SSL: Generate a Certificate Signing Request (CSR)

REQUIREMENTS

Admin privileges to your Qumulo cluster
A computer with SSH installed
A computer with SCP installed

PROCESS

Qumulo clusters come with a self-signed SSL Certificate installed that will enable traffic to be encrypted for your browser sessions but will trigger an untrusted or self-signed certificate error in a modern web browser. To avoid this error, you can generate a CSR file to submit to your Certificate Authority to get a valid SSL Certificate for your cluster.

SSH to the first node in your Qumulo cluster as the Qumulo Admin account using your clusters fully qualified domain name or IP address

ssh admin@Cluster-1.AcmeRockets.org

Enter your admin password for the cluster when prompted
Run the below OpenSSL command to generate the private key. The name of the Qumulo Cluster (Cluster-Name) is used to ensure the .key and .csr files are named uniquely.

openssl genrsa -des3 -out Cluster-Name.key 2048

In the above example, the name of the Qumulo Cluster (Cluster-Name) is used to ensure the .key and .csr files are named uniquely.

When the above command is run successfully, you will be prompted to enter a Passphrase. Use a complex passphrase of at least 13 characters to meet or exceed security best practices.

Generating RSA private key, 2048 bit long modulus
..........................++++++
.......++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: ImportantPassPhrase

IMPORTANT: Do not lose the passphrase!

When prompted, re-enter the passphrase to verify
Use the command below to create the insecure key using your cluster's name as outlined

openssl rsa -in Cluster-Name.key -out Cluster-Name.key.insecure

Run the following command to generate the CSR file from the Cluster-Name.key file and enter your passphrase when prompted

openssl req -new -key Cluster-Name.key -out Cluster-Name.csr

Copy the CSR file off the node to your local desktop by running the command below using the correct variables for your cluster and computer

my_laptop.local $> scp admin@Cluster-1.AcmeRockets.org:~/Cluster-Name.csr ~/Desktop/

Enter your Qumulo admin password when prompted to successfully copy the certificate

RESOLUTION

You should now be able to successfully submit the created CSR file to your company Certificate Authority to get a valid SSL Certificate to install on your Qumulo cluster

ADDITIONAL RESOURCES

SSL: Complete a new certificate request using a Qumulo-generated CSR

SSL: Install a signed certificate

QQ CLI: LDAP and Certificates

Like what you see? Share this article with your network!

Was this article helpful?

0 out of 1 found this helpful

Comments

2 comments

Gerard Weatherby
June 27, 2018 17:40

It's unclear what to use for "cluster name."? If our cluster name is "filesystem" and our local domain is "example.org", is the cluster name here "filesystem", or "filesystem.example.org"?

1
Dave
June 29, 2018 17:51

Hello Gerard,

Great question and my apologies for the delayed response. The cluster-name name in the example commands is just for naming the KEY and CSR files. The examples used are to help customers that may have one more Qumulo clusters, and by using the cluster name you ensure that the CSR and KEY files will have unique names.

You Could use the FQDN if you would like or if you have two Qumulo Clusters that have the same name but different FQDNs. For example, if you have QC40.NYC.ACME-Rockets.com & QC40.LA.ACME-Rockets.com, you may want to use the FQDN to ensure you use the correct CSR and Key for each cluster when generating your certificate from your Certificate Authority server or service.

1

Please sign in to leave a comment.