Get started
Hardening guidelines for server certificates
Suggest changes
-
PDF of this doc site
-
Install and upgrade software
-
Install and maintain hardware
-
SG5700 storage appliances
-
SG5600 storage appliances
-
-
Configure and manage
-
Administer StorageGRID
-
-
Use StorageGRID
-
Monitor and troubleshoot
-
Monitor a StorageGRID system
-
-
Collection of separate PDF docs
Creating your file...
You should replace the default certificates created during installation with your own custom certificates.
For many organizations, the self-signed digital certificate for StorageGRID web access is not compliant with their information security policies. On production systems, you should install a CA-signed digital certificate for use in authenticating StorageGRID.
Specifically, you should use custom server certificates instead of these default certificates:
-
Management Interface Server Certificate: Used to secure access to the Grid Manager, the Tenant Manager, the Grid Management API, and the Tenant Management API.
-
Object Storage API Service Endpoints Server Certificate: Used to secure access to Storage Nodes and Gateway Nodes, which S3 and Swift client applications use to upload and download object data.
|
StorageGRID manages the certificates used for load balancer endpoints separately. To configure load balancer certificates, see the steps for configuring load balancer endpoints in the instructions for administering StorageGRID. |
When using custom server certificates, follow these guidelines:
-
Certificates should have a
subjectAltNamethat matches DNS entries for StorageGRID. For details, see section 4.2.1.6, “Subject Alternative Name,” in RFC 5280: PKIX Certificate and CRL Profile. -
When possible, avoid the use of wildcard certificates. An exception to this guideline is the certificate for an S3 virtual hosted style endpoint, which requires the use of a wildcard if bucket names are not known in advance.
-
When you must use wildcards in certificates, you should take additional steps to reduce the risks. Use a wildcard pattern such as
*.s3.example.com, and do not use thes3.example.comsuffix for other applications. This pattern also works with path-style S3 access, such asdc1-s1.s3.example.com/mybucket. -
Set the certificate expiration times to be short (for example, 2 months), and use the Grid Management API to automate certificate rotation. This especially important for wildcard certificates.
In addition, clients should use strict hostname checking when communicating with StorageGRID.