OpenSSL Signed Certificate

How-Tos for VMware Solutions

Audience
Public
Source Type
Documentation

An alternative to using a CA to sign a CSR is to use OpenSSL to sign the certificate request.

Creating the Signed Certificate

Note:

The OpenSSL creation steps should never be performed on a FlashArray and should only be taken on an OpenSSL deployment in your environment.

Here are the steps for creating a signed certificate with OpenSSL.

  1. It is a good idea to first create a directory for the certificates. For example:
    
    ## Create a Directory for the Certificates ##
    mkdir ~/VASA-Certs
    
    ## Create a directory for each FlashArray controller ##
    mkdir ~/VASA-Certs/sn1-405-c12-21-ct0
    mkdir ~/VASA-Certs/sn1-405-c12-21-ct1
    
  2. Next, create a v3.ext file for vasa-ct0 and vasa-ct1. The important part here is to make sure the correct Subject Alternate Name (SAN) in the v3.ext file.
    
    ## Using vim (or any text editor) create a v3.ext file with the following ##
    [req]
    default_bits = 2048
    prompt = no
    default_md = sha256
    [v3_ca]
    subjectAltName = IP:<IP address of controller>
    
    ## So for example ##
    vim ~/VASA-Certs/sn1-405-c12-21-ct0/v3.ext
    
    [req]
    default_bits = 2048
    prompt = no
    default_md = sha256
    [v3_ca]
    subjectAltName = IP:10.21.88.117
    
    vim ~/VASA-Certs/sn1-405-c12-21-ct1/v3.ext
    
    [req]
    default_bits = 2048
    prompt = no
    default_md = sha256
    [v3_ca]
    subjectAltName = IP:10.21.88.118
    
  3. A root certificate will need to be created with OpenSSL.
    
    openssl genrsa -passout pass:test -des3 -out rootCA.key 4096
    openssl req -x509 -new -passin pass:test -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt -subj "/C=US/O=Pure Storage/OU=Solutions Engineering/CN=Pure Storage"
    
  4. After the Root Cert is created, generate a private key and generate the CSR for VASA-CT0 and VASA-CT1. Make sure that the Common Name of the CSR matches the IP address from the subject alternate name.
    
    ##Creating Private Keys##
    openssl genrsa -out ~/VASA-Certs/sn1-405-c12-21-ct0/server.key 2048
    openssl genrsa -out ~/VASA-Certs/sn1-405-c12-21-ct1/server.key 2048
    
    ##Creating CSRs##
    openssl req -new -key ~/VASA-Certs/sn1-405-c12-21-ct0/server.key -out ~/VASA-Certs/sn1-405-c12-21-ct0/server.csr
    openssl req -new -key ~/VASA-Certs/sn1-405-c12-21-ct1/server.key -out ~/VASA-Certs/sn1-405-c12-21-ct1/server.csr
    
    Make sure that the O and OU for the CSR is not Everpure for both entries. The email address and password can both be skipped as well by pressing enter.
  5. Create the signed certificates by signing the CSR with the Root Cert that was created.
    
    cd ~/VASA-Certs/sn1-405-c12-21-ct0/
    openssl x509 -req -passin pass:test -in server.csr -CA ../rootCA.crt -CAkey ../rootCA.key -CAcreateserial -out server.crt -extfile v3.ext -extensions v3_ca -days 729
    
    cd ~/VASA-Certs/sn1-405-c12-21-ct1/
    openssl x509 -req -passin pass:test -in server.csr -CA ../rootCA.crt -CAkey ../rootCA.key -CAcreateserial -out server.crt -extfile v3.ext -extensions v3_ca -days 729
    
  6. Either copy the RootCA that was created to vCenter (with scp, etc) or create a .pem file the cert. This will be needed to make sure that the trusted root cert is in vCenter in the following step.

Importing the OpenSSL signed Certificate on the FlashArray

  1. Copy down the private key and certificate for both vasa-ct0 and vasa-ct1.
    
    cat ~/VASA-Certs/sn1-405-c12-21-ct0/server.key
    
    cat ~/VASA-Certs/sn1-405-c12-21-ct0/server.crt
    
  2. Import the key and certificate for vasa-ct0.
    Note:

    Once the certificate is imported, it will cause any existing storage providers that are registered with the VASA provider to go offline due to the new certificate being imported. This will cause an authentication failure with the existing storage providers.

    
    purecert setattr --certificate --key vasa-ct0
    
  3. Import the key and certificate for vasa-ct1.
    
    purecert setattr --certificate --key vasa-ct1
    
  4. Check the certificates with purecert list.
    
    purecert list
    

    Now that both certificates are imported, you will want to make sure the CA Root Cert that was created has been imported to the vCenters trusted root certs and then register the storage providers.