Page 1 of 1

Certificate Management (3.3.1 MU5) and your OWN CA

Posted: Thu May 06, 2021 2:13 am
by adamdb
Hi all,

was picking up an issue with a customer 3PAR which began generating alarms with regard to expired certificates. On inspection it appears that at some point the customer has created their own signed certs for specfiic services (wsapi/cim/cli) but have left the old unified-server entry as self signed. Also I don't believe any cleanup was done during the cert replacement process for wsapi, cli and cim which has resulted in these expired certs being left behind.

edited example below. It seems some signed certs were installed for CIM, CLI and WSAPI but not for unified-server. Also no cleanup was done of the old self signed (MY3PAR.domain.com) certs which are now alarming due to expiry

Service Commonname Type Enddate Fingerprint
cim* MY3PAR.domain.com intca Jul 14 15:23:26 2019 GMT xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
cim* domain-issuing-ca-01 intca Jun 20 07:54:11 2022 GMT xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
cim* domain-RCA-01 rootca Jun 20 07:50:07 2027 GMT xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
cli* MY3PAR.domain.com intca Jul 14 15:23:26 2019 GMT xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
cli* domain-issuing-ca-01 intca Jun 20 07:54:11 2022 GMT xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
cli* domain-RCA-01 rootca Jun 20 07:50:07 2027 GMT xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
wsapi* MY3PAR.domain.com intca Jul 14 15:23:26 2019 GMT xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
wsapi* domain-issuing-ca-01 intca Jun 20 07:54:11 2022 GMT xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
wsapi* domain-RCA-01 rootca Jun 20 07:50:07 2027 GMT xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
unified-server* MY3PAR.domain.com cert Nov 26 08:54:06 2022 GMT xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The oddest thing of all is that from what i can tell wsapi (which i can test by connecting the URL) is still using the self signed 'unified-server' cert.

So my question is really the following..

I believe the correct approach would to remove everything in the first instance.

so would issue

removecert

removecert unified-server

once this has been done the next steps would be install new certs. This is where i require clarification. If the customer wishes to use their own certificate chain do i just need to create a signing request for 'unified-server' as it appears this is what gets served up anyway? Or do I need to create signing requests for each service INCLUDING unified-server.

My gut feeling is all that is needed is the following.

If just following the self-signed route then all i need is

createcert unified-server -selfsigned -CN "<CERT CN>"

However if going down my own CA route then I would need to get a CSR for unified-server created and signed.

createcert unified-server -csr -keysize 2048 -C Country -ST Country -L City -O "MyOrg" -OU "MyOU" -CN MY3PAR.Name -SAN DNS:DNSNAME,IP:xxx.xxx.xxx.xxx myCERT.txt
Once I had this MyCert.txt I'd get that signed by my cert authority.

Once done I need to import everything back in

Import root CA

importcert unified-server -ca RootCA_B64.pem

Import Intermediate CA if needed

importcert unified-server -ca IssuingCA.pem

Finally import the array cert

importcert unified-server MY3PAR.name.pem


Oh and I guess you'd need to stop wsapi and start it again before and after these steps to ensure it gets the new cert.

I believe that's all that's needed and you don't need to go down the route of creating signed certs of wsapi, cli and cim individually.

I did reach out to support to confirm the steps but its been some time and we're not getting anything useful so i thought I'd try here.

It is slightly confusing as the 3PAR manual says "The unified-server establishes a common certificate among CIM, CLI, and WSAPI." however it then shows examples of importing certificates for individual services

"cli% importcert cli cli-service.pem ca.pem"

for example. A bit confusing...

Hopefully someone will confirm these steps are broadly correct and only the signed unified-server cert is needed along with any root and issuing CA for the company.

(this was posted on HPE forums but go zero replies so I'm hoping someone on here can confirm if this is the correct approach)

thanks in advance.


< UPDATE>

Typical! I post on here and 10 minutes later someone finally replies elsewhere. So it would appear only UNIFIED-SERVER CERT is needed for everything so will get a CSR generated for that and I should be golden.