How to replace SSL certificates on Nimble Storage array


As the title suggests, I will walk you through how to replace the SSL certificates on a Nimble Storage array with a certificate signed by a Microsoft certificate authority.

If you look up the instructions in Nimble's documentation you will find the following:

Create the certificate or CSR:

cert --gen {array | group | custom | custom-csr} [--subject text] [--dnslist text] [--iplist text] [--num_days text] [--check] [--force]
NimbleOS $ cert --gen custom-csr --subject '/C=US/ST=CA/L=San Jose/O=Nimble Storage/OU=Engineering/CN=AF106656' \
    --dnslist group-kp-vma.nimblestorage.com,kp-vma.nimblestorage.com

You must then cut-and-paste the certificate request output into a CA signing request:

NimbleOS $ cert --import custom-ca

Then cut-and-paste the CA certificate and the output from the signing into the command inputs below:

NimbleOS $ cert --import custom

This seems pretty straightforward, but there are a couple of things to watch out for along the way.

Step 1: Generate the CSR

Log into the array via SSH. Run cert --help to see all the options available for the cert command.

Nimble OS $ cert --help
Usage: cert [options]
Manage SSL/TLS certificates for web browser access and Group Management APIs.

Available options are:
 --help Program help.

--gen {array|group|custom|custom-csr}
 Generate the specified certificate type.
 --subject text Subject or common name for the certificate.
 --dnslist text List of DNS names to include in the Subject
 Alternate Name.
 --iplist text List of IP addresses to include in the
 Subject Alternate Name.
 --num_days text Validity days.
 --check Check the current subject, DNS list, and IP
 list of the current group certificate
 against provided inputs.
 --force Force overwriting of certificate chain if it
 exists.

--import {custom-ca|custom} Import CA or signed certificate for custom
 certificate chain.

--delete {custom} Delete a certificate chain.

--use {array|group|custom} Select which certificate chain to use for
 HTTPS or APIs.
 --https Use the named certificate chain for HTTPS
 access.
 --apis Use the named certificate chain for access
 to APIs.

--list List currently available certificates.

--info {array|group|custom|custom-ca|custom-csr}
 Show properties of the given certificate.

You can see some of the options, such as --iplist, that are not given in the example on the Nimble InfoSight portal.

Now construct your certificate request so it looks something like this. I found the / in the example did not seem to work when creating a request.

cert --gen custom-csr --subject '/C=YourCountryCode/ST=YourState/L=YourLocation/O=Nimble Storage/OU=Engineering/CN=yourarrayname.domainname.local' --iplist 10.0.1.1

This will generate output similar to the following:

subject=/C=YourCountryCode/ST=YourState/L=YourLocation/O=Nimble Storage/OU=Engineering/CN=yourarrayname.domainname.local

-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

Step 2: Request the certificate from the certificate authority

Copy the CSR that has been generated and head over to the certificate authority web page. Typically the web page for this is https://yourCA.domain.local/certsrv. Choose to request a certificate.

[Screenshot: Nimble 1]

Then choose an advanced request, and then the following option.

[Screenshot: Nimble 2]

Paste the CSR into the window as shown below and choose an appropriate certificate template. The template I have set up for vSphere 6 VCSA has all the options required for this process already configured. Then hit Submit.

[Screenshot: Nimble 3]

Then, once it has been generated, download the certificate file in Base64 encoding and save it somewhere in the .CER file format.

[Screenshot: Nimble 4]

You will also need to grab a copy of your root and intermediate certificates from the certificate authority.

[Screenshot: Nimble 5]

Step 3: Import the certificates to the array

Before importing the signed certificate, the root certificate needs to be imported. This is where the cert --import custom-ca command is used. Open the root certificate you just downloaded with Notepad or similar and copy the certificate text. Then run the certificate import command from the SSH session:

cert --import custom-ca
Please enter certificate in PEM format followed by ^D:
-----BEGIN CERTIFICATE-----
MIIDjDCCAnSgAwIBAgIQeno//hWMGIxPwYADoqsQvzANBgkqhkiG9w0BAQsFADBO
MRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGTAXBgoJkiaJk/IsZAEZFglzaXRzZ3Jv
dXAxGjAYBgNVBAMTEVNJVFMgR3JvdXAgU0hBMjU2MB4XDTE2MTAyNTE1MjgxNFoX
DTM2MTAyNTE1MzgxM1owTjEVMBMGCgmSJomT8ixkARkWBWxvY2FsMRkwFwYKCZIm
iZPyLGQBGRYJc2l0c2dyb3VwMRowGAYDVQQDExFTSVRTIEdyb3VwIFNIQTI1NjCC
ASIwDQYJKoZIhvcNAQEBBsdfsfsdrwfwegrCggEBAMcrzjWcLm3Y+0L/wDpANpN8
4tT4IS2tcXA0HLfcNUo0To+K0R69LrjYUJdxUJ1sdTDiBsR9doBdJokKXhThuu5X
38oJ/g2dT5+fn/dddddddddddddddddddddixQ9kvm7GEZY+l+Illpjrw7ja6EwL
l138d6d8FCDsZFdddddddddddddddddddddHf1MXUHC18gSp6gw2CTNoBujh88Sy
ga1qOFKXZfl42ddddddddddddddddddddddXeC+EVWw+lJ942ZGmorCeF32KZvFn
22+yejgDyAey83g9cddddddddddddddddddCDcnVepA8Xm00IJmTY6WJy6pr8LUC
AwEAAaNmMGQwEwYJKddddddddddddddddddDAEEwCwYDVR0PBAQDAgGGMA8GA1Ud
EwEB/wQFMAMBAf8wHQYDdddddddddddddddiYexKLfvOg9D1cyLd5BQfMBAGCSsG
AQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBCwUAA4IBAQCgwb1DaoCeQJJbRnHIW8Z6
wdfCusGjj0DK/tqnmTxxr/I6QkDszpz15+3OYzNm1rReQJKKDUEJWxeR9anIVAy5
z4clFd+yKmyxORKTAJ3v5pGZoKX35WqpzL7emOprGrw87b2VapFjC1xtPlW3Wq2F
gN4OtPzbCumkNff/YLuJYhFQRBsARCegO3FHgcrZqB8AAQPKEeWK6cHRNeMnCouC
UTnlbWKyL6avzIV8mgWNDo+slSedykjdGIyrcrz06YiPxQBbGqMUvpa2/y2nZ6Au
685BFUpAgViez+6A7yZm/YRFfIcR3uowAoShkKi8pzkoqqrHnFEE/7+B+ZUg5kUQ
-----END CERTIFICATE----- <--- CARRIAGE RETURN HERE
PRESS CTRL+D HERE

Two things to note above. After you have pasted the certificate you need to press Enter (carriage return) to drop to the next line, THEN you need to press CTRL+D to submit the certificate.
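Both gotchas above (the END line must be followed by a newline before Ctrl+D, and the paste must be an intact certificate) can be checked before anything is typed into the array. The following is an added example, not code from the original post or from Nimble: a small Python script, standard library only, that lints the PEM text you are about to paste into cert --import. It confirms the BEGIN/END labels match, that every body is valid base64 and decodes to a complete DER SEQUENCE (a truncated paste often still decodes, so the length the certificate declares is compared with what was decoded), and that the text ends with the newline the prompt needs. The SAMPLE_PEM at the bottom is a constructed stand-in, not a real certificate.

```python
import base64
import re
from dataclasses import dataclass, field

# One PEM block: BEGIN label, base64 body, END with the same label.
# CRLF line endings are tolerated because Windows CA exports use them.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)


@dataclass
class PemReport:
    blocks: int = 0
    labels: list = field(default_factory=list)
    ends_with_newline: bool = False
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.blocks > 0 and self.ends_with_newline and not self.problems


def der_is_complete(der: bytes) -> bool:
    """True if the outer DER SEQUENCE header's declared length matches the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    length, pos = der[1], 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(der[2:2 + n], "big")
        pos += n
    return pos + length == len(der)


def check_pem_for_import(text: str) -> PemReport:
    """Sanity-check text about to be pasted into `cert --import` (all local)."""
    report = PemReport(ends_with_newline=text.endswith("\n"))
    if not report.ends_with_newline:
        report.problems.append(
            "no trailing newline after the END line (press Enter before Ctrl+D)"
        )
    for label, body in PEM_BLOCK.findall(text):
        report.blocks += 1
        report.labels.append(label)
        lines = body.split()
        # Every body line except the last is 64 characters in a clean export;
        # anything else usually means the paste was wrapped or mangled.
        if any(len(line) != 64 for line in lines[:-1]):
            report.problems.append(f"{label} #{report.blocks}: body lines are not 64 characters")
        try:
            der = base64.b64decode("".join(lines), validate=True)
        except ValueError:
            report.problems.append(f"{label} #{report.blocks}: body is not valid base64")
            continue
        if not der_is_complete(der):
            report.problems.append(f"{label} #{report.blocks}: DER length mismatch (truncated or corrupted)")
    if report.blocks == 0:
        report.problems.append("no BEGIN/END block found")
    return report


def normalize_for_paste(text: str) -> str:
    """Convert CRLF to LF and guarantee the single final newline the prompt needs."""
    text = text.replace("\r\n", "\n").replace("\r", "\n").strip("\n")
    return text + "\n"


# Constructed sample (not a real certificate): a minimal DER SEQUENCE { INTEGER 5 }
# so the checks can be exercised offline.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQU=\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    rep = check_pem_for_import(data)
    print("OK" if rep.ok else "PROBLEMS:", rep.problems)
```

Run it with the path to the .CER you saved from the CA (python check_pem.py root.cer); if it reports a missing trailing newline, normalize_for_paste gives you text that will go straight through the import prompt.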

The next and final step is to import the custom certificate using the cert --import custom command:

cert --import custom
Please enter certificate in PEM format followed by ^D:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
INFO: custom certificate chain installed for API use
INFO: custom certificate chain installed for HTTPS use

Same as before, press Enter after the END CERTIFICATE line followed by CTRL+D to commit the certificate. Note how the custom certificate chain is now in use for API and HTTPS access. Verify the certificate works by browsing to the array in your favourite web browser.
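The browser padlock only tells you the chain validated for the name you typed. As an added example (not part of the original post, and not Nimble code), the script below checks the installed certificate programmatically with only the Python standard library: it walks the certificate's DER to read the subjectAltName and confirms that the CN/DNS name and the --iplist address you put in the CSR are both present, and a second function confirms the chain the array serves validates against the root you downloaded from the CA. The host name yourarrayname.domainname.local, the IP 10.0.1.1 and the root.cer path are placeholders from this walkthrough; build_sample_cert produces a constructed, unsigned skeleton purely so the parser can be exercised offline.

```python
import ipaddress
import socket
import ssl

SAN_OID = b"\x55\x1d\x11"  # DER encoding of OID 2.5.29.17 (id-ce-subjectAltName)


def read_tlv(der: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, der[pos:pos + length], pos + length


def san_from_der(der: bytes):
    """Return (dns_names, ip_addresses) from a DER certificate's SAN extension.

    Walks Certificate -> tbsCertificate -> extensions [3] -> Extension and
    decodes only dNSName ([2]) and iPAddress ([7]) GeneralNames.
    """
    _, cert_body, _ = read_tlv(der, 0)         # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert_body, 0)         # tbsCertificate SEQUENCE
    extensions, pos = b"", 0
    while pos < len(tbs):
        tag, value, pos = read_tlv(tbs, pos)
        if tag == 0xA3:                        # [3] EXPLICIT Extensions
            _, extensions, _ = read_tlv(value, 0)
    dns, ips, pos = [], [], 0
    while pos < len(extensions):
        _, ext, pos = read_tlv(extensions, pos)   # Extension SEQUENCE
        _, oid, q = read_tlv(ext, 0)
        if oid != SAN_OID:
            continue
        tag, value, q = read_tlv(ext, q)
        if tag == 0x01:                        # optional "critical" BOOLEAN
            tag, value, q = read_tlv(ext, q)
        _, names, _ = read_tlv(value, 0)       # GeneralNames SEQUENCE inside the OCTET STRING
        q = 0
        while q < len(names):
            tag, value, q = read_tlv(names, q)
            if tag == 0x82:
                dns.append(value.decode("ascii"))
            elif tag == 0x87:
                ips.append(str(ipaddress.ip_address(value)))
    return dns, ips


def missing_san_entries(der: bytes, expected_dns, expected_ips):
    """List the expected names/IPs the certificate does NOT carry (empty list = good)."""
    dns, ips = san_from_der(der)
    return [f"DNS:{d}" for d in expected_dns if d not in dns] + \
           [f"IP:{i}" for i in expected_ips if i not in ips]


def fetch_array_cert_der(host: str, port: int = 443) -> bytes:
    """Fetch the certificate the array presents (no validation at this stage)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def chain_validates(host: str, root_pem_path: str, port: int = 443) -> bool:
    """True if the chain the array serves validates against the downloaded root."""
    ctx = ssl.create_default_context(cafile=root_pem_path)
    try:
        with ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host):
            return True
    except ssl.SSLCertVerificationError:
        return False


def encode_tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed sample below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_cert(dns_names, ips) -> bytes:
    """Constructed, unsigned certificate skeleton carrying only a SAN extension."""
    names = b"".join(encode_tlv(0x82, d.encode("ascii")) for d in dns_names)
    names += b"".join(encode_tlv(0x87, ipaddress.ip_address(i).packed) for i in ips)
    san_ext = encode_tlv(0x30, encode_tlv(0x06, SAN_OID) + encode_tlv(0x04, encode_tlv(0x30, names)))
    tbs = encode_tlv(0x30, encode_tlv(0xA0, encode_tlv(0x02, b"\x02"))  # version v3
                     + encode_tlv(0x02, b"\x01")                        # serialNumber
                     + encode_tlv(0xA3, encode_tlv(0x30, san_ext)))     # extensions [3]
    return encode_tlv(0x30, tbs)                                        # signature parts omitted


if __name__ == "__main__":
    # Placeholders from the walkthrough; replace with your array name, IP and root file.
    host, ip, root = "yourarrayname.domainname.local", "10.0.1.1", "root.cer"
    print("missing SAN entries:", missing_san_entries(fetch_array_cert_der(host), [host], [ip]))
    print("chain validates against root:", chain_validates(host, root))
```

If missing_san_entries reports IP:10.0.1.1 the CSR was generated without --iplist and the browser will warn when the array is reached by address; if chain_validates is False while the browser is happy, the browser is trusting a root from its own store and the array may not be serving the intermediate.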

That’s it!

Ian
