IN THIS ARTICLE
This article outlines how to install a valid, signed SSL certificate issued by your Certificate Authority (CA) on your Qumulo cluster.
- Install the signed SSL Certificate to the cluster
- Mac OS X Client Example
REQUIREMENTS
- Admin privileges to your Qumulo cluster
- An SSL certificate, based on your CSR file, that has been generated by your CA
- See the article SSL: Generate a Certificate Signing Request for additional details
- A CA-bundle PEM chain, which must be ordered in the following format:
$ cat certbundle.pem
-----BEGIN CERTIFICATE-----
YOUR CERT HERE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE CA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOT CA
-----END CERTIFICATE-----
NOTE: In the examples below, sli-q2 is the name of the cluster.
PROCESS
Install the signed SSL Certificate
- Verify that the certificate and CA bundle are in PEM format:
$ file *
certbundle.pem: PEM certificate
private.key: PEM RSA private key
- If your key is not reported as a PEM RSA private key, you can convert it with the following command:
$ file original.key
original.key: ASCII text
$ openssl rsa -in original.key -out private.key
writing RSA key
$ file private.key
private.key: PEM RSA private key
- Logged in as admin, install the certificate using the following qq command:
qq ssl_modify_certificate
- See example below:
[~/qumulo_api]$ ./qq --host sli-q2 login -u admin
Password:
[~/qumulo_api]$ ./qq --host sli-q2 ssl_modify_certificate -c certbundle.pem -k private.key.insecure
null
Mac OS Client Example of Importing a CA Cert
- Open Keychain Access
- Select Login and click Certificates
- Drag and drop the CA Cert into the list
- Get Info on the Certificate to access settings by clicking the "i" button
- Choose Always trust in the dropdown for "When using this certificate"
- Check the security in your browser to verify installation
NOTE: Restart your browser to ensure the changes take effect.
(Screenshots: browser security indicator showing Insecure, then Secure)
IMPORTANT! A NET::ERR_CERT_COMMON_NAME_INVALID error, stating that the connection isn't private, may occur if the certificate doesn't have the correct subjectAlternativeName extension (not commonName) in the form of a domain name or IP address that matches the site's domain name. Additionally, the Security panel in Chrome DevTools may display a Subject Alternative Name Missing warning if the certificate is missing the subjectAlternativeName extension. To resolve this known Chrome Enterprise issue in Google Chrome versions 58 through 65, set the EnableCommonNameFallbackForLocalAnchors policy so that Chrome uses the commonName of a certificate to match a hostname if the certificate is missing a subjectAlternativeName extension.
RESOLUTION
You should now be able to successfully install a signed SSL certificate issued by your CA on your Qumulo cluster.
ADDITIONAL RESOURCES
SSL: Generate a Certificate Signing Request (CSR)
SSL: Complete a new certificate request using a Qumulo-generated CSR