Configuring a custom server certificate for the Grid Manager and the Tenant Manager

You can replace the default StorageGRID server certificate with a single custom server certificate that allows users to access the Grid Manager and the Tenant Manager without encountering security warnings.

About this task

By default, every Admin Node is issued a certificate signed by the grid CA. These CA signed certificates can be replaced by a single common custom server certificate and corresponding private key.

Because a single custom server certificate is used for all Admin Nodes, you must specify the certificate as a wildcard or multi-domain certificate if clients need to verify the hostname when connecting to the Grid Manager and Tenant Manager. Define the custom certificate such that it matches all Admin Nodes in the grid.

You need to complete configuration on the server, and depending on the root Certificate Authority (CA) you are using, users might also need to install the root CA certificate in the web browser they will use to access the Grid Manager and the Tenant Manager.
Note: To ensure that operations are not disrupted by a failed server certificate, the Expiration of server certificate for Management Interface alert and the legacy Management Interface Certificate Expiry (MCEP) alarm are both triggered when this server certificate is about to expire. As required, you can view the number of days until the current service certificate expires by selecting Support > Grid Topology > primary Admin Node > CMN > Resources.
Note:
If you are accessing the Grid Manager or Tenant Manager using a domain name instead of an IP address, the browser shows a certificate error without an option to bypass if either of the following occurs:
  • Your custom management interface server certificate expires.
  • You revert from a custom management interface server certificate to the default server certificate.

Procedure

  1. Select Configuration > Server Certificates.
  2. In the Management Interface Server Certificate section, click Install Custom Certificate.
  3. Upload the required server certificate files:
    • Server Certificate: The custom server certificate file (.crt).
    • Server Certificate Private Key: The custom server certificate private key file (.key).
      Note: EC private keys must be 224 bits or larger. RSA private keys must be 2048 bits or larger.
    • CA Bundle: A single file containing the certificates from each intermediate issuing Certificate Authority (CA). The file should contain each of the PEM-encoded CA certificate files, concatenated in certificate chain order.
  4. Click Save.
    The custom server certificates are used for all subsequent new client connections.
    Note: After uploading a new certificate, allow up to one day for any related certificate expiration alerts (or legacy alarms) to clear.
  5. Refresh the page to ensure the web browser is updated.