ViPR 2.2 - Update EMC ViPR Keystore
Any change to these properties causes ViPR to reboot.
Generate self-signed certificate
Check this option to instruct ViPR to generate a new self-signed certificate.
Private key and Certificate chain
If you have a certificate authority (CA)-signed certificate to upload, or you generated a self-signed certificate externally, upload the private key and certificate chain here. Both uploads are required.
Note that when obtaining a CA-signed certificate, you must provide all IP addresses and FQDNs of the ViPR nodes, and of the VIP, for the ViPR Controller instance.
Note the following requirements for the private key:
- Must be an RSA Private Key.
- The key length must be at least 2048 bits.
Before you begin
- A certificate should not have a password. Remove any password if necessary. The example procedure below includes a step to remove a password from a certificate.
The examples in this procedure use Windows IIS 7 as the CSR generator.
- Generate a CSR using Windows IIS 7 or another CSR application. The CSR should be associated with and created using the FQDN of the ViPR virtual IP address (also known as the VIP or the public virtual IP address). The CSR is a text file that begins with -----BEGIN CERTIFICATE REQUEST----- and ends with -----END CERTIFICATE REQUEST-----.
- Send the CSR generated by step 1 to a certificate authority (CA) such as RSA, VeriSign, etc.
Follow the CA's directions for completing the certificate request. The CA will send back a group of CA-signed crt files.
- Complete the certificate signing request, using the CSR application that you used in step 1.
You may need to complete this step on the host where the CSR originated.
- Once complete, export the private key from the CSR-generating tool. A password may be required; if so, it will be removed in a subsequent step.
If generated by IIS 7, the private key will be a pfx file in PKCS #12 format. Check the format if you are using a different CSR generator.
- Convert the private key to PEM format without certs:
openssl pkcs12 -in iis_pfx_pkey -nocerts -nodes -out new_pem_format_pkey_nocerts
- Check the new pkey file:
openssl rsa -in new_pem_format_pkey_nocerts -check
Output from the above command should begin with one of the following: BEGIN RSA PRIVATE KEY or BEGIN PRIVATE KEY.
- Remove the password from the PEM-formatted private key file created above:
openssl rsa -in pem_format_pkey_file -out new_pem_without_pw_pkey
- Check the new pkey file:
openssl rsa -in new_pem_without_pw_pkey -check
- Use the ViPR UI to upload the converted private key and hostname crt file to the ViPR keystore at
This step requires the Security Administrator role in ViPR. ViPR nodes will execute a rolling reboot after this step. At the next ViPR UI login, the web browser will show the trusted certificate lock icon. If not, clear the browser cache, then close the browser and launch a new browser session.
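A pre-upload check for the converted key, added here as an example and not part of the EMC documentation: the shell function below applies the private key requirements listed above (RSA, at least 2048 bits, no password) and, when a certificate file is also given, confirms that the certificate was issued for that key. The function name check_vipr_key and its messages are assumptions made for this example.

```shell
#!/bin/sh
# Added example: checks a PEM private key against the requirements on this
# page before it is uploaded. check_vipr_key is a hypothetical helper name.
# Usage: check_vipr_key KEY.pem [CERT.pem]   (returns 0 only if all checks pass)
check_vipr_key() {
    key=$1
    cert=${2:-}

    # 1. No password: both encrypted PEM forms ("Proc-Type: 4,ENCRYPTED" and
    #    "BEGIN ENCRYPTED PRIVATE KEY") contain the word ENCRYPTED.
    if grep -q 'ENCRYPTED' "$key"; then
        echo "FAIL: private key is password-protected"; return 1
    fi
    # 2. Expected PEM header (an EC or DSA key fails here).
    if ! grep -Eq -- '-----BEGIN (RSA )?PRIVATE KEY-----' "$key"; then
        echo "FAIL: no RSA/PKCS #8 private key header found"; return 1
    fi
    # 3. Must load as RSA and pass OpenSSL's consistency check. The exit
    #    status is not reliable for this, so look for the success message.
    if ! openssl rsa -in "$key" -check -noout 2>/dev/null | grep -q 'RSA key ok'; then
        echo "FAIL: not a consistent RSA private key"; return 1
    fi
    # 4. Key length, read from the first line of the -text dump.
    bits=$(openssl rsa -in "$key" -noout -text 2>/dev/null |
           sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "FAIL: key length is ${bits:-unknown} bits, need at least 2048"; return 1
    fi
    # 5. Optional: the certificate must carry the same RSA modulus as the key.
    if [ -n "$cert" ]; then
        kmod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
        cmod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null)
        if [ -z "$cmod" ] || [ "$kmod" != "$cmod" ]; then
            echo "FAIL: certificate does not match the private key"; return 1
        fi
    fi
    echo "OK: unencrypted RSA key, ${bits} bits"
}
```

Run it against the final key file and the hostname crt file before uploading, for example `check_vipr_key new_pem_without_pw_pkey hostname.crt`, where hostname.crt stands for the certificate returned by the CA.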