Configuring a custom server certificate for the Grid Manager and the Tenant Manager

You can replace the default StorageGRID server certificate with a single custom server certificate that allows users to access the Grid Manager and the Tenant Manager without encountering security warnings.

About this task

By default, every Admin Node is issued a certificate signed by the grid CA. These CA-signed certificates can be replaced by a single common custom server certificate and corresponding private key.

Because a single custom server certificate is used for all Admin Nodes, you must specify the certificate as a wildcard or multi-domain certificate if clients need to verify the hostname when connecting to the Grid Manager and Tenant Manager. Define the custom certificate such that it matches all Admin Nodes in the grid.
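The following added example (not part of the StorageGRID documentation or product) checks, before upload, whether a certificate's subject alternative names match every Admin Node address that clients will use. It assumes the SAN text was obtained with `openssl x509 -in server.crt -noout -ext subjectAltName`; the hostnames, IP addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of the text printed by:
#   openssl x509 -in server.crt -noout -ext subjectAltName
SAMPLE_SAN_TEXT = """X509v3 Subject Alternative Name:
    DNS:*.grid.example.com, DNS:gridmgr.example.com, IP Address:192.0.2.10
"""

def parse_san(text):
    """Return (dns_names, ip_addresses) parsed from openssl's SAN text."""
    dns, ips = [], []
    for line in text.splitlines():
        for item in line.split(","):
            kind, _, value = item.strip().partition(":")
            if kind == "DNS":
                dns.append(value.strip().lower().rstrip("."))
            elif kind == "IP Address":
                ips.append(ipaddress.ip_address(value.strip()))
    return dns, ips

def dns_matches(pattern, host):
    """RFC 6125 style match: '*' is the whole leftmost label and covers one label."""
    p = pattern.split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard never spans several labels
    if p[0] == "*":
        # Conservative choice in this example: reject patterns such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def uncovered(san_text, admin_nodes):
    """Return the Admin Node addresses the certificate would not match."""
    dns, ips = parse_san(san_text)
    missing = []
    for node in admin_nodes:
        try:
            ok = ipaddress.ip_address(node) in ips   # IPs need an exact IP SAN
        except ValueError:
            ok = any(dns_matches(p, node) for p in dns)
        if not ok:
            missing.append(node)
    return missing

if __name__ == "__main__":
    nodes = ["admin1.grid.example.com", "admin2.grid.example.com",
             "dc2.admin.grid.example.com", "grid.example.com",
             "192.0.2.10", "192.0.2.11"]             # constructed Admin Node addresses
    print("Not covered:", uncovered(SAMPLE_SAN_TEXT, nodes))
```

Any address the check reports would produce a hostname mismatch warning in the browser, so it needs its own SAN entry in the certificate request.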

You need to complete configuration on the server, and depending on the root Certificate Authority (CA) you are using, users might also need to install the root CA certificate in the web browser they will use to access the Grid Manager and the Tenant Manager.
Note: To ensure that operations are not disrupted by a failed server certificate, the Management Interface Certificate Expiry (MCEP) alarm and the Expiration of server certificate for Management Interface alert are both triggered when this server certificate is about to expire. As required, you can view the number of days until the current service certificate expires by selecting Support > Grid Topology > primary Admin Node > CMN > Resources.

Steps

  1. Select Configuration > Server Certificates.
  2. In the Management Interface Server Certificate section, click Install Custom Certificate.
  3. Upload the required server certificate files:
    • Server Certificate: The custom server certificate file (.crt).
    • Server Certificate Private Key: The custom server certificate private key file (.key).
    • CA Bundle: A single file containing the certificates from each intermediate issuing Certificate Authority (CA). The file should contain each of the PEM-encoded CA certificate files, concatenated in certificate chain order.
  4. Click Save.
    The custom server certificates are used for all subsequent new client connections.
    Note: After uploading a new certificate, allow up to one day for any related certificate expiration alarms (or alerts) to clear.
  5. Refresh the page to ensure the web browser is updated.