IN THIS ARTICLE
Outlines how to generate a Certificate Signing Request (CSR) to submit to your Certificate Authority (CA) to apply an SSL Certificate to your Qumulo cluster
- Create a private and public encryption key pair
- Create a CSR file based on the new insecure key
- Copy the CSR file off the cluster to submit to your CA
NOTES: Submitting the CSR file to your CA is not covered in this article. All example commands are for Linux or OS X.
REQUIREMENTS
- Admin privileges to your Qumulo cluster
- A computer with SSH installed
- A computer with SCP installed
PROCESS
Qumulo clusters come with a self-signed SSL Certificate installed that will enable traffic to be encrypted for your browser sessions but will trigger an untrusted or self-signed certificate error in a modern web browser. To avoid this error, you can generate a CSR file to submit to your Certificate Authority to get a valid SSL Certificate for your cluster.
- SSH to the first node in your Qumulo cluster as the Qumulo Admin account using your cluster's fully qualified domain name or IP address
ssh admin@Cluster-1.AcmeRockets.org
- Enter your admin password for the cluster when prompted
- Run the below OpenSSL command to generate the private key. The name of the Qumulo Cluster (Cluster-Name) is used to ensure the .key and .csr files are named uniquely.
openssl genrsa -des3 -out Cluster-Name.key 2048
- When the above command is run successfully, you will be prompted to enter a Passphrase. Use a complex passphrase of at least 13 characters to meet or exceed security best practices.
Generating RSA private key, 2048 bit long modulus
..........................++++++
.......++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: ImportantPassPhrase
IMPORTANT: Do not lose the passphrase!
- When prompted, re-enter the passphrase to verify
- Use the command below to create the insecure key (a copy of the private key with the passphrase removed) using your cluster's name as outlined
openssl rsa -in Cluster-Name.key -out Cluster-Name.key.insecure
- Run the following command to generate the CSR file from the Cluster-Name.key file and enter your passphrase when prompted
openssl req -new -key Cluster-Name.key -out Cluster-Name.csr
- Copy the CSR file off the node to your local desktop by running the command below using the correct variables for your cluster and computer
my_laptop.local $> scp admin@Cluster-1.AcmeRockets.org:~/Cluster-Name.csr ~/Desktop/
- Enter your Qumulo admin password when prompted to copy the CSR file
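The script below is an added example, not part of the original article or any Qumulo tooling. It checks the files produced by the steps above before the CSR is submitted: that the CSR carries the public key of the generated private key, what key size it records, and that the passphrase-free key is not readable by group or other. The function names, the KEYPASS variable and the demo passphrase are assumptions for illustration.

```shell
#!/bin/sh
# Added example: checks on the files from the steps above before sending the CSR.
# Function names, KEYPASS and the demo passphrase are assumptions for illustration.

# True when the CSR carries the public half of the private key in $2.
# $3 is an optional openssl pass-phrase source such as env:KEYPASS.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl rsa -in "$2" ${3:+-passin "$3"} -pubout 2>/dev/null) || return 2
    [ "$csr_pub" = "$key_pub" ]
}

# Prints the public key size recorded in the CSR, e.g. 2048.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# True when the file grants no permissions to group or other (e.g. mode 600).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Builds throwaway files in directory $1 with the article's commands,
# made non-interactive with -passout/-passin/-subj (constructed demo input).
make_demo_files() {
    KEYPASS='constructed-demo-passphrase'; export KEYPASS
    openssl genrsa -des3 -passout env:KEYPASS -out "$1/Cluster-Name.key" 2048 2>/dev/null &&
    openssl rsa -in "$1/Cluster-Name.key" -passin env:KEYPASS \
        -out "$1/Cluster-Name.key.insecure" 2>/dev/null &&
    chmod 600 "$1/Cluster-Name.key.insecure" &&
    openssl req -new -key "$1/Cluster-Name.key" -passin env:KEYPASS \
        -subj '/CN=Cluster-1.AcmeRockets.org' -out "$1/Cluster-Name.csr"
}

demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
if csr_matches_key "$demo_dir/Cluster-Name.csr" "$demo_dir/Cluster-Name.key.insecure"; then
    echo "CSR matches key, $(csr_key_bits "$demo_dir/Cluster-Name.csr") bit"
fi
key_is_private "$demo_dir/Cluster-Name.key.insecure" || echo "key readable by others"
rm -rf "$demo_dir"
```

Only the .csr file needs to leave the cluster; the .key and .key.insecure files stay where they were generated.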
RESOLUTION
You should now be able to submit the created CSR file to your company Certificate Authority to get a valid SSL Certificate to install on your Qumulo cluster.
ADDITIONAL RESOURCES
SSL: Complete a new certificate request using a Qumulo-generated CSR
SSL: Install a signed certificate