Generating a self-signed server certificate for the management interface

You can use a script to generate a self-signed server certificate for management API clients that require strict hostname validation.

Before you begin

About this task

In production environments, you should use a certificate that is signed by a known Certificate Authority (CA). Certificates signed by a CA can be rotated non-disruptively. They are also more secure because they provide better protection against man-in-the-middle attacks.

Procedure

  1. Obtain the fully qualified domain name (FQDN) of each Admin Node.
  2. Log in to the primary Admin Node:
    1. Enter the following command: ssh admin@primary_Admin_Node_IP
    2. Enter the password listed in the Passwords.txt file.
    3. Enter the following command to switch to root: su -
    4. Enter the password listed in the Passwords.txt file.
      When you are logged in as root, the prompt changes from $ to #.
  3. Configure StorageGRID with a new self-signed certificate:
     $ sudo make-certificate --domains wildcard-admin-node-fqdn --type management
    • For --domains, use wildcards to represent the fully qualified domain names of all Admin Nodes. For example, *.ui.storagegrid.example.com uses the * wildcard to represent admin1.ui.storagegrid.example.com and admin2.ui.storagegrid.example.com.
    • Set --type to management to configure the certificate used by Grid Manager and Tenant Manager.
    • By default, generated certificates are valid for one year (365 days) and must be recreated before they expire. You can use the --days argument to override the default validity period.
      Note: A certificate's validity period begins when make-certificate is run. You must ensure the management API client is synchronized to the same time source as StorageGRID; otherwise, the client might reject the certificate.
    $ sudo make-certificate --domains *.ui.storagegrid.example.com --type management --days 365
    The resulting output contains the public certificate needed by your management API client.
  4. Select and copy the certificate.
    Include the BEGIN and the END tags in your selection.
  5. Log out of the command shell:
     $ exit
  6. Confirm the certificate was configured:
    1. Access the Grid Manager.
    2. Select Configuration > Server Certificates > Management Interface Server Certificate.
  7. Configure your management API client to use the public certificate you copied. Include the BEGIN and END tags.
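The following script is an added example, not part of the StorageGRID documentation and not the make-certificate script itself. It shows what a management API client with strict hostname validation actually checks against the certificate produced in step 3 and copied in step 7: that the wildcard subject covers each Admin Node FQDN (and nothing beyond one label), and that the certificate is inside its validity period. It assumes only that openssl is installed; the wildcard and host names are the ones used on this page, and the certificate it inspects is a constructed self-signed stand-in generated locally rather than real make-certificate output.

```shell
#!/bin/sh
# Added example (not from the StorageGRID documentation or the make-certificate
# script): inspects a management-interface certificate the way a strict client
# would, using only openssl. The certificate below is a constructed stand-in for
# the make-certificate output, generated with the same wildcard used in step 3.
set -e

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
CERT="$WORKDIR/management.pem"
KEY="$WORKDIR/management.key"
WILDCARD='*.ui.storagegrid.example.com'

# Constructed self-signed certificate: one wildcard SAN covering every Admin
# Node, valid for 365 days from now, matching the procedure's default.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$WILDCARD" \
    -addext "subjectAltName=DNS:$WILDCARD" \
    -keyout "$KEY" -out "$CERT" >/dev/null 2>&1

# cert_check_hostname CERT HOST
# Succeeds only if CERT, trusted as its own anchor (which is what a client does
# with the copied public certificate), verifies for HOST. A wildcard matches a
# single label: admin1.ui.storagegrid.example.com matches, while
# admin1.storagegrid.example.com and a.b.ui.storagegrid.example.com do not.
cert_check_hostname() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# cert_still_valid_in_days CERT DAYS
# Succeeds if CERT will still be within its validity period DAYS days from now.
# Use it to raise an alert before the one-year default expires and the
# certificate has to be recreated.
cert_still_valid_in_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# cert_validity CERT
# Prints notBefore/notAfter. notBefore is the moment the certificate was
# generated, which is why a client whose clock lags the grid can reject a
# freshly issued certificate.
cert_validity() {
    openssl x509 -noout -startdate -enddate -in "$1"
}

# Stand-alone run: show what a client with strict hostname checking accepts.
cert_validity "$CERT"
for host in admin1.ui.storagegrid.example.com admin2.ui.storagegrid.example.com \
            admin1.storagegrid.example.com a.b.ui.storagegrid.example.com; do
    if cert_check_hostname "$CERT" "$host"; then
        echo "$host: accepted"
    else
        echo "$host: rejected (hostname mismatch)"
    fi
done
if cert_still_valid_in_days "$CERT" 30; then
    echo "certificate valid for at least 30 more days"
else
    echo "certificate expires within 30 days: rerun make-certificate"
fi
```

The trust model in cert_check_hostname is the same one a client applies when you hand it the copied PEM as its only trust anchor, for example `curl --cacert management.pem https://admin1.ui.storagegrid.example.com/`: the self-signed certificate is accepted because it is pinned, and the connection still fails if the host name does not fall under the wildcard or the client's clock is outside the validity window.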