
SSL: Generate a Certificate Signing Request (CSR)

IN THIS ARTICLE 

Outlines how to generate a Certificate Signing Request (CSR) to submit to your Certificate Authority (CA) in order to apply an SSL Certificate to your Qumulo cluster:

  • Create a private and public encryption key pair
  • Create a CSR file based on the new insecure key
  • Copy the CSR file off the cluster to submit to your CA

NOTES: Submitting the CSR file to your CA is not covered in this article, and all example commands included are for Linux or OS X.

REQUIREMENTS

  • Admin privileges to your Qumulo cluster
  • A computer with SSH installed
  • A computer with SCP installed 

PROCESS

Qumulo clusters come with a self-signed SSL Certificate installed that will enable traffic to be encrypted for your browser sessions but will trigger an untrusted or self-signed certificate error in a modern web browser. To avoid this error, you can generate a CSR file to submit to your Certificate Authority to get a valid SSL Certificate for your cluster.

  • SSH to the first node in your Qumulo cluster as the Qumulo Admin account using your cluster's fully qualified domain name or IP address
ssh admin@Cluster-1.AcmeRockets.org
  • Enter your admin password for the cluster when prompted
  • Run the OpenSSL command below to generate the private key. The name of the Qumulo Cluster (Cluster-Name) is used to ensure the .key and .csr files are named uniquely.
openssl genrsa -des3 -out Cluster-Name.key 2048

  • When the above command runs successfully, you will be prompted to enter a passphrase. Use a complex passphrase of at least 13 characters to meet or exceed security best practices.
Generating RSA private key, 2048 bit long modulus
..........................++++++
.......++++++
e is 65537 (0x10001)

Enter pass phrase for server.key: ImportantPassPhrase

IMPORTANT: Do not lose the passphrase!

  • When prompted, re-enter the passphrase to verify
  • Use the command below to create the insecure key, an unencrypted copy of the private key with the passphrase removed, using your cluster's name as outlined
openssl rsa -in Cluster-Name.key -out Cluster-Name.key.insecure
  • Run the following command to generate the CSR file from the Cluster-Name.key file and enter your passphrase when prompted
openssl req -new -key Cluster-Name.key -out Cluster-Name.csr
  • Copy the CSR file off the node to your local desktop by running the command below using the correct variables for your cluster and computer
my_laptop.local $> scp admin@Cluster-1.AcmeRockets.org:~/Cluster-Name.csr ~/Desktop/
  • Enter your Qumulo admin password when prompted to successfully copy the CSR file
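
A pre-submission check for the files produced by the steps above, as an added example that is not part of the original article or Qumulo's tooling: it confirms that the CSR is intact, that it was generated from Cluster-Name.key, and that the passphrase-less .key.insecure copy is recognised as unencrypted. The function names and the env:KEYPASS passphrase source are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Qumulo's code. File names follow the article's
# Cluster-Name convention; the function names are hypothetical.

# True if the CSR's self-signature verifies (file is intact and well-formed).
# Matches on the message text rather than relying on the exit status.
csr_signature_ok() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# True if the CSR ($1) carries the public half of the private key ($2).
# $3 is an optional OpenSSL pass-phrase source, e.g. env:KEYPASS.
csr_matches_key() {
  _csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
  _key_pub=$(openssl pkey -in "$2" ${3:+-passin "$3"} -pubout 2>/dev/null) || return 1
  [ -n "$_csr_pub" ] && [ "$_csr_pub" = "$_key_pub" ]
}

# True if the PEM private key file is passphrase-protected
# (traditional "Proc-Type" header or PKCS#8 "ENCRYPTED PRIVATE KEY").
key_is_encrypted() {
  grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Subject exactly as the CA will read it from the CSR.
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# Run every check for one base name, e.g.:
#   KEYPASS='...' check_csr_files Cluster-Name env:KEYPASS
check_csr_files() {
  csr_signature_ok "$1.csr" ||
    { echo "FAIL: $1.csr self-signature does not verify" >&2; return 1; }
  csr_matches_key "$1.csr" "$1.key" "$2" ||
    { echo "FAIL: $1.csr was not generated from $1.key" >&2; return 1; }
  key_is_encrypted "$1.key" ||
    echo "WARN: $1.key is not passphrase-protected" >&2
  if [ -f "$1.key.insecure" ] && ! key_is_encrypted "$1.key.insecure"; then
    echo "NOTE: $1.key.insecure is unencrypted; restrict access to it." >&2
    echo "      Only $1.csr is sent to the CA." >&2
  fi
  csr_subject "$1.csr"
}
```

Supplying the passphrase through an environment variable or file source keeps it out of the process list, unlike a pass: argument.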

RESOLUTION

You should now be able to successfully submit the created CSR file to your company Certificate Authority to get a valid SSL Certificate to install on your Qumulo cluster.

ADDITIONAL RESOURCES

SSL: Complete a new certificate request using a Qumulo-generated CSR

SSL: Install a signed certificate

QQ CLI: LDAP and Certificates

Comments

2 comments

  • It's unclear what to use for "cluster name." If our cluster name is "filesystem" and our local domain is "example.org", is the cluster name here "filesystem", or "filesystem.example.org"?

  • Hello Gerard,

    Great question and my apologies for the delayed response. The cluster-name in the example commands is just for naming the KEY and CSR files. The examples used are to help customers that may have one or more Qumulo clusters, and by using the cluster name you ensure that the CSR and KEY files will have unique names.

    You could use the FQDN if you would like or if you have two Qumulo Clusters that have the same name but different FQDNs. For example, if you have QC40.NYC.ACME-Rockets.com & QC40.LA.ACME-Rockets.com, you may want to use the FQDN to ensure you use the correct CSR and Key for each cluster when generating your certificate from your Certificate Authority server or service.
