SSL: Install a Signed SSL Certificate

IN THIS ARTICLE

This article outlines how to install a valid, signed SSL certificate issued by your Certificate Authority (CA) on your Qumulo cluster.

  • Install the signed SSL Certificate to the cluster
  • Mac OS X Client Example

REQUIREMENTS

  • Admin privileges to your Qumulo cluster
  • SSL Certificate based on your CSR file has been generated by your CA
  • CA-bundle PEM chain which must be ordered in the following format:
$ cat certbundle.pem

-----BEGIN CERTIFICATE-----
YOUR CERT HERE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE CA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOT CA
-----END CERTIFICATE-----

NOTE: In the examples below, sli-q2 is the name of the cluster.

PROCESS

Install the signed SSL Certificate

  • Verify that the certificate bundle and the private key are in PEM format:
$ file *
certbundle.pem: PEM certificate
private.key: PEM RSA private key
  • If your key is not reported as a PEM RSA private key, you can convert it with the following command:
$ file original.key
original.key: ASCII text

$ openssl rsa -in original.key -out private.key
writing RSA key

$ file private.key
private.key: PEM RSA private key
  • Logged in as admin, install the certificate using the following qq command:
qq ssl_modify_certificate
  • See example below:
[~/qumulo_api]$ ./qq --host sli-q2 login -u admin
Password:

[~/qumulo_api]$ ./qq --host sli-q2 ssl_modify_certificate -c certbundle.pem -k private.key.insecure

null

Mac OS Client Example of Importing a CA Cert

  • Open Keychain Access
  • Select Login and click Certificates
  • Drag and drop the CA Cert into the list

  • Get Info on the Certificate to access settings by clicking the "i" button
  • Choose Always trust in the dropdown for "When using this certificate"

  • Check the security in your browser to verify installation

NOTE: Restart your browser to ensure the changes take effect.

[Screenshots: browser security indicator in the Insecure state and in the Secure state]

IMPORTANT! A NET::ERR_CERT_COMMON_NAME_INVALID error stating that the connection isn't private may occur if the certificate doesn't have a subjectAlternativeName extension (not commonName) containing a domain name or IP address that matches the domain name of the site. Additionally, the Security panel in Chrome DevTools may display a Subject Alternative Name Missing warning if the certificate is missing the subjectAlternativeName extension. To resolve this Chrome Enterprise known issue in Google Chrome versions 58 through 65, set the EnableCommonNameFallbackForLocalAnchors policy so that Chrome uses the commonName of a certificate to match a hostname if the certificate is missing the subjectAlternativeName extension.
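
A pre-flight check for the bundle order and key listed under REQUIREMENTS and for the subjectAlternativeName condition above, as an added example that is not part of the original article or of the qq tooling. The function names are hypothetical, make_demo_chain builds a constructed test chain for the host sli-q2, and the order check compares issuer and subject names only (it does not verify signatures).

```bash
# Added example: pre-flight checks for certbundle.pem and private.key.
# Helper names are illustrative; none of them are part of the qq CLI.
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }

split_bundle() {  # write each certificate of bundle $1 to $2/cert-N.pem, print the count
  awk -v dir="$2" '/^-----BEGIN CERTIFICATE-----/ { n++ }
                   n { print > (dir "/cert-" n ".pem") }
                   END { print n + 0 }' "$1"
}

check_bundle() (  # check_bundle <bundle.pem> <private.key>; status 0 only if all checks pass
  rc=0; tmp=$(mktemp -d) || exit 2
  count=$(split_bundle "$1" "$tmp")
  if [ "$count" -lt 1 ]; then echo "FAIL: no certificates found"; rm -rf "$tmp"; exit 1; fi
  i=1  # order: each certificate must be issued by the one that follows it
  while [ "$i" -lt "$count" ]; do
    [ "$(issuer_of "$tmp/cert-$i.pem")" = "$(subject_of "$tmp/cert-$((i + 1)).pem")" ] ||
      { echo "FAIL: certificate $i is not issued by certificate $((i + 1))"; rc=1; }
    i=$((i + 1))
  done
  last="$tmp/cert-$count.pem"  # the bundle must end with the self-issued root CA
  [ "$(issuer_of "$last")" = "$(subject_of "$last")" ] ||
    { echo "FAIL: last certificate is not a self-issued root CA"; rc=1; }
  # the private key must belong to the first (leaf) certificate
  [ "$(openssl x509 -in "$tmp/cert-1.pem" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ] ||
    { echo "FAIL: private key does not match the first certificate"; rc=1; }
  # browsers match the hostname against subjectAlternativeName, not commonName
  openssl x509 -in "$tmp/cert-1.pem" -noout -text | grep -q 'Subject Alternative Name' ||
    { echo "FAIL: first certificate has no subjectAlternativeName"; rc=1; }
  rm -rf "$tmp"; exit "$rc"
)

make_demo_chain() (  # constructed sample input in dir $1: root -> intermediate -> leaf
  d=$1; new='-newkey rsa:2048 -nodes'
  printf '[ca]\nbasicConstraints=CA:TRUE\n[leaf]\nsubjectAltName=DNS:sli-q2\n' > "$d/ext.cnf"
  {
    openssl req -x509 $new -days 1 -subj '/CN=Demo Root CA' -keyout "$d/root.key" -out "$d/root.pem"
    openssl req $new -subj '/CN=Demo Intermediate CA' -keyout "$d/int.key" -out "$d/int.csr"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
      -days 1 -extfile "$d/ext.cnf" -extensions ca -out "$d/int.pem"
    openssl req $new -subj '/CN=sli-q2' -keyout "$d/private.key" -out "$d/leaf.csr"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
      -days 1 -extfile "$d/ext.cnf" -extensions leaf -out "$d/leaf.pem"
  } >/dev/null 2>&1
  cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/certbundle.pem"
)

if [ "$#" -eq 2 ]; then check_bundle "$1" "$2"; fi
```

Saved as a script (the name check_bundle.sh is an assumption) and run as bash check_bundle.sh certbundle.pem private.key before qq ssl_modify_certificate, it prints one FAIL line per failed check and exits non-zero if any check fails.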

RESOLUTION

You should now be able to successfully install a signed SSL Certificate issued by your CA to your Qumulo cluster.

ADDITIONAL RESOURCES

SSL: Generate a Certificate Signing Request (CSR)

QQ CLI: LDAP and Certificates

 
