
Before you Begin

The following procedures are performed on the Web UI. To log in to the Web UI for the first time, you must add a security exception to the browser (refer to DSC System Access or SP2000 System Access).

Note

If your IT department blocks self-signed certificates or you cannot access the Web UI, either place a request to your IT department to allow access or use the CLI procedures (refer to Configuring CA-signed Certificates Using CLI).

If you need to restore your CA-signed certificates, refer to Backing up or Restoring CA-signed Certificates.

Generating a CSR file and Installing CA-signed certificates

To obtain a CA-signed certificate, you must first create a certificate signing request (CSR) to submit to a certificate authority (see To generate a CSR file). You can import the certificates into the Web UI only after you receive the CA-issued certificates (see To import CA-signed certificates).

Note

The DSC - SP2000 Platform software allows the generation of several CSR files.

Note

Once the certificates are imported, it is strongly recommended that you back up the CA-signed configuration; refer to Backing up or Restoring CA-signed Certificates.

Use the backup to restore the configuration at any time. Store the backup file in a secured manner as it contains sensitive information.


To generate a CSR file

  1. Log in to Web UI as a root user.
  2. Click IP Networking.
  3. Click IP Security.
  4. Click Apache Certificate.

          
  5. Click Create CSR Request.
  6. Enter the appropriate information into the fields for the CSR.
    The following fields are mandatory:
    1. Country Name
    2. State or Province Name
    3. Locality Name
    4. Organization Name
    5. Organizational Unit Name
    6. Common Name

      Tip

      The Common Name contains the DNS name that resolves to the shared (floating) IP of the management nodes.

    7. Email Address

    8. DNS 1, 2, and 3 

      Tip

      Set the alternative Domain Name System (DNS) names DNS 1, DNS 2, and DNS 3 as follows:

      • DNS 1: set to the DNS name that resolves to the shared IP
      • DNS 2: set to the DNS name that resolves to a management IP
      • DNS 3: set to the DNS name that resolves to the other management IP

      Caution

      If the CSR form does not set alternative DNS names that resolve to the shared and management slot IPs, importing CA-signed certificates based on this CSR might disable access to one of the management nodes.

  7. Click Submit.

    Tip

    The scripts required for generating the CSR file and corresponding keys will take a few seconds to complete.

    Once complete, the CSR file is saved to the management node and is available for downloading.

  8. On the Apache Certificate screen, click View CSR to view the CSR file.        

  9. Perform one of the following actions:
    1. If any information needs to be corrected, delete the CSR file and re-create the file.
    2. If all the information is correct, click the file name under File Name and download the file to the appropriate location on your desktop.

  10. Submit the CSR file to the appropriate certificate authority to obtain the CA-signed certificates.

    Caution

    Do not delete the CSR file being submitted to the CA before installing the certificates. Deleting the CSR also removes the corresponding private key and may cause the installation of the CA-signed certificate to fail.

    Caution

    In the unlikely event you need to upgrade your system before installing the CA-signed certificates, you will lose the CSR and corresponding private key. This will cause the installation of the CA-signed certificate to fail. After the upgrade is complete, repeat this procedure to create a new CSR and request new CA-signed certificates.

  11. After you receive the CA-signed certificates, import the certificates into the Web UI (see To import CA-signed certificates).

    Tip

    You will be issued a certificate bundle that contains a server certificate and an intermediate (or chain) certificate.

    Before importing the certificates, verify that the DNS names are properly resolved. If the DNS names are not resolved, contact your IT department.

To import CA-signed certificates

  1. Log in to Web UI as a root user.
  2. Click IP Networking.  
  3. Click IP Security.
  4. Click Apache Certificate. 
  5. In the row for Server CA-signed Certificate, click Choose File.
  6. Select the Server CA-signed certificate file.

  7. Click Open.
  8. In the row for Chain Certificate, click Choose File.
  9. Select the Chain certificate file.
  10. Click Open.
  11. Click Import Certificates.

    Tip

    The certificates will install and the Web UI will restart. The reconfiguration takes approximately 10 seconds. This does not affect traffic service.

    Once the Web UI reappears, the lock icon on the web browser appears green to indicate that it is now secure. 

After a successful import, verify that the management nodes are accessible on all three DNS names and in a secure fashion. Henceforth, access the Web UI through the DNS name, not the IP.

The import may fail if the imported certificates are not in the correct certificate format (.crt), if they do not correspond to any of the private keys found on the server, or if there is a mismatch between an intermediate (chain) certificate and a server certificate.
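
The checks below cover the two failure modes this page describes: a CSR that lacks the alternative DNS names, and an import rejected because the server certificate does not match the CSR's key or the chain certificate. This is an added example, not vendor tooling; it assumes OpenSSL on the workstation, and all file names and `*.example.test` host names are constructed placeholders.

```shell
# Added example: checks to run on the workstation before importing.
csr_has_san() {    # true if the CSR's subjectAltName lists DNS name $2
    openssl req -in "$1" -noout -text 2>/dev/null | tr ',' '\n' |
        sed 's/^ *//' | grep -qxF "DNS:$2"
}
cert_matches_csr() {    # true if cert $1 carries the same public key as CSR $2
    cert_key=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    csr_key=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$cert_key" ] && [ "$cert_key" = "$csr_key" ]
}
chain_signs_cert() {    # true if chain cert $1 issued server cert $2
    openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}
preimport_check() {    # $1=CSR $2=server cert $3=chain cert, rest=DNS names
    csr=$1 crt=$2 chain=$3; shift 3
    for n in "$@"; do
        csr_has_san "$csr" "$n" || { echo "CSR lacks SAN $n"; return 1; }
    done
    cert_matches_csr "$crt" "$csr" && chain_signs_cert "$chain" "$crt"
}
# Constructed sample files in directory $1 (throwaway CA as the chain cert).
make_sample() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
req_extensions = san
[dn]
C = US
ST = Example State
L = Example City
O = Example Org
OU = Operations
CN = mgmt.example.test
emailAddress = admin@example.test
[san]
subjectAltName = DNS:mgmt.example.test,DNS:mgmt-a.example.test,DNS:mgmt-b.example.test
[ca]
basicConstraints = critical,CA:TRUE
EOF
    new="openssl req -newkey rsa:2048 -nodes -config $1/req.cnf"
    $new -new -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    $new -x509 -days 1 -extensions ca -subj "/CN=Constructed CA" \
        -keyout "$1/ca.key" -out "$1/chain.crt" 2>/dev/null
    $new -x509 -days 1 -keyout "$1/other.key" -out "$1/other.crt" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/chain.crt" -CAkey "$1/ca.key" -days 1 \
        -CAcreateserial -extfile "$1/req.cnf" -extensions san -out "$1/server.crt" 2>/dev/null
}
```

Run `preimport_check` with the CSR downloaded from the Apache Certificate screen, the two files returned by the CA, and the three DNS names; `make_sample` only builds throwaway files for trying the checks.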

If the import operation fails, the system keeps the current self-signed configuration. To use the CA-signed certificate configuration, either restore the files from backup or repeat the procedures to generate a CSR file and import the CA-signed certificates.

If you are unable to access the Web UI after importing the CA-certificate, use the CLI procedures to revert back to self-signed certificates and then recreate the CA-certificate (refer to Configuring CA-signed Certificates Using CLI).

Note

The revert operation wipes out the CA-signed configuration.


Reverting back to Self-signed certificates

If you revert back to self-signed certificates, you will be required to add a security exception to the browser (refer to DSC System Access or SP2000 System Access) before you can login to the Web UI. 

To revert back to self-signed certificates

  1. Log in to Web UI as a root user.
  2. Click IP Networking.
  3. Click IP Security.
  4. Click Apache Certificate.    
  5. Click Revert to Self-Signed Certificate.

Viewing the CSR and Certificate Information

Use the following procedures to view the CSR or certificate information.

Note

Any user may view the installed certificate information.

To view CSR file on system

  1. Log in to Web UI as a root user.
  2. Click IP Networking.
  3. Click IP Security.
  4. Click Apache Certificate.      
  5. In the row for the selected file, click View CSR.

To view the CA certificate details

  1. Log in to Web UI.
  2. Click IP Networking.
  3. Click IP Security.    
  4. Click Apache Certificate.    
  5. Click View Certificate Details.


Tip

The details include the certificate authority used to sign the certificate and expiration date of the certificate. 

Deleting the CSR file from the system

Caution

Do not delete a CSR request before importing the CA-signed certificates corresponding to this CSR as this may cause the import operation to fail.

Note

It is strongly recommended that you do not delete a CSR corresponding to imported CA-signed certificates, even after the certificates have been imported.

To delete CSR file on system

  1. Log in to Web UI as a root user.
  2. Click IP Networking.
  3. Click IP Security.
  4. Click Apache Certificate.    
  5. In the row for the selected file, click X.