The following procedures are performed on the Web UI. To log in to the Web UI for the first time, you must add a security exception to the browser (refer to DSC System Access or SP2000 System Access).
If your IT department blocks self-signed certificates or you cannot access the Web UI, either place a request to your IT department to allow access or use the CLI procedures (refer to Configuring CA-signed Certificates Using CLI).
If you need to restore your CA-signed certificates, refer to Backing up or Restoring CA-signed Certificates.
To obtain a CA-signed certificate, you must first create a certificate signing request (CSR) to submit to a certificate authority (see To generate a CSR file). You can import the certificates into the Web UI only after you receive the CA-issued certificates (see To import CA-signed certificates).
The DSC - SP2000 Platform software allows the generation of several CSR files.
Once the certificates are imported, it is strongly recommended that you back up the CA-signed configuration; refer to Backing up or Restoring CA-signed Certificates.
Use the backup to restore the configuration at any time. Store the backup file securely, as it contains sensitive information.
Common Name
The Common Name contains the DNS name that resolves to the shared (floating) IP of the management nodes.
Email Address
DNS 1, 2, and 3
Set the alternative Domain Name System (DNS) names DNS 1, DNS 2, and DNS 3 as follows:
If you do not set alternative DNS names that resolve to the shared and management slot IPs in the CSR form, and then import CA-signed certificates based on this CSR, access to one of the management nodes might be disabled.
Click Submit.
The scripts required for generating the CSR file and corresponding keys will take a few seconds to complete.
Once complete, the CSR file is saved to the management node and is available for downloading.
On the Apache Certificate screen, click View CSR to view the CSR file.
If all the information is correct, click the file name under File Name and download the file to the appropriate location on your desktop.
Submit the CSR file to the appropriate certificate authority to obtain the CA-signed certificates.
Do not delete the CSR file submitted to the CA before installing the certificates. Deleting the CSR also removes the corresponding private key and may cause the installation of the CA-signed certificate to fail.
In the unlikely event you need to upgrade your system before installing the CA-signed certificates, you will lose the CSR and corresponding private key. This will cause the installation of the CA-signed certificate to fail. After the upgrade is complete, repeat this procedure to create a new CSR and request new CA-signed certificates.
After you receive the CA-signed certificates, import the certificate into the Web UI (see To import a CA-signed certificate).
You will be issued a certificate bundle that contains a server certificate and an intermediate (or chain) certificate.
Before importing the certificates, verify that the DNS names are properly resolved. If the DNS names are not resolved, contact your IT department.
Select the Server CA-signed certificate file.
Click Import Certificates.
The certificates will install and the Web UI will restart. The reconfiguration takes approximately 10 seconds. This does not affect traffic service.
Once the Web UI reappears, the lock icon on the web browser appears green to indicate that it is now secure.
After a successful import, verify that the management nodes are accessible securely through all three DNS names. From then on, access the Web UI through the DNS name, not the IP.
The import may fail if the imported certificates are not in the correct certificate format (.crt) or do not correspond to any of the private keys found on the server, or there is a mismatch between an intermediate (chain) certificate and a server certificate.
If the import operation fails, the system keeps the current self-signed configuration. To use the CA-signed certificate configuration, either restore the files from backup or repeat the generate CSR file and import CA-certificate procedures.
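The failure causes listed above (certificate not matching the private key, server and intermediate mismatch) and the earlier warning about missing alternative DNS names can be checked on a workstation before importing. The script below is an added example, not part of the product or its documentation; it assumes PEM-encoded files and the openssl command-line tool, and the script name precheck.sh and the function names are hypothetical. Because the private key stays on the management node, it compares the public key in the downloaded CSR with the one in the issued certificate.

```shell
#!/bin/sh
# Added example: pre-import checks for a CA-issued certificate bundle.
# Assumes PEM-encoded files and the openssl CLI on the workstation.

# Succeeds if the certificate carries the same public key as the CSR, i.e. it
# corresponds to the private key that was generated alongside that CSR.
csr_matches_cert() {   # csr_matches_cert <csr> <server-cert>
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$crt_pub" ]
}

# Succeeds if the server certificate was signed by the intermediate.
# -partial_chain lets the intermediate act as the trust anchor for this check.
chain_verifies() {     # chain_verifies <intermediate-cert> <server-cert>
    openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

# Prints every expected DNS name that is absent from the subjectAltName
# extension; succeeds only if none is missing. kind is "req" or "x509".
missing_sans() {       # missing_sans <req|x509> <file> <dns-name>...
    kind=$1; file=$2; shift 2
    sans=$(openssl "$kind" -in "$file" -noout -text 2>/dev/null | tr ', ' '\n\n')
    rc=0
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qxF "DNS:$name" || { echo "$name"; rc=1; }
    done
    return $rc
}

# Usage: sh precheck.sh <csr> <server-cert> <intermediate-cert> <dns-name>...
if [ "$#" -ge 4 ]; then
    csr=$1; crt=$2; chain=$3; shift 3
    csr_matches_cert "$csr" "$crt" || { echo "certificate does not match CSR key"; exit 1; }
    chain_verifies "$chain" "$crt" || { echo "server/intermediate mismatch"; exit 1; }
    missing_sans x509 "$crt" "$@" >/dev/null || { echo "certificate lacks a DNS name"; exit 1; }
    echo "bundle is consistent with the CSR"
fi
```

Running missing_sans with kind req against the CSR before submitting it to the certificate authority catches a missing alternative DNS name while it can still be corrected by generating a new CSR.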
If you are unable to access the Web UI after importing the CA-certificate, use the CLI procedures to revert back to self-signed certificates and then recreate the CA-certificate (refer to Configuring CA-signed Certificates Using CLI).
The revert operation wipes out the CA-signed configuration.
If you revert back to self-signed certificates, you will be required to add a security exception to the browser (refer to DSC System Access or SP2000 System Access) before you can log in to the Web UI.
Use the following procedures to view the CSR or certificate information.
Any user may view the installed certificate information.
The details include the certificate authority used to sign the certificate and expiration date of the certificate.
Do not delete a CSR before importing the CA-signed certificates corresponding to this CSR, as this may cause the import operation to fail.
It is strongly recommended that you do not delete a CSR corresponding to imported CA-signed certificates, even after the certificates have been imported.