete certificate chain. Some desktop browsers may auto-retrieve missing intermediates, but mobile devices, monitoring systems, and DD-to-DD trust operations will fail.

    Verify the Certificate Chain:

    On a workstation with OpenSSL installed, inspect the PEM file before import:

    openssl crl2pkcs7 -nocrl -certfile <certificate_file.pem> | openssl pkcs7 -print_certs -noout

    This command lists all certificates in the file. A complete chain should include:

    • The leaf (server) certificate (subject CN matching the DD hostname/FQDN)
    • One or more intermediate CA certificates
    • Optionally, the root CA certificate

    If only the leaf certificate is present, the chain is incomplete.

    Resolution:

    1. Obtain the intermediate CA certificate(s) from the enterprise Certificate Authority team.

    2. Concatenate the certificates into a single PEM file in the following order:

      • Leaf certificate (first)
      • Intermediate CA certificate(s) (in chain order)
      • Root CA certificate (last, optional)
    3. Delete the current imported certificate from the Data Domain:

      adminaccess certificate delete imported-host application https
      
    4. Import the reconstructed PEM file containing the full chain using the GUI or CLI procedures in Section 4 above.

    Note: Private and public keys must be 2048 bits . DDOS supports only one host certificate for HTTPS at a time . If using .p12 format, ensure the PKCS#12 file was generated with the full certificate chain included.

    Informations supplémentaires

    • Private and public keys must be 2048 bits.
    • DDOS only supports an active CSR and a signed certificate for HTTPS at a time.

    Reference: Deployment KB: Data Domain: How to use externally signed certificates

    Produits concernés

    Data Domain
    Propriétés de l’article
    Numéro d’article: 000205198
    Type d’article: How To
    Dernière modification: 07 Jul 2026
    Version:  9
    Trouvez des réponses à vos questions auprès d’autres utilisateurs Dell
    Services de support
    Vérifiez si votre appareil est couvert par les services de support.