How to replace SSL certificates on Nimble Storage array

As the title suggests, I will walk you through how to replace the SSL certificates on a Nimble Storage array with a certificate signed by a Microsoft certificate authority.

If you look up the instructions in Nimble's documentation you will find the following:

Create the certificate or CSR:

cert --gen {array | group | custom | custom-csr} [--subject text] [--dnslist text] [--iplist text] [--num_days text] [--check] [--force]

You must then cut-and-paste the certificate request output into a CA signing request:

Then cut-and-paste the CA certificate and the output from the signing into the command inputs below:

This seems pretty straightforward, but there are a couple of things to watch out for along the way.

Step 1: Generate the CSR

Log into the array via SSH. Run cert --help to check out all the options available to use with the cert command.

You can see some of the variables, such as --iplist, that are not given in the example on the Nimble InfoSight portal.

Now construct your certificate request so it looks something like this. I found the / in the example did not seem to work when creating a request.

This will generate output similar to the one below.

Step 2: Request the certificate from the certificate authority

Copy the CSR that has been generated and head over to the certificate authority web page. Typically the web page for this is https://yourCA.domain.local/certsrv. Choose to request a certificate.

Then choose an advanced request, followed by the option below.

Paste the CSR into the window as below and choose an appropriate certificate template. The template I have set up for vSphere 6 VCSA has all the options required for this process already configured. Then hit Submit.

Once it has been generated, download the certificate file in Base64 format and save it somewhere as a .CER file.

You will also need to grab a copy of your root and intermediate certificates from the certificate authority.

Step 3: Import the certificates to the array.

Before importing the signed certificate, the root certificate needs to be imported. This is where the cert --import custom-ca command is used. Open the root certificate you just downloaded with Notepad or similar and copy the certificate text. Then run the certificate import command from the SSH session.

Two things to note above: after you have pasted the certificate you need to press Enter (carriage return) to drop to the next line, THEN press CTRL+D to submit the certificate.

The next and final step is to import the custom certificate using the cert --import custom command.

Same as before, hit carriage return after the END CERTIFICATE line, followed by CTRL+D to commit the certificate. Note how the custom certificate chain is now in use for API and HTTPS access. Verify the certificate works by browsing to the array in your favourite web browser.
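Before pasting anything into the array it pays to check the files on a workstation, because a bad paste only shows up as an opaque import error. The script below is an added example; it is not part of the original post and not Nimble's own tooling. It assumes the openssl command-line tool on the workstation, an array name of array01.example.local, and a throwaway test CA (root, issuing CA and array certificate) that it constructs itself to stand in for the Microsoft CA, all of which are assumptions made for the example. It converts a Windows CA export (.CER, base64 or DER) to base64 text, builds the single root-then-intermediate bundle that the custom-ca import expects, checks that the CSR actually carries the names requested with --dnslist, and verifies the signed certificate against the bundle and the array's name. The checks also show why a root-only paste leaves the signed certificate unverifiable.

```shell
#!/bin/sh
# Added example, not from the original post or from Nimble's own tooling.
# Pre-flight checks for the files pasted into "cert --import custom-ca"
# and "cert --import custom". The array FQDN, file names and the
# throwaway test CA built in make_test_pki are all constructed here.
set -eu

# Emit a certificate as base64 (PEM) text whatever format the CA handed out.
to_pem() {   # usage: to_pem cert.cer
  if grep -q 'BEGIN CERTIFICATE' "$1"; then
    cat "$1"
  else
    openssl x509 -inform DER -in "$1" -outform PEM
  fi
}

# Concatenate root then intermediate(s) into one paste-ready file and make sure
# it ends with a newline, so the "carriage return, then CTRL+D" step works.
# Prints the number of certificates in the bundle.
build_ca_bundle() {   # usage: build_ca_bundle out.pem root.cer [intermediate.cer ...]
  bundle_out=$1; shift
  : > "$bundle_out"
  for cert_file in "$@"; do
    to_pem "$cert_file" >> "$bundle_out"
  done
  [ -z "$(tail -c1 "$bundle_out")" ] || printf '\n' >> "$bundle_out"
  grep -c 'BEGIN CERTIFICATE' "$bundle_out"
}

# Return 0 only if the CSR carries the given DNS name as a subjectAltName.
csr_has_san() {   # usage: csr_has_san request.csr dns.name
  openssl req -noout -text -in "$1" | tr ', ' '\n\n' | grep -qx "DNS:$2"
}

# Print "ok" (and return 0) only if the signed certificate verifies against the
# bundle AND matches the array's FQDN; otherwise print nothing and return 1.
check_array_cert() {   # usage: check_array_cert signed.cer bundle.pem array.fqdn
  signed_pem=$(to_pem "$1")
  printf '%s\n' "$signed_pem" | openssl verify -CAfile "$2" >/dev/null 2>&1 || return 1
  printf '%s\n' "$signed_pem" | openssl x509 -noout -checkhost "$3" 2>/dev/null \
    | grep -q 'does match' || return 1
  echo ok
}

# Constructed test hierarchy (root -> issuing CA -> array cert) so the checks
# can be exercised offline; it stands in for a real Microsoft CA and array CSR.
make_test_pki() {   # usage: make_test_pki dir
  d=$1
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Constructed Test Root CA' \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 -sha256 \
    -extfile "$d/ca.ext" -out "$d/root.cer" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Constructed Test Issuing CA' \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.cer" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 -sha256 -extfile "$d/ca.ext" -out "$d/int.cer" 2>/dev/null
  # The array's CSR, carrying the SANs that --dnslist would add.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj '/O=Nimble Storage/CN=array01.example.local' \
    -addext 'subjectAltName=DNS:array01.example.local,DNS:array01' \
    -keyout "$d/array.key" -out "$d/array.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:array01.example.local,DNS:array01\nextendedKeyUsage=serverAuth\n' > "$d/array.ext"
  openssl x509 -req -in "$d/array.csr" -CA "$d/int.cer" -CAkey "$d/int.key" -CAcreateserial \
    -days 2 -sha256 -extfile "$d/array.ext" -out "$d/array.cer" 2>/dev/null
}
```

With real files you would skip make_test_pki and run build_ca_bundle on the root and intermediate you downloaded, then check_array_cert on the signed .CER; the bundle file is what gets pasted at the custom-ca prompt. Once the import is done, openssl s_client -connect array.fqdn:443 -showcerts on a workstation shows the chain the array now serves, which is a more precise check than a browser padlock.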

That’s it!

Ian

13 Responses

  1. Matt Brown says:

    Thanks. Worth noting that at least in 5.0.2.0, the HTTPS and APIs certs are automatically switched to custom once the final import takes place. I didn’t like that, but maybe some people do.

    Otherwise:

    cert --use custom --https
    cert --use custom --apis

    • Ian says:

      Hi Matt, thanks for the tip. That was not something I was aware of. I am sure other people will find that useful.

      Cheers,

      Ian

  2. Brian Reine says:

    How do you add the Intermediate (issuing CA)? I tried both the custom-ca and custom parameters, but it bombs on both.

    • Ian says:

      Hi Brian,

      The step where you import custom CA, the root and the intermediate need to be pasted in at the same time. So it would look something like —-begin cert—- THE ROOT CERT —-end cert—-
      —-begin cert—- THE INTERMEDIATE CERT —-end cert—-

      If it’s from a Windows CA, you can download the certificate chain, or if they have been distributed round your org, you can export the root and intermediate from a workstation and combine them in a text editor before pasting into the SSH session.

      Hope this helps,

      Ian

      • Brian Reine says:

        Brilliant! Thank you so much! I had tried just about every combination but that. It worked, and I’m off and running!

      • Soteris says:

        I can confirm that as of 20-Aug-2018 and NimbleOS 5.0.4.0-576551, entering the chain certificate from a Windows CA does not work. If you enter your root certificate along with the intermediary certificate in one file (Base64, copied into Notepad), it does work.

  3. Soteris says:

    I would like to ask: if I want to add multiple subject names, how would I do that, if it is supported of course?

    • Ian says:

      Hi,

      Looking at the commands available I would imagine you can use the --dnslist option to specify multiple subject alternate names. So the request would look something like this: "cert --gen custom-csr --subject '/C=YourCountryCode/ST=YourState/L=YourLocation/O=Nimble Storage/OU=Engineering/CN=yourarrayname.domainname.local' --dnslist SAN1.yourdomain.local,SAN2.yourdomain.local"

      Admittedly I have not added SANs to a cert used for a Nimble array, but I cannot see why it would not work.

      Cheers,

      Ian

  4. Koteswara Rao Kelam says:

    Thanks for the post, it is very useful. Are there any REST APIs corresponding to these commands for creating a CSR and uploading a certificate to Nimble? I want to automate this process using REST APIs.
    Regards,
    Koteswar

    • Ian says:

      Hi Koteswar,

      Sorry, I am not sure if there are REST APIs associated with this. There may be something in the admin guides on Infosight to help out?

      Ian

  5. LittleJim says:

    You say “The template I have setup for vSphere 6 VCSA has all the options required for this process already configured.”

    But you don’t tell us what the required options are?
