Let's not break the trust - SSL certificates - most things you wanted to know

  • 17 February 2020
  • Nutanix Employee

Finally decided to replace self-signed certificates with CA-signed ones? Or ready to renew nearly expired ones but unable to remember the process? Don't worry, we've got your back.

To replace the SSL certificate, 3 files are required:

  1. Private Key - a key generated using the RSA 2048 key type and signed using a SHA256 hash. We also support EC DSA 256 bit and EC DSA 384 bit. However, RSA 2048 is the most commonly used key type.

  2. Public Certificate - issued by a certificate authority (CA). We support X.509 certificates in Base64-encoded PEM format.

  3. CA Certificate/Chain - the certificate of the CA that issued the public certificate above. If the issuing CA is an intermediate CA, we will also need the root CA certificate. If there are multiple intermediate CAs, we need the certificates for all of the intermediate CAs along with the root CA.


Table 1. Recommended Key Configurations

Key Type          Signature Algorithm
EC DSA 256
EC DSA 384
EC DSA 521

Now onto the process:

  1. Generate the SSL key and CSR (certificate signing request) using the OpenSSL command from a CVM or a Linux box.

  2. Send the CSR (server.csr) to the certificate authority in the organization and obtain a CA-signed public certificate for the website along with the CA's public certificate. If the CA is an intermediate CA, a root CA certificate will also be required.

  3. Copy the certificate files above to the same location on the CVM or Linux box where you generated your server.key and server.csr in step 1.
    Since there is only one field in Prism to upload the CA Certificate/Chain file, the intermediate and root CA certificates must be merged into one file. Make sure that the chain contains the certificates in the correct order of validation, so that the highest authority, which is the root CA, is last.

  4. Verify the generated certificate with OpenSSL.
  5. Transfer the 3 files generated during the steps above to a desktop with access to Prism (using SCP, for example) and import the files into Prism.
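
A lab rehearsal of steps 1 to 4, as an added example that is not taken from KB-4978 or from Nutanix: it builds a throwaway root and intermediate CA standing in for the organization's CA, issues a certificate for server.csr, merges the chain with the root CA last, and checks the result before anything is uploaded. The CNs, the lab.cnf file and the function names are assumptions; only server.key and server.csr come from the steps above.

```shell
# Added example: throwaway lab CA; CNs, lab.cnf and function names are assumptions.
set -eu

# new_csr DIR NAME CN: RSA 2048 private key plus SHA256-signed CSR (step 1).
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/lab.cnf" \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# sign DIR NAME ISSUER [x509 options]: the CA's part of step 2.
sign() {
  local d=$1 name=$2 ca=$3; shift 3
  openssl x509 -req -in "$d/$name.csr" -CA "$d/$ca.crt" -CAkey "$d/$ca.key" \
    -CAcreateserial -days 30 -sha256 -out "$d/$name.crt" "$@" 2>/dev/null
}

# build_demo DIR: lab root and intermediate, server certificate, merged chain (steps 1-3).
build_demo() {
  local d=$1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=unused' \
    '[ca_ext]' 'basicConstraints=critical,CA:TRUE' > "$d/lab.cnf"
  new_csr "$d" root "Lab Root CA"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 -sha256 \
    -extfile "$d/lab.cnf" -extensions ca_ext -out "$d/root.crt" 2>/dev/null
  new_csr "$d" inter "Lab Intermediate CA"
  sign "$d" inter root -extfile "$d/lab.cnf" -extensions ca_ext
  new_csr "$d" server "prism.lab.example"
  sign "$d" server inter
  cat "$d/inter.crt" "$d/root.crt" > "$d/chain.pem"   # intermediate first, root CA last
}

# chain_order_ok FILE: each certificate is issued by the next; the last is self-issued.
chain_order_ok() {
  local i=1 subj="" prev="" t; t=$(mktemp -d)
  awk -v d="$t" '/BEGIN CERT/{n++} n{print > (d "/" n ".pem")}' "$1"
  while [ -f "$t/$i.pem" ]; do
    subj=$(openssl x509 -in "$t/$i.pem" -noout -subject_hash)
    [ -z "$prev" ] || [ "$prev" = "$subj" ] || return 1
    prev=$(openssl x509 -in "$t/$i.pem" -noout -issuer_hash)
    i=$((i + 1))
  done
  [ -n "$subj" ] && [ "$prev" = "$subj" ]
}

# key_matches KEY CERT: the private key belongs to the certificate (part of step 4).
key_matches() { [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]; }

d=$(mktemp -d); build_demo "$d"
chain_order_ok "$d/chain.pem"; key_matches "$d/server.key" "$d/server.crt"
openssl verify -CAfile "$d/chain.pem" "$d/server.crt"
```

With files from a real CA, `chain_order_ok` and `key_matches` can be run on their own against the merged chain file and the issued certificate; a chain merged in the wrong order or a certificate issued for a different key makes them return non-zero.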

After generating or uploading the new certificate, the interface gateway restarts. This, however, does not impact production VMs running on the cluster but will impact connectivity to the Prism GUI.

For detailed instructions with commands and examples please refer to KB-4978 SSL Certificate Upload Troubleshooting - Replacing self-signed certificates with CA generated certificates in Prism.


You might also find useful:

KB-5191 Converting a Windows SSL Certificate for Prism

Security Guide: Certificate Management
