Skip to main content
BlueXP setup and administration

Install a CA-signed certificate for web-based console access

Contributors netapp-bcammett
PDFs

When you use BlueXP in restricted mode or private mode, the user interface is accessible from the Connector virtual machine that's deployed in your cloud region or on-premises. By default, BlueXP uses a self-signed SSL certificate to provide secure HTTPS access to the web-based console running on the Connector. If required by your business, you can install a certificate signed by a certificate authority (CA), which provides better security protection than a self-signed certificate. After you install the certificate, BlueXP uses the CA-signed certificate when users access the web-based console.

Before you begin

You need to create a Connector before you can change BlueXP settings. Learn how to create a Connector.

Install an HTTPS certificate

Install a certificate signed by a CA for secure access to the web-based console running on the Connector.

About this task

You can install the certificate using one of the following options:

  • Generate a certificate signing request (CSR) from BlueXP, submit the certificate request to a CA, and then install the CA-signed certificate on the Connector.

    The key pair that BlueXP uses to generate the CSR is stored internally on the Connector. BlueXP automatically retrieves the same key pair (private key) when you install the certificate on the Connector.

  • Install a CA-signed certificate that you already have.

    With this option, the CSR is not generated through BlueXP. You generate the CSR separately and store the private key externally. You provide BlueXP with the private key when you install the certificate.

Steps

  1. In the upper right of the BlueXP console, select the Settings icon, and select HTTPS Setup.

    A screenshot that shows the Settings icon in the upper right of the BlueXP console.

  2. In the HTTPS Setup page, install a certificate by generating a certificate signing request (CSR) or by installing your own CA-signed certificate:

    Option Description

    Generate a CSR

    1. Enter the host name or DNS of the Connector host (its Common Name), and then select Generate CSR.

      BlueXP displays a certificate signing request.

    2. Use the CSR to submit an SSL certificate request to a CA.

      The certificate must use the Privacy Enhanced Mail (PEM) Base-64 encoded X.509 format.

    3. Upload the certificate file and then select Install.

    Install your own CA-signed certificate

    1. Select Install CA-signed certificate.

    2. Load both the certificate file and the private key and then select Install.

      The certificate must use the Privacy Enhanced Mail (PEM) Base-64 encoded X.509 format.
Result

BlueXP now uses the CA-signed certificate to provide secure HTTPS access. The following image shows a Connector that is configured for secure access:

Screen shot: Shows the HTTPS Setup page after you install a signed certificate. The page shows the certificate properties and an option to renew the certificate.

Renew the BlueXP HTTPS certificate

You should renew the BlueXP HTTPS certificate before it expires to ensure secure access to the BlueXP console. If you don't renew the certificate before it expires, a warning appears when users access the web console using HTTPS.

Steps

  1. In the upper right of the BlueXP console, select the Settings icon, and select HTTPS Setup.

    Details about the BlueXP certificate displays, including the expiration date.

  2. Select Change Certificate and follow the steps to generate a CSR or install your own CA-signed certificate.

Result

BlueXP uses the new CA-signed certificate to provide secure HTTPS access.