SSL: Complete a new certificate request using a Qumulo-generated CSR

IN THIS ARTICLE 

Outlines how to complete a self-signed certificate request using a Qumulo-generated CSR on a Windows Certificate Authority

REQUIREMENTS

• Admin privileges for your Qumulo cluster
• A computer with SSH and SCP clients installed
• An existing CSR generated by Qumulo (see SSL: Generate a Certificate Signing Request for details)
• A Windows CA

DETAILS

While Qumulo clusters come with a self-signed SSL certificate installed that will enable traffic to be encrypted for your browser sessions, the certificate will still trigger an untrusted or self-signed certificate error in a modern web browser until it has been validated by a Certificate Authority (CA). To avoid this error, you must first generate a Certificate Signing Request (CSR); see SSL: Generate a Certificate Signing Request for instructions to do so.

Once you’ve generated your CSR, you must submit the generated certificate to your CA following the steps detailed in this article. Note that these steps must be executed while logged in as a system administrator.

1. Open the Start menu and type cmd to open a command prompt on your Windows CA.
   
   
   
   
2. Use the following code to append a certificate template to your CSR with the certreq.exe tool.
   NOTE: This is necessary because the Windows Certificate Authority requires the certificate to serve a purpose or else the signing request will be unsuccessful.

   C:\>Certreq.exe -attrib "CertificateTemplate:WebServer" -submit Cluster-name.csr

3. Save the CSR back to its original location with the same name.
4. Reopen the Start menu and type iis to access the Internet Information Services (IIS) Manager.
   
   
   
   
5. Double-click the Server Certificates link in the IIS section.
   
   
   
   
6. Click Complete Certificate Request in the Actions pane.
   
   

   

7. When are you are redirected to the File Explorer (as seen below), change the drop-down to expose all file types (*.*).
   
   
   
   
8. Select the saved CSR from Step 3.
9. Open the Start menu and type mmc to access the Microsoft Management Console (MMC).
10. Click File > Add/Remove Snap-in... to open the Certificates MMC snap-in.
    
    
    
    
11. Select Local Computer and navigate to Personal Certificates.
12. Browse to your new certificate and right-click it.
13. Select Export... under All Tasks.
    
    
    
    
14. Make selections in the Certificate Export Wizard as shown in the image below:
    
    
    
    
15. Copy the .p7b cert bundle created by the export process to a local Qumulo directory using WinSCP.
16. SSH into the Qumulo node and convert the .p7b cert bundle to .pem format using the following command:
    

    root@qumulo-1:~# openssl pkcs7 -in mybundle.p7b -inform DER -print_certs -out cert.pem

17. Finally, load the certificate using the qq CLI with the following command:
    

    root@qumulo-1:~# qq ssl_modify_certificate -c cert.pem -k my.key.insecure

RESOLUTION

You should now successfully be able to complete a self-signed certificate request using a Qumulo-generated CSR on a Windows Certificate Authority

ADDITIONAL RESOURCES  

SSL: Generate a Certificate Signing Request

SSL: Install a signed certificate

QQ CLI: LDAP and Certificates

Like what you see? Share this article with your network!