
SSL: Generate a Certificate Signing Request (CSR)


This article outlines how to generate a Certificate Signing Request (CSR) to submit to your Certificate Authority (CA) in order to apply an SSL Certificate to your Qumulo cluster.

  • Create a private and public encryption key pair
  • Create a CSR file based on the new insecure key
  • Copy the CSR file off the cluster to submit to your CA

Note: Submitting the CSR file to your CA is not covered in this article, and all example commands included are for Linux or OS X.


  • Admin privileges to your Qumulo cluster
  • A computer with SSH installed
  • A computer with SCP installed 


Qumulo clusters come with a self-signed SSL Certificate installed that will enable traffic to be encrypted for your browser sessions but will trigger an untrusted or self-signed certificate error in a modern web browser. To avoid this error, you can generate a CSR file to submit to your Certificate Authority to get a valid SSL Certificate for your cluster.

SSH to the first node in your Qumulo cluster as the Qumulo Admin account by using your cluster's fully qualified domain name or IP address.


Enter your admin password for the cluster when prompted.

Run the OpenSSL command below to generate the private key.

openssl genrsa -des3 -out Cluster-Name.key 2048

In the above example, the name of the Qumulo Cluster is used to ensure the .key and .csr files are named uniquely. 

When the above command runs successfully, you will be prompted to enter a Passphrase. Use a complex passphrase of at least 13 characters to meet or exceed security best practices.

Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
Enter pass phrase for server.key: ImportantPassPhrase

Important: Don't lose the passphrase.

When prompted, re-enter the passphrase to verify.

Use the command below to create the insecure key, using your cluster's name as outlined.

openssl rsa -in Cluster-Name.key -out Cluster-Name.key.insecure

Run the following command to generate the CSR file from the .key file, and enter your passphrase when prompted.

openssl req -new -key Cluster-Name.key -out Cluster-Name.csr

Copy the CSR file off the node to your local desktop by running the command below, using the correct variables for your cluster and computer.

my_laptop.local $> scp \

Enter your Qumulo admin password when prompted to successfully copy the certificate.
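
Before the CSR is submitted, it is worth confirming that it was built from the key you intend to keep and that the passphrase-free .key.insecure copy is not readable by other accounts. The script below is an added example, not part of the original article; the function names, the script name and the KEY_PASS variable are assumptions introduced here.

```shell
#!/bin/sh
# Added example, not from the original article: checks on the files produced
# above before the CSR goes to the CA. Function names and KEY_PASS are assumptions.
# Usage: sh check_csr.sh Cluster-Name.csr Cluster-Name.key.insecure

# Print the PEM public key of a private key file. For a passphrase-protected
# key, export KEY_PASS first (read from the environment, not the command line).
key_pubkey() {
    if [ -n "${KEY_PASS:-}" ]; then
        openssl rsa -in "$1" -pubout -passin env:KEY_PASS 2>/dev/null
    else
        # Empty passphrase: an encrypted key fails here instead of prompting.
        openssl rsa -in "$1" -pubout -passin pass: 2>/dev/null
    fi
}

# Succeed only if the CSR's self-signature verifies and the CSR carries the
# public key that belongs to the given private key.
csr_matches_key() {
    # Match on the message text; the exit status on a failed verify differs
    # between OpenSSL versions.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(key_pubkey "$2") || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Succeed only if the key file grants no permissions to group or other.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

if [ $# -eq 2 ]; then
    if csr_matches_key "$1" "$2"; then
        echo "CSR matches key"
    else
        echo "CSR/key MISMATCH"
    fi
    key_is_private "$2" || echo "WARNING: $2 is readable by group or other (chmod 600)"
    # Show the subject the CA will see so it can be reviewed before submission.
    openssl req -in "$1" -noout -subject
fi
```
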


SSL: Install a signed certificate

QQ CLI: LDAP and Certificates





  • It's unclear what to use for "cluster name." If our cluster name is "filesystem" and our local domain is "", is the cluster name here "filesystem", or ""?

  • Hello Gerard,

    Great question, and my apologies for the delayed response. The cluster-name name in the example commands is just for naming the KEY and CSR files. The examples used are to help customers that may have one or more Qumulo clusters, and by using the cluster name you ensure that the CSR and KEY files will have unique names.

    You could use the FQDN if you would like, or if you have two Qumulo clusters that have the same name but different FQDNs. For example, if you have &, you may want to use the FQDN to ensure you use the correct CSR and Key for each cluster when generating your certificate from your Certificate Authority server or service.

