When a storage system communicates with an external device, you are advised to use certificate verification mode to improve service security. Replace the default security certificate with a certificate issued by an official certificate authority (CA), and replace any certificate that has expired or is about to expire in a timely manner. This operation imports and activates a certificate.
Context
- Only super administrators and security administrators can import and activate certificates.
- In the multi-cluster scenario, when importing security certificates of the same type to different clusters, ensure that the certificate file, CA certificate file, and private key file imported to each cluster are the same.
- When updating the security certificate of an internal service, wait until the certificate update is complete (that is, until the system records a log indicating that the certificate update is successful or failed) before updating certificates in other scenarios.
- During certificate update, you must not scale in or out a cluster, replace components, or power on or off a cluster.
Prerequisites
- You have obtained the request file. For details, see Exporting a Certificate Request File.
- After exporting the request file, you have had the CA issue a certificate from it and have obtained both the issued digital certificate and the CA's own certificate.
Procedure
- Choose Settings > Certificate > Certificate Management.
- Select a desired certificate and click Import and Activate.
- The prompt messages for importing and activating certificates vary in different scenarios. This online help uses importing and activating HyperMetro arbitration certificates as an example.
- When you update the DeviceManager and DswareTool certificates, and a third-party NMS that connects to the storage system through the RESTful interface needs the complete certificate chain during link negotiation, the imported certificate file must contain the complete certificate chain. To build the complete certificate chain file, perform the following steps:
- Use Notepad to open the server certificate, intermediate CA certificate, and root CA certificate.
- Append the intermediate CA certificate and the root CA certificate to the server certificate file in the SSL certificate chain format. The issuing organization generally describes the complete chain format when it issues a certificate; for details, see its rules. The common format is as follows (there is no blank line between certificates):
-----BEGIN CERTIFICATE-----
Server certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate CA certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root CA certificate
-----END CERTIFICATE-----
- Save the server certificate file. It now contains the complete certificate chain.
- Set Certificate File, CA Certificate File, and Private Key File as required.
Only plaintext (unencrypted) private keys are supported.
- Click OK.
- After you import and activate a certificate in one scenario, choose Monitor > Alarms and Events > Events and wait until the certificate import success, certificate activation success, and certificate update success events are displayed in sequence before you import and activate the certificate in the next scenario. Until the certificate update completes, related service operations may fail; retry them after the update.
- HA-related alarms may be generated while the internal system service security certificate is being updated. They are cleared automatically after the update completes.
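A pre-flight check for the chain file and private key described above, as an added example that is not part of the product documentation or of DeviceManager itself (Python, standard library only): it assembles the server, intermediate and root certificates in that order with no blank line between them, confirms each file holds a single DER-encoded CERTIFICATE block, and rejects password-protected private keys, which the import does not accept. It does not verify that each certificate's issuer matches the next certificate's subject; that needs an X.509 library. All file names and sample PEM bodies below are constructed placeholders.

```python
import base64
import re

# One PEM block: label, then base64 body (possibly with legacy headers).
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)
PLAINTEXT_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def pem_blocks(text):
    """Return [(label, body)] for every PEM block; tolerates Notepad CRLF."""
    return [(m.group(1), m.group(2)) for m in PEM_RE.finditer(text.replace("\r\n", "\n"))]

def single_certificate(text, name):
    """Require exactly one CERTIFICATE block whose body decodes to DER."""
    blocks = pem_blocks(text)
    if len(blocks) != 1 or blocks[0][0] != "CERTIFICATE":
        raise ValueError(f"{name}: expected exactly one CERTIFICATE block")
    der = base64.b64decode(blocks[0][1].replace("\n", ""), validate=True)
    if not der or der[0] != 0x30:          # an X.509 certificate is a DER SEQUENCE
        raise ValueError(f"{name}: body is not DER")
    return f"-----BEGIN CERTIFICATE-----\n{blocks[0][1]}\n-----END CERTIFICATE-----\n"

def build_chain(server_pem, intermediate_pem, root_pem):
    """Server, then intermediate, then root, with no blank line between them."""
    return "".join([single_certificate(server_pem, "server"),
                    single_certificate(intermediate_pem, "intermediate"),
                    single_certificate(root_pem, "root")])

def is_plaintext_private_key(key_pem):
    """True only for an unencrypted key: rejects PKCS#8 ENCRYPTED PRIVATE KEY
    and legacy PEM keys that carry a 'Proc-Type: 4,ENCRYPTED' header."""
    if "Proc-Type: 4,ENCRYPTED" in key_pem:
        return False
    labels = [label for label, _ in pem_blocks(key_pem)]
    return len(labels) == 1 and labels[0] in PLAINTEXT_KEY_LABELS

def _fake_pem(label, tag):
    # Constructed placeholder: a tiny DER SEQUENCE, not a real certificate or key.
    body = base64.b64encode(b"\x30\x05\x0c\x03" + tag.encode()).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample inputs standing in for the files obtained from the CA.
SAMPLE_SERVER = _fake_pem("CERTIFICATE", "srv")
SAMPLE_INTERMEDIATE = _fake_pem("CERTIFICATE", "ica")
SAMPLE_ROOT = _fake_pem("CERTIFICATE", "rca")
SAMPLE_KEY = _fake_pem("PRIVATE KEY", "key")

if __name__ == "__main__":
    print(build_chain(SAMPLE_SERVER, SAMPLE_INTERMEDIATE, SAMPLE_ROOT))
    print("plaintext key:", is_plaintext_private_key(SAMPLE_KEY))
```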