Configuring a custom server certificate for connections to the Storage Node or the CLB service

You can replace the server certificate that is used for S3 or Swift client connections to the Storage Node or to the legacy CLB service on Gateway Node. The replacement custom server certificate is specific to your organization.

About this task

By default, every Storage Node is issued a X.509 server certificate signed by the grid CA. These CA signed certificates can be replaced by a single common custom server certificate and corresponding private key.

A single custom server certificate is used for all Storage Nodes, so you must specify the certificate as a wildcard or multi-domain certificate if clients need to verify the hostname when connecting to the storage endpoint. Define the custom certificate such that it matches all Storage Nodes in the grid.

After completing configuration on the server, users might also need to install the root CA certificate in the S3 or Swift API client they will use to access the system, depending on the root Certificate Authority (CA) you are using.

Note: To ensure that operations are not disrupted by a failed server certificate, the Storage API Service Endpoints Certificate Expiry (SCEP) alarm and the Expiration of server certificate for Storage API Endpoints alert are both triggered when this server certificate is about to expire. As required, you can view the number of days until the current service certificate expires by selecting Support > Grid Topology > primary Admin Node > CMN > Resources.

Note that these custom certificates are only used if clients connect to StorageGRID using the legacy CLB service on Gateway Nodes, or connect directly to Storage Nodes. S3 or Swift clients that connect to StorageGRID using the Load Balancer service on Admin Nodes or Gateway Nodes use the certificate configured for the load balancer endpoint.

Steps

  1. Select Configuration > Server Certificates.
  2. In the Object Storage API Service Endpoints Server Certificate section, click Install Custom Certificate.
  3. Upload the required server certificate files:
    • Server Certificate: The custom server certificate file (.crt).
    • Server Certificate Private Key: The custom server certificate private key file (.key).
    • CA Bundle: A single file containing the certificates from each intermediate issuing Certificate Authority (CA). The file should contain each of the PEM-encoded CA certificate files, concatenated in certificate chain order.
  4. Click Save.
    The custom server certificate is used for all subsequent new API client connections.
    Note: After uploading a new certificate, allow up to one day for any related certificate expiration alarms (or alerts) to clear.
  5. Refresh the page to ensure the web browser is updated.