Register SSL Certificate

Overview

This function registers the SSL server key and the SSL server certificate that was obtained from the certification authority.

The following two methods are available for obtaining an "SSL server key" and an "SSL server certificate".

  • Using the [Create Key/CSR] function of this storage system

    Create an "SSL server key" and a "Certificate Signing Request (CSR)" using the [Create Key/CSR] function and send them to the certification authority to obtain an "SSL server certificate".

  • Using a tool or website other than this storage system

    Use a publicly available tool or website to obtain an "SSL server key" and an "SSL server certificate" issued by the certification authority.

When registering an SSL server certificate, the following operations and confirmations are required. Follow the procedure to perform the required operations.

  1. Back up the SSL server certificate that is currently registered in the storage system.

  2. Stop access from the SMI-S client and RESTful API client and log out all the Web GUI users (other than yourself) currently logged in to the storage system.

  3. Use this function to create an SSL server key and an SSL server certificate, and then log out from Web GUI.

    After the registration is instructed, HTTP/HTTPS communication is stopped so that the certificate can be applied to the storage system. Access from Web GUI or RESTful API via the HTTP/HTTPS connection is not available until the certificate is applied.

  4. After Step 3 is completed, wait a few minutes and then check the following error log. Refer to "Display/Delete Event Log" for details.

    • When RESTful API is disabled

      Network service startup error. service=GUI <ce#$b cm#$c factor=$d>

    • When RESTful API is enabled

      Network service startup error. service=GUI <ce#$b cm#$c factor=$d>

      and

      Network service startup error. service=Restful API <ce#$b cm#$c factor=$d>

  5. If an error log is output in Step 4, re-execute the procedure from Step 2. If no error logs are output in Step 4, proceed to Step 6.

  6. If RESTful API is enabled, apply the SSL server certificate to the RESTful API client and then restart the HTTPS communication.

Caution
  • The HTTPS connection from Web GUI is disabled in the factory settings.

  • The "SSL server certificate" in the PFX format must be converted to the Privacy Enhanced Mail (PEM) format in advance. This function does not support "SSL server certificates" in the PFX format. Refer to "How to convert and register "SSL server certificates" in the PFX format" for details.

  • Register the SSL server key and the SSL server certificate as a pair in the storage system. If the combination of the SSL server key and the SSL server certificate is incorrect, access from RESTful API and Web GUI via the HTTPS connection is not possible.

  • After the SSL server key and the SSL server certificate are registered, access from RESTful API and Web GUI via the HTTP/HTTPS connection is not available until they are applied to the storage system.

  • When the SSL server key and the SSL server certificate are registered in the storage system, any setting PC that is accessing Web GUI via the HTTPS connection is forcibly disconnected.

  • If this function is executed while the following conditions are all satisfied, a message requesting the reboot of SMI-S appears in the result screen. Refer to the [Setup SMI-S Environment] function for details.
    • "Enable" is selected for "SMI-S"

    • "Web GUI SSL Certificate" is selected for "SSL Certificate"

Note
  • There are two types of SSL certificate: the "SSL server certificate" and the "self-signed SSL certificate". Register either of the certificates in the storage system when using the HTTPS connection. To use the "self-signed SSL certificate", use the [Create Self-signed SSL Certificate] function.

How to convert and register "SSL server certificates" in the PFX format

The storage system supports the registration of certificates in the Privacy Enhanced Mail (PEM) format, but does not support certificates in the PFX format. Use software such as OpenSSL to convert certificates in the PFX format to the PEM format, and then register the "secret key (key file)" and the "SSL server certificate (crt file)" in the storage system.

<Setting Example When OpenSSL Is Used>

customer.pfx: Files in the PFX format before the conversion

customer.key: Files in the PEM format after the conversion (secret keys)

customer.crt: Files in the PEM format after the conversion (SSL server certificates)

  1. Confirm that the PFX formatted "SSL server certificate" includes the secret key and the SSL server certificate.

    openssl pkcs12 -nodes -info -in customer.pfx

  2. Convert the PFX formatted "SSL server certificate" to the PEM formatted "secret key (key file)".

    openssl pkcs12 -in customer.pfx -out customer.key -nodes -nocerts

  3. Convert the PFX formatted "SSL server certificate" to the PEM formatted "SSL server certificate (crt file)".

    openssl pkcs12 -in customer.pfx -out customer.crt -nodes -nokeys

  4. Register the PEM formatted "secret key (key file)" and "SSL server certificate (crt file)" in the storage system by using this function.

Caution
  • Depending on the version of the software that is used for conversions, registration of the converted files may fail. Use the latest version of the software and confirm that the conversion is performed successfully.
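The Cautions above require the key and certificate to be registered as a matching pair and the conversion result to be confirmed. The following pre-registration check is an added example, not part of the vendor procedure: it compares the public key derived from customer.key with the one in customer.crt. The function names and the throwaway self-signed pair generated for the demonstration are assumptions of this example.

```shell
#!/bin/sh
# Added example (not vendor code): check a converted PEM key/certificate pair
# before registering it. File names follow the page's customer.key/customer.crt.

# Public key (SPKI PEM) derived from an unencrypted private key file.
key_pub() {
    openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null
}

# Public key of the FIRST certificate in the file; openssl x509 skips the
# "Bag Attributes" text and any further certificates pkcs12 may emit.
cert_pub() {
    spki=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$spki" | openssl pkey -pubin -pubout 2>/dev/null
}

# True only if the file carries PEM armor of the type given in $2 (a BRE).
has_pem_block() {
    grep -q -- "-----BEGIN $2-----" "$1" 2>/dev/null
}

# 0 = key and certificate belong together, non-zero = do not register.
pair_matches() {
    has_pem_block "$1" "[A-Z ]*PRIVATE KEY" || return 2
    has_pem_block "$2" "CERTIFICATE" || return 2
    k=$(key_pub "$1") || return 2
    c=$(cert_pub "$2") || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed sample input: a throwaway key and self-signed certificate.
demo() {
    umask 077                      # -nodes output is an unencrypted key
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=storage.example.test" \
        -keyout "$tmp/customer.key" -out "$tmp/customer.crt" 2>/dev/null
    if pair_matches "$tmp/customer.key" "$tmp/customer.crt"; then
        echo "pair OK: key matches certificate"; rc=0
    else
        echo "MISMATCH: do not register"; rc=1
    fi
    rm -rf "$tmp"
    return $rc
}
demo
```

If the PFX file holds a certificate chain, adding `-clcerts` to the `openssl pkcs12` command in step 3 limits the output to the server certificate.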

User Privileges

Availability of Executions in the Default Role

Default role Availability of executions
Monitor  
Admin
StorageAdmin  
AccountAdmin  
SecurityAdmin  
Maintainer

Refer to "User Roles and Policies" for details on the policies and roles.

Settings

Register SSL Certificate Setting

SSL Server Key File

  • Description: Click the [Browse...] button to specify the SSL server key file. Click the [Import] button to import the SSL server key file to Web GUI. When importing has been completed, "Imported" is displayed.

  • Setting values: SSL server key file

SSL Server Certificate File

  • Description: Click the [Browse...] button to specify the SSL server certificate file. Click the [Import] button to import the SSL server certificate file to Web GUI. When importing has been completed, "Imported" is displayed.

  • Setting values: SSL server certificate file

Operating Procedures

  1. Click [Register SSL Certificate] in [Action].

    Caution
    • Either of the following items must be obtained in advance:
      • The "SSL server key" downloaded using the [Create Key/CSR] function of the storage system and the "SSL server certificate" obtained from the certification authority

      • An "SSL server certificate" that is created with a tool or website other than the storage system and is obtained from a certification authority

      If the "SSL server certificate" (including the "secret key" and the "SSL server certificate" pair) is in the PFX format, convert it to the PEM format and then register the converted files in the storage system. Refer to "How to convert and register "SSL server certificates" in the PFX format" for details.

  2. Click the [Browse...] button to specify the path to the "SSL Server Key File".

  3. Click the [Import] button.

    → "Imported" is displayed.

  4. Click the [Browse...] button to specify the path to the "SSL Server Certificate File".

  5. Click the [Import] button.

    → "Imported" is displayed.

  6. Confirm that the "SSL Server Key File" and the "SSL Server Certificate File" have been imported, and click the [Register] button.

    → A confirmation screen appears.

    Caution
    • An error screen appears in the following conditions:
      • The imported file was not the "SSL Server Key File"

      • The imported file was not the "SSL Server Certificate File"

      • The imported "SSL Server Certificate File" was not the certificate which corresponds to the SSL server key

  7. Click the [OK] button.

    → The registration of the SSL server key and SSL server certificate starts.

  8. Click the [Done] button to return to the [Network] screen.

    Note
    • Access from RESTful API and Web GUI via the HTTP/HTTPS connection is not available until the certificate is applied to the storage system.

    • If SMI-S is enabled, a message requesting the reboot of SMI-S appears. Refer to the [Setup SMI-S Environment] function for details.