Use CA-signed certificates
You can obtain and import CA-signed certificates for secure access to the management system hosting the Storage Plugin for vCenter.
Using CA-signed certificates is a three-step procedure:
Step 1: Complete a CSR file
You must first generate a certificate signing request (CSR) file, which identifies your organization and the host system where the plugin is running. Alternatively, you can generate a CSR file using a tool such as OpenSSL and skip to Step 2: Submit CSR file.
-
Select Certificate Management.
-
From the Management tab, select Complete CSR.
-
Enter the following information, and then click Next:
-
Organization — The full, legal name of your company or organization. Include suffixes, such as Inc. or Corp.
-
Organizational unit (optional) — The division of your organization that is handling the certificate.
-
City/Locality — The city where your host system or business is located.
-
State/Region (optional) — The state or region where your host system or business is located.
-
Country ISO code — Your country's two-digit ISO (International Organization for Standardization) code, such as US.
-
-
Enter the following information about the host system where the plugin is running:
-
Common name — The IP address or DNS name of the host system where the plugin is running. Make sure this address is correct; it must match exactly what you enter to access the plugin in the browser. Do not include http:// or https://. The DNS name cannot begin with a wildcard.
-
Alternate IP addresses — If the common name is an IP address, you can optionally enter any additional IP addresses or aliases for the host system. For multiple entries, use a comma-delimited format.
-
Alternate DNS names — If the common name is a DNS name, enter any additional DNS names for the host system. For multiple entries, use a comma-delimited format. If there are no alternate DNS names, but you entered a DNS name in the first field, copy that name here. The DNS name cannot begin with a wildcard.
-
-
Make sure that the host information is correct. If it is not, the certificates returned from the CA will fail when you try to import them.
-
Click Finish.
Step 2: Submit CSR file
After you create a certificate signing request (CSR) file, you send the generated CSR file to a CA to receive signed, management certificates for the system hosting the plugin.
E-Series systems require PEM format (Base64 ASCII encoding) for signed certificates, which includes the following file types: .pem, .crt, .cer, or .key.
-
Locate the downloaded CSR file.
The folder location of the download depends on your browser.
-
Submit the CSR file to a CA (for example, Verisign or DigiCert), and request signed certificates in PEM format.
After you submit a CSR file to the CA, do NOT regenerate another CSR file. |
Whenever you generate a CSR, the system creates a private and public key pair. The public key is part of the CSR, while the private key is kept in the system's keystore. When you receive the signed certificates and import them, the system ensures that both the private and public keys are the original pair. If the keys do not match, the signed certificates will not work and you must request new certificates from the CA.
Step 3: Import management certificates
After you receive signed certificates from the Certificate Authority (CA), import the certificates into the host system where the plugin is installed.
-
You must have the signed certificates from the CA. These files include the root certificate, one or more intermediate certificates, and the server certificate.
-
If the CA provided a chained certificate file (for example, a .p7b file), you must unpack the chained file into individual files: the root certificate, one or more intermediate certificates, and the server certificate. You can use the Windows certmgr utility to unpack the files (right-click and select
). Base-64 encoding is recommended. When the exports are complete, a CER file is shown for each certificate file in the chain. -
You must copy the certificate files to the host system where the plugin is running.
-
Select Certificate Management.
-
From the Management tab, select Import.
A dialog box opens for importing the certificate files.
-
Click Browse to first select the root and intermediate certificate files, and then select the server certificate. If you generated the CSR from an external tool, you must also import the private key file that was created along with the CSR.
The filenames are displayed in the dialog box.
-
Click Import.
The files are uploaded and validated. The certificate information displays on the Certificate Management page.