ViPR 2.2 - Update EMC ViPR Keystore

Update EMC ViPR Keystore

EMC ViPR generates a self-signed certificate on startup, but you can generate a new self-signed certificate at Security > Keystore. If you want ViPR to use a CA-signed certificate, you can upload it here.

Any change to these properties causes ViPR to reboot.

Generate self-signed certificate

Check this option to instruct ViPR to generate a new self-signed certificate.

Private key and Certificate chain

If you have a certificate signed by a certificate authority (CA) to upload, or you generated a self-signed certificate externally, upload the private key and certificate chain here. Both uploads are required.

Note that when obtaining a CA-signed certificate, you must provide all IP addresses and FQDNs of the ViPR nodes, and of the VIP for the ViPR Controller instance.

Note the following requirements for the private key:

Create and import a CA-signed certificate into ViPR

You can create a certificate signed by a certificate authority (CA) and import it into ViPR. The following procedure covers the steps from generating the Certificate Signing Request (CSR) to importing the final private key and CA-signed certificate (.crt) into ViPR.

Before you begin

Procedure

  1. Generate a CSR using Windows IIS 7 or another CSR application. The CSR should be associated with and created using the FQDN of the ViPR virtual IP address (also known as the VIP or the public virtual IP address). The CSR is a text file that begins with -----BEGIN CERTIFICATE REQUEST----- and ends with -----END CERTIFICATE REQUEST-----.
  2. Send the CSR generated by step 1 to a certificate authority (CA) such as RSA, VeriSign, etc.
    Follow the CA's directions for completing the certificate request. The CA will send back a group of CA-signed crt files.
  3. Complete the certificate signing request, using the CSR application that you used in step 1.
    You may need to complete this step on the host where the CSR originated.
  4. Once complete, export the private key from the CSR-generating tool. A password may be required; if so, it will be removed in a subsequent step.
    If generated by IIS 7, the private key will be a pfx file in PKCS #12 format. Check the format if you are using a different CSR generator.
  5. Convert the private key to PEM format without certs:
    openssl pkcs12 -in iis_pfx_pkey -nocerts -nodes -out new_pem_format_pkey_nocerts
  6. Check the new pkey file:
    openssl rsa -in new_pem_format_pkey_nocerts -check
    Output from the above command should begin with one of the following: BEGIN RSA PRIVATE KEY or BEGIN PRIVATE KEY.
  7. Remove the password from the PEM-formatted private key file created above:
    openssl rsa -in new_pem_format_pkey_nocerts -out new_pem_without_pw_pkey
  8. Check the new pkey file:
    openssl rsa -in new_pem_without_pw_pkey -check
  9. Use the ViPR UI to upload the converted private key and hostname crt file to the ViPR keystore at Security > Keystore.
    This step requires the Security Administrator role in ViPR.
    ViPR nodes will execute a rolling reboot after this step.
    At the next ViPR UI login, the web browser will show the trusted certificate lock icon. If not, clear the browser cache, then close the browser and launch a new browser session.
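
A pre-upload check for step 9, added here as an example and not part of the ViPR documentation or product: it confirms that the key is unencrypted PEM with no certificates, that it matches the certificate, and that the certificate's subjectAltName covers the VIP and node names. The function names and the host names in the usage comment are assumptions, and the leaf certificate is assumed to come first in the crt file.

```shell
#!/bin/sh
# Added example (not ViPR code): pre-upload checks for the files from steps 5-8.

# key_is_plain_pem KEY
# Succeeds if KEY holds an unencrypted PEM private key and no certificates.
key_is_plain_pem() {
    grep -Eq -e '-----BEGIN (RSA )?PRIVATE KEY-----' "$1" || return 1
    # Traditional and PKCS#8 markers of a key that is still password-protected.
    if grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; then return 1; fi
    # Step 5 uses -nocerts, so a certificate in the key file means a wrong export.
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then return 1; fi
    return 0
}

# key_matches_cert KEY CERT
# Succeeds if the key and the certificate carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_covers CERT NAME
# Succeeds if NAME (an FQDN or IP address) is in the certificate's subjectAltName.
cert_covers() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' |
        grep -Fxq -e "DNS:$2" -e "IP Address:$2"
}

# preflight KEY CERT NAME...
# Runs every check, prints one line per failure, returns non-zero if any failed.
preflight() {
    key=$1; cert=$2; shift 2; rc=0
    key_is_plain_pem "$key" || { echo "key is not an unencrypted, cert-free PEM key"; rc=1; }
    key_matches_cert "$key" "$cert" || { echo "key does not match certificate"; rc=1; }
    for name in "$@"; do
        cert_covers "$cert" "$name" || { echo "certificate SAN lacks $name"; rc=1; }
    done
    return $rc
}

# Usage (file and host names are placeholders):
#   preflight new_pem_without_pw_pkey hostname.crt vipr-vip.example.test 192.0.2.10
```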