SnapCenter Software 5.0

Configure root or intermediate certificates to SPL trust-store

Contributors netapp-nsriram

You should add the root or intermediate certificates to the SPL trust-store. Add the root CA certificate first, and then the intermediate CA certificates.

Steps

  1. Navigate to the folder containing the SPL keystore: /var/opt/snapcenter/spl/etc.

  2. Locate the file keystore.jks.

  3. List the added certificates in the keystore:

    $ keytool -list -v -keystore keystore.jks

  4. Add a root or intermediate certificate:

    $ keytool -import -trustcacerts -alias <AliasNameForCertificateToBeImported> -file /<CertificatePath> -keystore keystore.jks

  5. Restart the service after adding the root or intermediate certificates to the SPL trust-store.

Configure CA signed key pair to SPL trust-store

You should add the CA signed key pair to the SPL trust-store.

Steps

  1. Navigate to the folder containing the SPL keystore: /var/opt/snapcenter/spl/etc.

  2. Locate the file keystore.jks.

  3. List the added certificates in the keystore:

    $ keytool -list -v -keystore keystore.jks

  4. Add the CA certificate that has both the private and public key:

    $ keytool -importkeystore -srckeystore <CertificatePathToImport> -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS

  5. List the added certificates in the keystore:

    $ keytool -list -v -keystore keystore.jks

  6. Verify that the keystore contains the alias corresponding to the new CA certificate, which was added to the keystore.

  7. Change the added private key password for CA certificate to the keystore password.

    The default SPL keystore password is the value of the key SPL_KEYSTORE_PASS in the spl.properties file.

    $ keytool -keypasswd -alias "<aliasNameOfAddedCertInKeystore>" -keystore keystore.jks

  8. If the alias name in the CA certificate is long and contains spaces or special characters ("*",","), change the alias name to a simple name:

    $ keytool -changealias -alias "<OriginalAliasName>" -destalias "<NewAliasName>" -keystore keystore.jks

  9. Configure the alias name from the keystore in the spl.properties file. Update this value against the key SPL_CERTIFICATE_ALIAS.

  10. Restart the service after adding the CA signed key pair to the SPL trust-store.
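
A check to run before the restart, covering steps 6, 8 and 9 above. This is an added example, not NetApp code: it reads a saved keytool listing and spl.properties and confirms that SPL_CERTIFICATE_ALIAS names a key-pair entry with a simple alias. The function names, the KEY=VALUE layout of spl.properties and the definition of a "simple" alias are assumptions.

```bash
# Added example, not NetApp code. Sample data is constructed.
# Save the listing first: keytool -list -v -keystore keystore.jks > listing.txt

# Reduce `keytool -list -v` output on stdin to "alias<TAB>entry type" lines.
list_entries() {
  awk '/^Alias name: / { alias = substr($0, 13) }
       /^Entry type: / { printf "%s\t%s\n", alias, substr($0, 13) }'
}

# Print the SPL_CERTIFICATE_ALIAS value (assumes KEY=VALUE lines).
configured_alias() {
  sed -n 's/^[[:space:]]*SPL_CERTIFICATE_ALIAS[[:space:]]*=[[:space:]]*//p' "$1" |
    sed 's/[[:space:]]*$//' | tail -n 1
}

# check_spl_alias <spl.properties> <saved listing>
# Returns 0 only if the alias is simple and names a PrivateKeyEntry.
check_spl_alias() {
  local want type
  want=$(configured_alias "$1")
  [ -n "$want" ] || { echo "SPL_CERTIFICATE_ALIAS is not set"; return 2; }
  case "$want" in  # "simple" = letters, digits, . _ - (assumption)
    *[!A-Za-z0-9._-]*) echo "rename alias '$want' first (step 8)"; return 3 ;;
  esac
  # JKS aliases are case-insensitive, so compare in lower case.
  type=$(list_entries < "$2" |
    awk -F'\t' -v a="$want" 'tolower($1) == tolower(a) { print $2; exit }')
  case "$type" in
    PrivateKeyEntry) echo "ok: '$want' is a PrivateKeyEntry"; return 0 ;;
    "") echo "alias '$want' is not in the keystore"; return 4 ;;
    *)  echo "alias '$want' is a $type, not a key pair"; return 5 ;;
  esac
}

# Constructed sample inputs so the example runs without a keystore.
SAMPLE_LISTING='Alias name: rootca
Entry type: trustedCertEntry

Alias name: splcert
Entry type: PrivateKeyEntry
Certificate chain length: 3'

demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_LISTING" > "$demo_dir/listing.txt"
printf 'SPL_CERTIFICATE_ALIAS=splcert\n' > "$demo_dir/spl.properties"
check_spl_alias "$demo_dir/spl.properties" "$demo_dir/listing.txt"
rm -rf "$demo_dir"
```

A non-zero return distinguishes the failure: 2 for a missing key, 3 for an alias that still needs step 8, 4 for an alias absent from the keystore, and 5 for an alias that points at a trusted certificate rather than the imported key pair.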