How to replace SSL certificates on Nimble Storage array

by Ian · 14th July 2017

How to replace SSL certificates on Nimble Storage array.

As the title suggests, I will walk you through how to replace the SSL certificates on a Nimble Storage array with a certificate signed by a Microsoft certificate authority.

If you look up the instructions in Nimbles documentation you will find the following:

Create the certificate or CSR:

cert —gen {array | group | custom | custom-csr} [–subject text] [–dnslist text] [–iplist text] [–num_days text] [–check] [–force]

<samp class="ph codeph">NimbleOS $ cert --gen custom-csr --subject '/C=US/ST=CA/L=San Jose/O=Nimble Storage/OU=Engineering/CN=AF106656' \ --dnslist group-kp-vma.nimblestorage.com,kp-vma.nimblestorage.com</samp>

1	<samp class="ph codeph">NimbleOS $ cert --gen custom-csr --subject '/C=US/ST=CA/L=San Jose/O=Nimble Storage/OU=Engineering/CN=AF106656' \ --dnslist group-kp-vma.nimblestorage.com,kp-vma.nimblestorage.com</samp>

You must then cut-and-paste the certificate request output into a CA signing request:

<samp class="ph codeph">NimbleOS $ cert --import custom-ca</samp>

1	<samp class="ph codeph">NimbleOS $ cert --import custom-ca</samp>

Then cut-and-paste the CA certificate and the output from the signing into the command inputs below:

<samp class="ph codeph">NimbleOS $ cert --import custom</samp>

1	<samp class="ph codeph">NimbleOS $ cert --import custom</samp>

Which seems pretty straight forward but there are a couple of things to watch out for along the way.

Step 1: Generate the CSR

Log into the array via SSH. Run cert –help to check out all the options available to use with the cert command.

Nimble OS $ cert --help
Usage: cert [options]
Manage SSL/TLS certificates for web browser access and Group Management APIs.

Available options are:
 --help Program help.

--gen {array|group|custom|custom-csr}
 Generate the specified certificate type.
 --subject text Subject or common name for the certificate.
 --dnslist text List of DNS names to include in the Subject
 Alternate Name.
 --iplist text List of IP addresses to include in the
 Subject Alternate Name.
 --num_days text Validity days.
 --check Check the current subject, DNS list, and IP
 list of the current group certificate
 against provided inputs.
 --force Force overwriting of certificate chain if it
 exists.

--import {custom-ca|custom} Import CA or signed certificate for custom
 certificate chain.

--delete {custom} Delete a certificate chain.

--use {array|group|custom} Select which certificate chain to use for
 HTTPS or APIs.
 --https Use the named certificate chain for HTTPS
 access.
 --apis Use the named certificate chain for access
 to APIs.

--list List currently available certificates.

--info {array|group|custom|custom-ca|custom-csr}
 Show properties of the given certificate.

Nimble OS $ cert --help

Usage: cert [options]

Manage SSL/TLS certificates for web browser access and Group Management APIs.

Available options are:

--help Program help.

--gen {array|group|custom|custom-csr}

Generate the specified certificate type.

--subject text Subject or common name for the certificate.

--dnslist text List of DNS names to include in the Subject

Alternate Name.

--iplist text List of IP addresses to include in the

Subject Alternate Name.

--num_days text Validity days.

--check Check the current subject, DNS list, and IP

list of the current group certificate

against provided inputs.

--force Force overwriting of certificate chain if it

exists.

--import {custom-ca|custom} Import CA or signed certificate for custom

certificate chain.

--delete {custom} Delete a certificate chain.

--use {array|group|custom} Select which certificate chain to use for

HTTPS or APIs.

--https Use the named certificate chain for HTTPS

access.

--apis Use the named certificate chain for access

to APIs.

--list List currently available certificates.

--info {array|group|custom|custom-ca|custom-csr}

Show properties of the given certificate.

You can see some of the variables such as –iplist that are not given in the example on the Nimble Infosight portal.

Now construct your certificate request so it looks something like this. I found the / in the example did not seem to work when creating a request.

cert --gen custom-csr --subject '/C=YourCountryCode/ST=YourState/L=YourLocation/O=Nimble Storage/OU=Engineering/CN=yourarrayname.domainname.local' --iplist 10.0.1.1

1	cert --gen custom-csr --subject '/C=YourCountryCode/ST=YourState/L=YourLocation/O=Nimble Storage/OU=Engineering/CN=yourarrayname.domainname.local' --iplist 10.0.1.1

Which will generate an output similar to below

subject=/C=YourCountryCode/ST=YourState/L=YourLocation/O=Nimble Storage/OU=Engineering/CN=yourarrayname.domainname.local

-----BEGIN CERTIFICATE REQUEST-----
MIIDDDCCAfQCAQAwgYwxCzAJBgNVBAYTAlVLMRcwFQYDVQQIDA5Ob3J0aHVtYmVy
bGFuZDEUMBIGA1UEBwwLQ3JhbWxpbmd0b24xFzAVBgNVBAoMDk5pbWJsZSBTdG9y
YWdlMRQwEgYDVQQLDAtwwdsffsslcmluZzEfMB0GA1UEAwwWc2ZhMTAwLnNpdHNn
cm91cC5sb2NhbDCCASwwdsdsffwIhvcNAQEBBQADggEPADCCAQoCggEBAKntq/wD
sEzgg38OJlaYOmKjZDoi+MJbW714V83kneiInaMKJeYZ8QtEKJQe0pn6bhwvfCU2
sLtFGjhBas7cpxN90TIGG3fn57V72pvYGalkAPaFsvNC8j9H/c1NoPs6Jg6+YQVY
Gp+zBg6eqHjGwqi8wbI9ereffeePB6EWjiAVsRFH/TzcLGRJISejUNAeHjTSvGD0
sN32khW8ys/sMvm3sRYMzadadadK8WKJExP2Y0CmxX8Gm7nLpyTRQ7A7yxaXeg0g
/bhyhAQX7hg8JFJfXm44/eagspnALzIrSu7axB6EPHGbxiTdNUtAlzYgcdG1G9G9
wjoCg0jTHgEE+K0CAwEAAsdsdsgGCSqGSIb3DQEJDjErMCkwJwYDVR0RBCAwHoIW
U0ZBMTAwLnNpdHNncm91cC5sb2NhbIcECgB4pTANBgkqhkiG9w0BAQsFAAOCAQEA
FZj2gI2kM6wODwtveZxqmAaD0GXi01r8HP5/5fVo9uJR5NuBv8Yq02x6a4kGDeUo
O56NAOEhw836WYwM02mE9h6OTrATsxpXQTOCcxMfR8PYKdbnrQymCUYwD3iZcK9A
evxcJwEBMazLua7JpESv9evNmxdKal7iFsbaHIAO7lGFBBstL+tc5Fl0d7cwBq2g
i7BH+Vgc0XUaqBPhBWHTv4em+yuQxYIfGX+GiHyOA5BBNF9Z5TFbTMJtOFmXNb7M
R4hfXT4tZ3RQR0J35lno2PWOhHtuxRYxpzziywapbRH8+3BWXofoxSqp53GV5uuT
XWpFIgAF1G1h5LILsfqR4g==
-----END CERTIFICATE REQUEST-----

subject=/C=YourCountryCode/ST=YourState/L=YourLocation/O=Nimble Storage/OU=Engineering/CN=yourarrayname.domainname.local

-----BEGIN CERTIFICATE REQUEST-----

MIIDDDCCAfQCAQAwgYwxCzAJBgNVBAYTAlVLMRcwFQYDVQQIDA5Ob3J0aHVtYmVy

bGFuZDEUMBIGA1UEBwwLQ3JhbWxpbmd0b24xFzAVBgNVBAoMDk5pbWJsZSBTdG9y

YWdlMRQwEgYDVQQLDAtwwdsffsslcmluZzEfMB0GA1UEAwwWc2ZhMTAwLnNpdHNn

cm91cC5sb2NhbDCCASwwdsdsffwIhvcNAQEBBQADggEPADCCAQoCggEBAKntq/wD

sEzgg38OJlaYOmKjZDoi+MJbW714V83kneiInaMKJeYZ8QtEKJQe0pn6bhwvfCU2

sLtFGjhBas7cpxN90TIGG3fn57V72pvYGalkAPaFsvNC8j9H/c1NoPs6Jg6+YQVY

Gp+zBg6eqHjGwqi8wbI9ereffeePB6EWjiAVsRFH/TzcLGRJISejUNAeHjTSvGD0

sN32khW8ys/sMvm3sRYMzadadadK8WKJExP2Y0CmxX8Gm7nLpyTRQ7A7yxaXeg0g

/bhyhAQX7hg8JFJfXm44/eagspnALzIrSu7axB6EPHGbxiTdNUtAlzYgcdG1G9G9

wjoCg0jTHgEE+K0CAwEAAsdsdsgGCSqGSIb3DQEJDjErMCkwJwYDVR0RBCAwHoIW

U0ZBMTAwLnNpdHNncm91cC5sb2NhbIcECgB4pTANBgkqhkiG9w0BAQsFAAOCAQEA

FZj2gI2kM6wODwtveZxqmAaD0GXi01r8HP5/5fVo9uJR5NuBv8Yq02x6a4kGDeUo

O56NAOEhw836WYwM02mE9h6OTrATsxpXQTOCcxMfR8PYKdbnrQymCUYwD3iZcK9A

evxcJwEBMazLua7JpESv9evNmxdKal7iFsbaHIAO7lGFBBstL+tc5Fl0d7cwBq2g

i7BH+Vgc0XUaqBPhBWHTv4em+yuQxYIfGX+GiHyOA5BBNF9Z5TFbTMJtOFmXNb7M

R4hfXT4tZ3RQR0J35lno2PWOhHtuxRYxpzziywapbRH8+3BWXofoxSqp53GV5uuT

XWpFIgAF1G1h5LILsfqR4g==

-----END CERTIFICATE REQUEST-----

Step 2: Request the certificate for the certificate authority

Copy the CSR that has been generated and head over to the certificate authority web page. Typically the webpage for this is https://yourCA.domain.local/certsrv. Choose to request a certificate

Then an advanced request then the following option.

Paste the CSR into the window as below and choose an appropriate certificate template. The template I have setup for vSphere 6 VCSA has all the options required for this process already configured. Then hit submit

Then download the certificate file in base 64 once it has been generated and save it some where in the .CER file format.

You will also need to grab a copy of your root and intermediate certificates from the certificate authority.

Step 3: Import the certificates to the array.

Before importing the the signed certificate, the root certificate needs to be imported. This is where the cert –import custom-ca command is used. Open the root certificate you just downloaded with notepad or similar and copy the certificate text. Then run the certificate import command from the SSH session

cert --import custom-ca
Please enter certificate in PEM format followed by ^D:
-----BEGIN CERTIFICATE-----
MIIDjDCCAnSgAwIBAgIQeno//hWMGIxPwYADoqsQvzANBgkqhkiG9w0BAQsFADBO
MRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGTAXBgoJkiaJk/IsZAEZFglzaXRzZ3Jv
dXAxGjAYBgNVBAMTEVNJVFMgR3JvdXAgU0hBMjU2MB4XDTE2MTAyNTE1MjgxNFoX
DTM2MTAyNTE1MzgxM1owTjEVMBMGCgmSJomT8ixkARkWBWxvY2FsMRkwFwYKCZIm
iZPyLGQBGRYJc2l0c2dyb3VwMRowGAYDVQQDExFTSVRTIEdyb3VwIFNIQTI1NjCC
ASIwDQYJKoZIhvcNAQEBBsdfsfsdrwfwegrCggEBAMcrzjWcLm3Y+0L/wDpANpN8
4tT4IS2tcXA0HLfcNUo0To+K0R69LrjYUJdxUJ1sdTDiBsR9doBdJokKXhThuu5X
38oJ/g2dT5+fn/dddddddddddddddddddddixQ9kvm7GEZY+l+Illpjrw7ja6EwL
l138d6d8FCDsZFdddddddddddddddddddddHf1MXUHC18gSp6gw2CTNoBujh88Sy
ga1qOFKXZfl42ddddddddddddddddddddddXeC+EVWw+lJ942ZGmorCeF32KZvFn
22+yejgDyAey83g9cddddddddddddddddddCDcnVepA8Xm00IJmTY6WJy6pr8LUC
AwEAAaNmMGQwEwYJKddddddddddddddddddDAEEwCwYDVR0PBAQDAgGGMA8GA1Ud
EwEB/wQFMAMBAf8wHQYDdddddddddddddddiYexKLfvOg9D1cyLd5BQfMBAGCSsG
AQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBCwUAA4IBAQCgwb1DaoCeQJJbRnHIW8Z6
wdfCusGjj0DK/tqnmTxxr/I6QkDszpz15+3OYzNm1rReQJKKDUEJWxeR9anIVAy5
z4clFd+yKmyxORKTAJ3v5pGZoKX35WqpzL7emOprGrw87b2VapFjC1xtPlW3Wq2F
gN4OtPzbCumkNff/YLuJYhFQRBsARCegO3FHgcrZqB8AAQPKEeWK6cHRNeMnCouC
UTnlbWKyL6avzIV8mgWNDo+slSedykjdGIyrcrz06YiPxQBbGqMUvpa2/y2nZ6Au
685BFUpAgViez+6A7yZm/YRFfIcR3uowAoShkKi8pzkoqqrHnFEE/7+B+ZUg5kUQ
-----END CERTIFICATE----- &lt;--- CARRIAGE RETURN HERE
PRESS CTRL+D HERE

cert --import custom-ca

Please enter certificate in PEM format followed by ^D:

-----BEGIN CERTIFICATE-----

MIIDjDCCAnSgAwIBAgIQeno//hWMGIxPwYADoqsQvzANBgkqhkiG9w0BAQsFADBO

MRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGTAXBgoJkiaJk/IsZAEZFglzaXRzZ3Jv

dXAxGjAYBgNVBAMTEVNJVFMgR3JvdXAgU0hBMjU2MB4XDTE2MTAyNTE1MjgxNFoX

DTM2MTAyNTE1MzgxM1owTjEVMBMGCgmSJomT8ixkARkWBWxvY2FsMRkwFwYKCZIm

iZPyLGQBGRYJc2l0c2dyb3VwMRowGAYDVQQDExFTSVRTIEdyb3VwIFNIQTI1NjCC

ASIwDQYJKoZIhvcNAQEBBsdfsfsdrwfwegrCggEBAMcrzjWcLm3Y+0L/wDpANpN8

4tT4IS2tcXA0HLfcNUo0To+K0R69LrjYUJdxUJ1sdTDiBsR9doBdJokKXhThuu5X

38oJ/g2dT5+fn/dddddddddddddddddddddixQ9kvm7GEZY+l+Illpjrw7ja6EwL

l138d6d8FCDsZFdddddddddddddddddddddHf1MXUHC18gSp6gw2CTNoBujh88Sy

ga1qOFKXZfl42ddddddddddddddddddddddXeC+EVWw+lJ942ZGmorCeF32KZvFn

22+yejgDyAey83g9cddddddddddddddddddCDcnVepA8Xm00IJmTY6WJy6pr8LUC

AwEAAaNmMGQwEwYJKddddddddddddddddddDAEEwCwYDVR0PBAQDAgGGMA8GA1Ud

EwEB/wQFMAMBAf8wHQYDdddddddddddddddiYexKLfvOg9D1cyLd5BQfMBAGCSsG

AQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBCwUAA4IBAQCgwb1DaoCeQJJbRnHIW8Z6

wdfCusGjj0DK/tqnmTxxr/I6QkDszpz15+3OYzNm1rReQJKKDUEJWxeR9anIVAy5

z4clFd+yKmyxORKTAJ3v5pGZoKX35WqpzL7emOprGrw87b2VapFjC1xtPlW3Wq2F

gN4OtPzbCumkNff/YLuJYhFQRBsARCegO3FHgcrZqB8AAQPKEeWK6cHRNeMnCouC

UTnlbWKyL6avzIV8mgWNDo+slSedykjdGIyrcrz06YiPxQBbGqMUvpa2/y2nZ6Au

685BFUpAgViez+6A7yZm/YRFfIcR3uowAoShkKi8pzkoqqrHnFEE/7+B+ZUg5kUQ

-----END CERTIFICATE----- <--- CARRIAGE RETURN HERE

PRESS CTRL+D HERE

2 things to note above. After you have pasted the certificate you need to input carriage return to drop to the next line,THEN you need to input CTRL+D to submit the certificate.

Next and final step is to import the custom certificate using the cert —import custom command

cert --import custom
Please enter certificate in PEM format followed by ^D:
-----BEGIN CERTIFICATE-----
MIIGkDCCBXigAwIBAgITZwAAABbhjeZLg8Yb8wAAAAAAFjANBgkqhkiG9w0BAQsF
ADBOMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGTAXBgoJkiaJk/IsZAEZFglzaXRz
Z3JvdXAxGjAYBgNVBAMTEVNJVFMgR3JvdXAgU0hBMjU2MB4XDTE3MDcxMzA4NTU1
MloXDTI3MDcxMTA4NTU1MlowgYwxCzAJBgNVBAYTAlVLMRcwFQYDVQQIEw5Ob3J0
aHVtYmVybGFuZDEUMBIGA1UEBxMLQ3JhbWxpbmd0b24xFzAVBgNVBAoTDk5pbWJs
MIIGkDCCBXigAwIBAgITZwAAABbhjeZLg8Yb8wAAAAAAFjANBgkqhkiG9w0BAQsF
ADBOMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGTAXBgoJkiaJk/IsZAEZFglzaXRz
Z3JvdXAxGjAYBgNVBAMTEVNJVFMgR3JvdXAgU0hBMjU2MB4XDTE3MDcxMzA4NTU1
MloXDTI3MDcxMTA4NTU1MlowgYwxCzAJBgNVBAYTAlVLMRcwFQYDVQQIEw5Ob3J0
aHVtYmVybGFuZDEUMBIGA1UEBxMLQ3JhbWxpbmd0b24xFzAVBgNVBAoTDk5pbWJs
yxaXeg0g/bhyhAQX7hg8JFJfXm44/eagspnALzIrSu7axB6EPHGbxiTdNUtAlzYg
cdG1G9G9wjoCg0jTHgEE+K0CAwEAAaOCAyYwggMiMCcGA1UdEQQgMB6CFlNGQTEw
MC5zaXRzZ3JvdXAubG9jYWyHBAoAeKUwHQYDVR0OBBYEFOhSsKWaH/wrbYX9xjOJ
fJcVQb0iMB8GA1UdIwQYMBaAFFLIZuTiYexKLfvOg9D1cyLd5BQfMIIBHAYDVR0f
BIIBEzCCAQ8wggELoIIBB6CCAQOGgcFsZGFwOi8vL0NOPVNJVFMlMjBHcm91cCUy
MFNIQTI1NixDTj1TSVRTQ0EwMixDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2Vy
dmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1zaXRzZ3JvdXAs
REM9bG9jYWw/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENs
cm91cCUyMFNIQTI1NixDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMs
Q049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1zaXRzZ3JvdXAsREM9bG9j
BQUHAQEEggEnMIIBIzCBuAYIKwYBBQUHMAKGgatsZGFwOi8vL0NOPVNJVFMlMjBH
cm91cCUyMFNIQTI1NixDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMs
Q049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1zaXRzZ3JvdXAsREM9bG9j
YWw/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25B
dXRob3JpdHkwZgYIKwYBBQUHMAKGWmh0dHA6Ly9zaXRzY2EwMi5zaXRzZ3JvdXAu
bG9jYWwvQ2VydERhdGFTSVRTQ0EwMi5zaXRzZ3JvdXAubG9jYWxfU0lUUyUyMEdy
b3VwJTIwU0hBMjU2LmNydDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB
hjA9BgkrBgEEAYI3FQcEMDAuBiYrBgEEAYI3FQiEyqt9go/gVcWBPofmriOC09dr
tX2i42scdw/CGRw9fWcAhdsUvf1C3moLo9Ct5GfWe60/FQLZNNH/jVgxDfstfnxg
0m+sep2prQlJ58j5kNHF/6+r36cmFABjOE3enzyOUM5y8AILOkFqydkz9NSMy7Os
zAaRwK+okwSwV6+bjvvAki8+/Bm3dzVRVEKJtcKn7XC2CXW9KMG5hgEJvaHNlUR9
2uD01wjE/9BD1/RA+YPplJKHKa0ZVuDG86X9UnnKxJ6Ce/DkhDc5JtG07EF10vJ0
tX2i42scdw/CGRw9fWcAhdsUvf1C3moLo9Ct5GfWe60/FQLZNNH/jVgxDfstfnxg
0m+sep2prQlJ58j5kNHF/6+r36cmFABjOE3enzyOUM5y8AILOkFqydkz9NSMy7Os
6DjnOw==
-----END CERTIFICATE-----
INFO: custom certificate chain installed for API use
INFO: custom certificate chain installed for HTTPS use

cert --import custom

Please enter certificate in PEM format followed by ^D:

-----BEGIN CERTIFICATE-----

MIIGkDCCBXigAwIBAgITZwAAABbhjeZLg8Yb8wAAAAAAFjANBgkqhkiG9w0BAQsF

ADBOMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGTAXBgoJkiaJk/IsZAEZFglzaXRz

Z3JvdXAxGjAYBgNVBAMTEVNJVFMgR3JvdXAgU0hBMjU2MB4XDTE3MDcxMzA4NTU1

MloXDTI3MDcxMTA4NTU1MlowgYwxCzAJBgNVBAYTAlVLMRcwFQYDVQQIEw5Ob3J0

aHVtYmVybGFuZDEUMBIGA1UEBxMLQ3JhbWxpbmd0b24xFzAVBgNVBAoTDk5pbWJs

MIIGkDCCBXigAwIBAgITZwAAABbhjeZLg8Yb8wAAAAAAFjANBgkqhkiG9w0BAQsF

ADBOMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGTAXBgoJkiaJk/IsZAEZFglzaXRz

Z3JvdXAxGjAYBgNVBAMTEVNJVFMgR3JvdXAgU0hBMjU2MB4XDTE3MDcxMzA4NTU1

MloXDTI3MDcxMTA4NTU1MlowgYwxCzAJBgNVBAYTAlVLMRcwFQYDVQQIEw5Ob3J0

aHVtYmVybGFuZDEUMBIGA1UEBxMLQ3JhbWxpbmd0b24xFzAVBgNVBAoTDk5pbWJs

yxaXeg0g/bhyhAQX7hg8JFJfXm44/eagspnALzIrSu7axB6EPHGbxiTdNUtAlzYg

cdG1G9G9wjoCg0jTHgEE+K0CAwEAAaOCAyYwggMiMCcGA1UdEQQgMB6CFlNGQTEw

MC5zaXRzZ3JvdXAubG9jYWyHBAoAeKUwHQYDVR0OBBYEFOhSsKWaH/wrbYX9xjOJ

fJcVQb0iMB8GA1UdIwQYMBaAFFLIZuTiYexKLfvOg9D1cyLd5BQfMIIBHAYDVR0f

BIIBEzCCAQ8wggELoIIBB6CCAQOGgcFsZGFwOi8vL0NOPVNJVFMlMjBHcm91cCUy

MFNIQTI1NixDTj1TSVRTQ0EwMixDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2Vy

dmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1zaXRzZ3JvdXAs

REM9bG9jYWw/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENs

cm91cCUyMFNIQTI1NixDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMs

Q049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1zaXRzZ3JvdXAsREM9bG9j

BQUHAQEEggEnMIIBIzCBuAYIKwYBBQUHMAKGgatsZGFwOi8vL0NOPVNJVFMlMjBH

cm91cCUyMFNIQTI1NixDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMs

Q049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1zaXRzZ3JvdXAsREM9bG9j

YWw/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25B

dXRob3JpdHkwZgYIKwYBBQUHMAKGWmh0dHA6Ly9zaXRzY2EwMi5zaXRzZ3JvdXAu

bG9jYWwvQ2VydERhdGFTSVRTQ0EwMi5zaXRzZ3JvdXAubG9jYWxfU0lUUyUyMEdy

b3VwJTIwU0hBMjU2LmNydDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB

hjA9BgkrBgEEAYI3FQcEMDAuBiYrBgEEAYI3FQiEyqt9go/gVcWBPofmriOC09dr

tX2i42scdw/CGRw9fWcAhdsUvf1C3moLo9Ct5GfWe60/FQLZNNH/jVgxDfstfnxg

0m+sep2prQlJ58j5kNHF/6+r36cmFABjOE3enzyOUM5y8AILOkFqydkz9NSMy7Os

zAaRwK+okwSwV6+bjvvAki8+/Bm3dzVRVEKJtcKn7XC2CXW9KMG5hgEJvaHNlUR9

2uD01wjE/9BD1/RA+YPplJKHKa0ZVuDG86X9UnnKxJ6Ce/DkhDc5JtG07EF10vJ0

tX2i42scdw/CGRw9fWcAhdsUvf1C3moLo9Ct5GfWe60/FQLZNNH/jVgxDfstfnxg

0m+sep2prQlJ58j5kNHF/6+r36cmFABjOE3enzyOUM5y8AILOkFqydkz9NSMy7Os

6DjnOw==

-----END CERTIFICATE-----

INFO: custom certificate chain installed for API use

INFO: custom certificate chain installed for HTTPS use

Same as before, hit carriage return after the END CERTIFICATE line followed by an input of CTRL+D to commit the certificate. Note how the custom certificate chain is now in use for AP and HTTPS access. Verify the certificate works by browsing to the array in your favourite web browser.

That’s it!

Ian

Tags: Certificates Nimble Storage SSL

Matt Brown says:

30th January 2018 at 14:56

Thanks. Worth noting that at least in 5.0.2.0, the HTTPS and APIs certs are automatically switched to custom once the final import takes place. I didn’t like that, but maybe some people do.

Otherwise:

cert –use custom –https
cert –use custom –apis

Reply
- Ian says:
  
  30th January 2018 at 14:59
  
  Hi Matt, thanks for the tip. That was not something I was aware of. I am sure other people will find that useful.
  
  Cheers,
  
  Ian
  
  Reply
Brian Reine says:

4th April 2018 at 03:55

How do you add the Intermediate (issuing CA)? I tried both the custom-ca and custom parameters, but it bombs on both.

Reply
- Ian says:
  
  4th April 2018 at 06:14
  
  Hi Brian,
  
  The step where you import custom CA, the root and the intermediate need to be pasted in at the same time. So it would look something like —-begin cert—- THE ROOT CERT —-end cert—-
  —-begin cert—- THE INTERMEDIATE CERT —-end cert—-
  
  If it’s from a Windows CA, you can download the certificate chain, or if they have been distributed round your org, you can export the root and intermediate from a workstation and combine them in a text editor before pasting into the SSH session.
  
  Hope this helps,
  
  Ian
  
  Reply
  - Brian Reine says:
    
    5th April 2018 at 02:27
    
    Brilliant! Thank you so much! I had tried just about every combination but that. It worked, and I’m off and running!
    
    Reply
  - Soteris says:
    
    20th August 2018 at 12:15
    
    I can confirm that as of 20-Aug-2018 and NimbleOS 5.0.4.0-576551, entering the chain certificate from windows CA does not work. If you enter your root certificate along with the intermediary certificate in one file (base64 and copy it in notepad) does work.
    
    Reply
Soteris says:

20th August 2018 at 12:37

I would like to ask, if I want to add multiple subject names how would I do that, if it is supported of cource.

Reply
- Ian says:
  
  21st August 2018 at 12:59
  
  Hi,
  
  Looking at the commands available I would imagine you can use the –dnslist option to specify multiple subject alternate names. So the request would look something like this. “cert –gen custom-csr –subject ‘/C=YourCountryCode/ST=YourState/L=YourLocation/O=Nimble Storage/OU=Engineering/CN=yourarrayname.domainname.local’ –dnslist SAN1.yourdomain.local,SAN2.yourdomain.local”
  
  Admittedly I have not added SANs to a cert used for a Nimble array, but I can not see why it would not work.
  
  Cheers,
  
  Ian
  
  Reply
Koteswara Rao Kelam says:

7th April 2020 at 07:45

Thanks for the post and it is very useful. Are there aby REST APIs corresponding to these commands for creating csr and uploading certificate to Nimble? I want to automate this process using REST APIs.
Regards,
Koteswar

Reply
- Ian says:
  
  22nd April 2020 at 12:49
  
  Hi Koteswar,
  
  Sorry, I am not sure if there are REST APIs associated with this. There may be something in the admin guides on Infosight to help out?
  
  Ian
  
  Reply
LittleJim says:

21st December 2020 at 00:35

You say “The template I have setup for vSphere 6 VCSA has all the options required for this process already configured.”

But you don’t tell us what the required options are?

Reply
- Ian says:
  
  7th January 2021 at 14:16
  
  Details on how to create a VMCA certificate template can be found here https://kb.vmware.com/s/article/2112009#creating_new_template_for_vsphere_6.x_to_use_for_vmca_as_subordinate_ca
  
  Ian
  
  Reply

Enhanced Security & SSL Certificates for HPE Nimble Storage with NimbleOS 5.2 – dyertribe.co.uk

14th October 2020

[…] array – but it was pretty hard to do as it was mostly CLI based only (see blog examples here and here on how it’s […]

How to replace SSL certificates on Nimble Storage array