An alternative to using a CA to sign a CSR is to use OpenSSL to sign the certificate request.
Creating the Signed Certificate
Note:
The OpenSSL creation steps should never be performed on a FlashArray and should only be taken on an OpenSSL deployment in your environment.
Here are the steps for creating a signed certificate with OpenSSL.
- It is a good idea to first create a directory for the certificates. For example:
## Create a Directory for the Certificates ## mkdir ~/VASA-Certs ## Create a directory for each FlashArray controller ## mkdir ~/VASA-Certs/sn1-405-c12-21-ct0 mkdir ~/VASA-Certs/sn1-405-c12-21-ct1 - Next, create a v3.ext file for vasa-ct0 and vasa-ct1. The important part here is to make sure the correct Subject Alternate Name (SAN) in the v3.ext file.
## Using vim (or any text editor) create a v3.ext file with the following ## [req] default_bits = 2048 prompt = no default_md = sha256 [v3_ca] subjectAltName = IP:<IP address of controller> ## So for example ## vim ~/VASA-Certs/sn1-405-c12-21-ct0/v3.ext [req] default_bits = 2048 prompt = no default_md = sha256 [v3_ca] subjectAltName = IP:10.21.88.117 vim ~/VASA-Certs/sn1-405-c12-21-ct1/v3.ext [req] default_bits = 2048 prompt = no default_md = sha256 [v3_ca] subjectAltName = IP:10.21.88.118 - A root certificate will need to be created with OpenSSL.
openssl genrsa -passout pass:test -des3 -out rootCA.key 4096 openssl req -x509 -new -passin pass:test -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt -subj "/C=US/O=Pure Storage/OU=Solutions Engineering/CN=Pure Storage" - After the Root Cert is created, generate a private key and generate the CSR for VASA-CT0 and VASA-CT1. Make sure that the Common Name of the CSR matches the IP address from the subject alternate name.
Make sure that the O and OU for the CSR is not Everpure for both entries. The email address and password can both be skipped as well by pressing enter.
##Creating Private Keys## openssl genrsa -out ~/VASA-Certs/sn1-405-c12-21-ct0/server.key 2048 openssl genrsa -out ~/VASA-Certs/sn1-405-c12-21-ct1/server.key 2048 ##Creating CSRs## openssl req -new -key ~/VASA-Certs/sn1-405-c12-21-ct0/server.key -out ~/VASA-Certs/sn1-405-c12-21-ct0/server.csr openssl req -new -key ~/VASA-Certs/sn1-405-c12-21-ct1/server.key -out ~/VASA-Certs/sn1-405-c12-21-ct1/server.csr - Create the signed certificates by signing the CSR with the Root Cert that was created.
cd ~/VASA-Certs/sn1-405-c12-21-ct0/ openssl x509 -req -passin pass:test -in server.csr -CA ../rootCA.crt -CAkey ../rootCA.key -CAcreateserial -out server.crt -extfile v3.ext -extensions v3_ca -days 729 cd ~/VASA-Certs/sn1-405-c12-21-ct1/ openssl x509 -req -passin pass:test -in server.csr -CA ../rootCA.crt -CAkey ../rootCA.key -CAcreateserial -out server.crt -extfile v3.ext -extensions v3_ca -days 729 - Either copy the RootCA that was created to vCenter (with scp, etc) or create a .pem file the cert. This will be needed to make sure that the trusted root cert is in vCenter in the following step.
Importing the OpenSSL signed Certificate on the FlashArray