Configure client certificates

Contributors netapp-perveilerk netapp-madkat

Client certificates allow authorized external clients to access the StorageGRID Prometheus database, providing a secure way for external tools to monitor StorageGRID.

If you need to access StorageGRID using an external monitoring tool, you must upload or generate a client certificate using the Grid Manager and copy the certificate information to the external tool.

Note To ensure that operations are not disrupted by a failed server certificate, the Expiration of client certificates configured on the Certificates page alert is triggered when this server certificate is about to expire. As required, you can view when the current certificate expires by selecting CONFIGURATION > Security > Certificates and looking at the Expiration date for the client certificate on the Client tab.
Note If you are using a key management server (KMS) to protect the data on specially configured appliance nodes, see the specific information about uploading a KMS client certificate.
What you’ll need
  • You have Root access permission.

  • You are signed in to the Grid Manager using a supported web browser.

  • To configure a client certificate:

    • You have the IP address or domain name of the Admin Node.

    • If you have configured the StorageGRID management interface certificate, you have the CA, client certificate, and private key used to configure the management interface certificate.

    • To upload your own certificate, the private key for the certificate is available on your local computer.

    • The private key must have been saved or recorded at the time it was created. If you do not have the original private key, you must create a new one.

  • To edit a client certificate:

    • You have the IP address or domain name of the Admin Node.

    • To upload your own certificate or a new certificate, the private key, client certificate, and CA (if used) are available on your local computer.

Add client certificates

Follow the procedure for your scenario to add a client certificate:

Management interface certificate already configured

Use this procedure to add a client certificate if a management interface certificate is already configured using a customer-supplied CA, client certificate, and private key.

Steps
  1. In the Grid Manager, select CONFIGURATION > Security > Certificates and then select the Client tab.

  2. Select Add.

  3. Enter a certificate name that contains at least 1 and no more than 32 characters.

  4. To access Prometheus metrics using your external monitoring tool, select Allow Prometheus.

  5. In the Certificate type section, upload the management interface certificate .pem file.

    1. Select Upload certificate and then select Continue.

    2. Upload the management interface certificate file (.pem).

      • Select Client certificate details to display the certificate metadata and certificate PEM.

      • Select Copy certificate PEM to copy the certificate contents for pasting elsewhere.

    3. Select Create to save the certificate in the Grid Manager.

      The new certificate appears on the Client tab.

  6. Configure the following settings on your external monitoring tool, such as Grafana.

    1. Name: Enter a name for the connection.

      StorageGRID does not require this information, but you must provide a name to test the connection.

    2. URL: Enter the domain name or IP address for the Admin Node. Specify HTTPS and port 9091.

      For example: https://admin-node.example.com:9091

    3. Enable TLS Client Auth and With CA Cert.

    4. Under TLS/SSL Auth Details, copy and paste:

      • The management interface CA certificate to CA Cert

      • The client certificate to Client Cert

      • The private key to Client Key

    5. ServerName: Enter the domain name of the Admin Node.

      ServerName must match the domain name as it appears in the management interface certificate.

    6. Save and test the certificate and private key that you copied from StorageGRID or a local file.

      You can now access the Prometheus metrics from StorageGRID with your external monitoring tool.

      For information about the metrics, see the instructions for monitoring StorageGRID.

CA issued client certificate

Use this procedure to add an administrator client certificate if a management interface certificate was not configured and you plan to add a client certificate for Prometheus that uses a CA issued client certificate and private key.

Steps
  1. Perform the steps to configure a management interface certificate.

  2. In the Grid Manager, select CONFIGURATION > Security > Certificates and then select the Client tab.

  3. Select Add.

  4. Enter a certificate name that contains at least 1 and no more than 32 characters.

  5. To access Prometheus metrics using your external monitoring tool, select Allow Prometheus.

  6. In the Certificate type section, upload the client certificate, private key and CA bundle .pem files:

    1. Select Upload certificate and then select Continue.

    2. Upload client certificate, private key and CA bundle files (.pem).

      • Select Client certificate details to display the certificate metadata and certificate PEM.

      • Select Copy certificate PEM to copy the certificate contents for pasting elsewhere.

    3. Select Create to save the certificate in the Grid Manager.

      The new certificates appear on the Client tab.

  7. Configure the following settings on your external monitoring tool, such as Grafana.

    1. Name: Enter a name for the connection.

      StorageGRID does not require this information, but you must provide a name to test the connection.

    2. URL: Enter the domain name or IP address for the Admin Node. Specify HTTPS and port 9091.

      For example: https://admin-node.example.com:9091

    3. Enable TLS Client Auth and With CA Cert.

    4. Under TLS/SSL Auth Details, copy and paste:

      • The management interface CA certificate to CA Cert

      • The client certificate to Client Cert

      • The private key to Client Key

    5. ServerName: Enter the domain name of the Admin Node.

      ServerName must match the domain name as it appears in the management interface certificate.

    6. Save and test the certificate and private key that you copied from StorageGRID or a local file.

      You can now access the Prometheus metrics from StorageGRID with your external monitoring tool.

      For information about the metrics, see the instructions for monitoring StorageGRID.

Generated certificate from Grid Manager

Use this procedure to add an administrator client certificate if a management interface certificate was not configured and you plan to add a client certificate for Prometheus that uses the generate certificate function in Grid Manager.

Steps
  1. In the Grid Manager, select CONFIGURATION > Security > Certificates and then select the Client tab.

  2. Select Add.

  3. Enter a certificate name that contains at least 1 and no more than 32 characters.

  4. To access Prometheus metrics using your external monitoring tool, select Allow Prometheus.

  5. In the Certificate type section, select Generate certificate.

  6. Specify the certificate information:

    • Domain name: One or more fully qualified domain names of the admin node to include in the certificate. Use an * as a wildcard to represent multiple domain names.

    • IP: One or more admin node IP addresses to include in the certificate.

    • Subject: X.509 subject or distinguished name (DN) of the certificate owner.

  7. Select Generate.

  8. Select Client certificate details to display the certificate metadata and certificate PEM.

    Important You will not be able to view the certificate private key after you close the dialog. Copy or download the key to a safe location.
    • Select Copy certificate PEM to copy the certificate contents for pasting elsewhere.

    • Select Download certificate to save the certificate file.

      Specify the certificate file name and download location. Save the file with the extension .pem.

      For example: storagegrid_certificate.pem

    • Select Copy private key to copy the certificate private key for pasting elsewhere.

    • Select Download private key to save the private key as a file.

      Specify the private key file name and download location.

  9. Select Create to save the certificate in the Grid Manager.

    The new certificate appears on the Client tab.

  10. In the Grid Manager, select CONFIGURATION > Security > Certificates and then select the Global tab.

  11. Select Management Interface certificate.

  12. Select Use custom certificate.

  13. Upload the certificate.pem and private_key.pem files from the client certificate details step. There is no need to upload CA bundle.

    1. Select Upload certificate and then select Continue.

    2. Upload each certificate file (.pem).

    3. Select Create to save the certificate in the Grid Manager.

      The new certificate appears on the Client tab.

  14. Configure the following settings on your external monitoring tool, such as Grafana.

    1. Name: Enter a name for the connection.

      StorageGRID does not require this information, but you must provide a name to test the connection.

    2. URL: Enter the domain name or IP address for the Admin Node. Specify HTTPS and port 9091.

      For example: https://admin-node.example.com:9091

    3. Enable TLS Client Auth and With CA Cert.

    4. Under TLS/SSL Auth Details, copy and paste:

      • The management interface client certificate to both CA Cert and Client Cert

      • The private key to Client Key

    5. ServerName: Enter the domain name of the Admin Node.

      ServerName must match the domain name as it appears in the management interface certificate.

    6. Save and test the certificate and private key that you copied from StorageGRID or a local file.

      You can now access the Prometheus metrics from StorageGRID with your external monitoring tool.

      For information about the metrics, see the instructions for monitoring StorageGRID.

Edit client certificates

You can edit an administrator client certificate to change its name, enable or disable Prometheus access, or upload a new certificate when the current one has expired.

Steps
  1. Select CONFIGURATION > Security > Certificates and then select the Client tab.

    Certificate expiration dates and Prometheus access permissions are listed in the table. If a certificate will expire soon or is already expired, a message appears in the table and an alert is triggered.

  2. Select the certificate you want to edit.

  3. Select Edit and then select Edit name and permission

  4. Enter a certificate name that contains at least 1 and no more than 32 characters.

  5. To access Prometheus metrics using your external monitoring tool, select Allow Prometheus.

  6. Select Continue to save the certificate in the Grid Manager.

    The updated certificate displays on the Client tab.

Attach new client certificate

You can upload a new certificate when the current one has expired.

Steps
  1. Select CONFIGURATION > Security > Certificates and then select the Client tab.

    Certificate expiration dates and Prometheus access permissions are listed in the table. If a certificate will expire soon or is already expired, a message appears in the table and an alert is triggered.

  2. Select the certificate you want to edit.

  3. Select Edit and then select an edit option.

    Upload certificate

    Copy the certificate text to paste elsewhere.

    1. Select Upload certificate and then select Continue.

    2. Upload the client certificate name (.pem).

      Select Client certificate details to display the certificate metadata and certificate PEM.

      • Select Download certificate to save the certificate file.

        Specify the certificate file name and download location. Save the file with the extension .pem.

        For example: storagegrid_certificate.pem

      • Select Copy certificate PEM to copy the certificate contents for pasting elsewhere.

    3. Select Create to save the certificate in the Grid Manager.

      The updated certificate displays on the Client tab.

    Generate certificate

    Generate the certificate text to paste elsewhere.

    1. Select Generate certificate.

    2. Specify the certificate information:

      • Domain name: One or more fully qualified domain names to include in the certificate. Use an * as a wildcard to represent multiple domain names.

      • IP: One or more IP addresses to include in the certificate.

      • Subject: X.509 subject or distinguished name (DN) of the certificate owner.

      • Days valid: Number of days after creation that the certificate expires.

    3. Select Generate.

    4. Select Client certificate details to display the certificate metadata and certificate PEM.

      Important You will not be able to view the certificate private key after you close the dialog. Copy or download the key to a safe location.
      • Select Copy certificate PEM to copy the certificate contents for pasting elsewhere.

      • Select Download certificate to save the certificate file.

        Specify the certificate file name and download location. Save the file with the extension .pem.

        For example: storagegrid_certificate.pem

      • Select Copy private key to copy the certificate private key for pasting elsewhere.

      • Select Download private key to save the private key as a file.

        Specify the private key file name and download location.

    5. Select Create to save the certificate in the Grid Manager.

      The new certificate appears on the Client tab.

Download or copy client certificates

You can download or copy a client certificate for use elsewhere.

Steps
  1. Select CONFIGURATION > Security > Certificates and then select the Client tab.

  2. Select the certificate you want to copy or download.

  3. Download or copy the certificate.

    Download certificate file

    Download the certificate .pem file.

    1. Select Download certificate.

    2. Specify the certificate file name and download location. Save the file with the extension .pem.

      For example: storagegrid_certificate.pem

    Copy certificate

    Copy the certificate text to paste elsewhere.

    1. Select Copy certificate PEM.

    2. Paste the copied certificate into a text editor.

    3. Save the text file with the extension .pem.

      For example: storagegrid_certificate.pem

Remove client certificates

If you no longer need an administrator client certificate, you can remove it.

Steps
  1. Select CONFIGURATION > Security > Certificates and then select the Client tab.

  2. Select the certificate you want to remove.

  3. Select Delete and then confirm.

Note To remove up to 10 certificates, select each certificate to remove on the Client tab and then select Actions > Delete.

After a certificate is removed, clients that used the certificate must specify a new client certificate to access the StorageGRID Prometheus database.