Configure S3 and Swift API certificates

Contributors netapp-perveilerk netapp-madkat netapp-lhalbert

You can replace or restore the server certificate that is used for S3 or Swift client connections to Storage Nodes, the deprecated Connection Load Balancer (CLB) service on Gateway Nodes, or to load balancer endpoints. The replacement custom server certificate is specific to your organization.

About this task

By default, every Storage Node is issued an X.509 server certificate signed by the grid CA. These CA-signed certificates can be replaced by a single common custom server certificate and corresponding private key.

A single custom server certificate is used for all Storage Nodes, so you must specify the certificate as a wildcard or multi-domain certificate if clients need to verify the hostname when connecting to the storage endpoint. Define the custom certificate such that it matches all Storage Nodes in the grid.

After completing configuration on the server, you might also need to install the Grid CA certificate in the S3 or Swift API client you will use to access the system, depending on the root certificate authority (CA) you are using.

Note To ensure that operations are not disrupted by a failed server certificate, the Expiration of global server certificate for S3 and Swift API alert is triggered when the root server certificate is about to expire. As required, you can view when the current certificate expires by selecting CONFIGURATION > Security > Certificates and looking at the Expiration date for the S3 and Swift API certificate on the Global tab.

You can upload or generate a custom S3 and Swift API certificate.

Add a custom S3 and Swift API certificate

Steps
  1. Select CONFIGURATION > Security > Certificates.

  2. On the Global tab, select S3 and Swift API certificate.

  3. Select Use custom certificate.

  4. Upload or generate the certificate.

    Upload certificate

    Upload the required server certificate files.

    1. Select Upload certificate.

    2. Upload the required server certificate files:

      • Server certificate: The custom server certificate file (PEM encoded).

      • Certificate private key: The custom server certificate private key file (.key).

        Note EC private keys must be 224 bits or larger. RSA private keys must be 2048 bits or larger.

      • CA bundle: A single optional file containing the certificates from each intermediate issuing certificate authority. The file should contain each of the PEM-encoded CA certificate files, concatenated in certificate chain order.

    3. Select the certificate details to display the metadata and PEM for each custom S3 and Swift API certificate that was uploaded. If you uploaded an optional CA bundle, each certificate displays on its own tab.

      • Select Download certificate to save the certificate file or select Download CA bundle to save the certificate bundle.

        Specify the certificate file name and download location. Save the file with the extension .pem.

        For example: storagegrid_certificate.pem

      • Select Copy certificate PEM or Copy CA bundle PEM to copy the certificate contents for pasting elsewhere.

    4. Select Save.

      The custom server certificate is used for subsequent new S3 and Swift client connections.

    Generate certificate

    Generate the server certificate files.

    1. Select Generate certificate.

    2. Specify the certificate information:

      • Domain name: One or more fully qualified domain names to include in the certificate. Use an asterisk (*) as a wildcard to represent multiple domain names.

      • IP: One or more IP addresses to include in the certificate.

      • Subject: X.509 subject or distinguished name (DN) of the certificate owner.

      • Days valid: Number of days after creation that the certificate expires.

    3. Select Generate.

    4. Select Certificate Details to display the metadata and PEM for the custom S3 and Swift API certificate that was generated.

      • Select Download certificate to save the certificate file.

        Specify the certificate file name and download location. Save the file with the extension .pem.

        For example: storagegrid_certificate.pem

      • Select Copy certificate PEM to copy the certificate contents for pasting elsewhere.

    5. Select Save.

      The custom server certificate is used for subsequent new S3 and Swift client connections.

  5. Select a tab to display metadata for the default StorageGRID server certificate, a CA-signed certificate that was uploaded, or a custom certificate that was generated.

    Note After uploading or generating a new certificate, allow up to one day for any related certificate expiration alerts to clear.

  6. Refresh the page to ensure the web browser is updated.

  7. After you add a custom S3 and Swift API certificate, the S3 and Swift API certificate page displays detailed certificate information for the custom certificate that is in use. You can download or copy the certificate PEM as required.
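The upload step above expects a private key of sufficient size, a certificate whose names cover every Storage Node (hence the wildcard or multi-domain advice in About this task), and an optional CA bundle in chain order; the expiration alert described earlier is the other thing worth checking before and after a rotation. The following script is an added example and is not part of the StorageGRID documentation or product: it assumes only the openssl command-line tool (1.1.1 or later) and a POSIX shell, builds a constructed three-tier test chain (root CA, intermediate CA, server certificate) so that it runs offline, and then applies the four checks to those files. Every domain name, IP address, subject name and file name in it is a constructed placeholder.

```sh
#!/bin/sh
# Added example, not NetApp's code. Assumes the openssl CLI (1.1.1+) and POSIX sh.
# All names, addresses and files below are constructed placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Names the certificate must cover: a wildcard for every Storage Node plus the
# S3 endpoint name and one address (constructed values).
SAN='DNS:*.storage.example.com,DNS:s3.example.com,IP:203.0.113.10'

# --- checks to run before uploading -------------------------------------------
key_bits() {   # print the size in bits of an RSA or EC private key (PEM)
    openssl pkey -in "$1" -noout -text 2>/dev/null \
      | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

key_meets_minimum() {   # 0 if the key meets the page's minimum: RSA 2048, EC 224
    bits=$(key_bits "$1")
    if openssl pkey -in "$1" -noout -text 2>/dev/null | grep -q publicExponent; then
        min=2048   # RSA keys carry a publicExponent in the text dump
    else
        min=224    # EC
    fi
    [ "${bits:-0}" -ge "$min" ]
}

cert_dns_names() {   # print the DNS entries of subjectAltName, one per line
    openssl x509 -in "$1" -noout -text 2>/dev/null | awk '
        /Subject Alternative Name/ { getline; n = split($0, a, /, */)
            for (i = 1; i <= n; i++) if (a[i] ~ /DNS:/) { sub(/.*DNS:/, "", a[i]); print a[i] } }'
}

host_covered_by_cert() {   # usage: host_covered_by_cert cert.pem host; 0 if a DNS SAN covers host
    host=$2; found=1
    set -f                                   # keep '*.storage...' from pathname expansion
    for name in $(cert_dns_names "$1"); do
        if [ "$name" = "$host" ]; then found=0; fi
        case $name in
        \*.*)                                # wildcard: exactly one leading label (RFC 6125)
            suffix=${name#\*.}
            case $host in
            *.$suffix) if [ "${host%.$suffix}" = "${host%%.*}" ]; then found=0; fi ;;
            esac ;;
        esac
    done
    set +f
    return $found
}

split_pem() {   # write each certificate of bundle $1 to $2/cert-N.pem; print the count
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
                     n { print > out }  END { print n + 0 }' "$1"
}

chain_in_order() {   # usage: chain_in_order server.pem ca-bundle.pem; 0 if each cert is issued by the next
    dir=$(mktemp -d "$WORK/split.XXXXXX")
    count=$(split_pem "$2" "$dir")
    expect=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    i=1
    while [ "$i" -le "$count" ]; do
        subj=$(openssl x509 -in "$dir/cert-$i.pem" -noout -subject | sed 's/^subject=//')
        if [ "$subj" != "$expect" ]; then return 1; fi
        expect=$(openssl x509 -in "$dir/cert-$i.pem" -noout -issuer | sed 's/^issuer=//')
        i=$((i + 1))
    done
    return 0
}

cert_expires_within_days() {   # usage: cert_expires_within_days cert.pem N; 0 if it expires within N days
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1   # checkend succeeds when the certificate outlives the window
    fi
    return 0
}

# --- constructed fixtures: root CA -> policy CA -> issuing CA -> server ----------
rsa_key() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:"$2" -out "$1" 2>/dev/null; }
issue() {   # issue SUBJECT KEY OUT ISSUER_CERT ISSUER_KEY EXTENSION DAYS
    openssl req -new -key "$2" -subj "$1" -out "$3.csr" 2>/dev/null
    printf '%s\n' "$6" > "$3.ext"
    openssl x509 -req -in "$3.csr" -CA "$4" -CAkey "$5" -CAcreateserial -days "$7" \
        -extfile "$3.ext" -out "$3" 2>/dev/null
}
CA_EXT='basicConstraints=critical,CA:TRUE'
rsa_key "$WORK/root.key" 2048
openssl req -x509 -new -key "$WORK/root.key" -subj '/CN=Example Root CA' -days 3650 \
    -out "$WORK/root.pem" 2>/dev/null
rsa_key "$WORK/policy.key" 2048
issue '/CN=Example Policy CA' "$WORK/policy.key" "$WORK/policy.pem" "$WORK/root.pem" "$WORK/root.key" "$CA_EXT" 1825
rsa_key "$WORK/issuing.key" 2048
issue '/CN=Example Issuing CA' "$WORK/issuing.key" "$WORK/issuing.pem" "$WORK/policy.pem" "$WORK/policy.key" "$CA_EXT" 1825
# Server key: EC P-256 (above the 224-bit EC minimum). In production the CSR goes to your own CA.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/server.key" 2>/dev/null
issue '/CN=s3.example.com' "$WORK/server.key" "$WORK/server.pem" "$WORK/issuing.pem" "$WORK/issuing.key" "subjectAltName=$SAN" 365
rsa_key "$WORK/weak.key" 1024 || :                                 # deliberately below the RSA minimum
cat "$WORK/issuing.pem" "$WORK/policy.pem" > "$WORK/ca-bundle.pem"        # intermediates, leaf's issuer first
cat "$WORK/policy.pem" "$WORK/issuing.pem" > "$WORK/ca-bundle-wrong.pem"  # same certificates, wrong order

# --- stand-alone demo ------------------------------------------------------------
for k in root issuing server weak; do
    if key_meets_minimum "$WORK/$k.key"; then v=ok; else v='too small'; fi
    echo "$k.key: $(key_bits "$WORK/$k.key") bits -> $v"
done
for h in sn1.storage.example.com s3.example.com a.b.storage.example.com; do
    if host_covered_by_cert "$WORK/server.pem" "$h"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
done
if chain_in_order "$WORK/server.pem" "$WORK/ca-bundle.pem"; then echo "ca-bundle.pem: chain order ok"; fi
if cert_expires_within_days "$WORK/server.pem" 30; then echo "server.pem: expires within 30 days"; else echo "server.pem: more than 30 days left"; fi
```

In practice the only fixture you would create yourself is the server key and CSR; the certificate and the intermediate certificates come back from your organization's CA, and the four checks are run on those files before they are uploaded. The wildcard check deliberately refuses a host with two labels below the wildcard (a.b.storage.example.com) because clients doing hostname verification refuse it too, so a grid whose Storage Nodes sit in several subdomains needs a multi-domain certificate rather than one wildcard. The expiry check is the same test the grid's expiration alert performs, and can be pointed at a certificate downloaded from the Certificates page to confirm what the alert reports.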

Restore the default S3 and Swift API certificate

You can revert to using the default S3 and Swift API certificate for S3 and Swift client connections to Storage Nodes and to the deprecated CLB service on Gateway Nodes. However, you cannot use the default S3 and Swift API certificate for a load balancer endpoint.

Steps
  1. Select CONFIGURATION > Security > Certificates.

  2. On the Global tab, select S3 and Swift API certificate.

  3. Select Use default certificate.

    When you restore the default version of the global S3 and Swift API certificate, the custom server certificate files you configured are deleted and cannot be recovered from the system. The default S3 and Swift API certificate will be used for subsequent new S3 and Swift client connections to Storage Nodes and to the deprecated CLB service on Gateway Nodes.

  4. Select OK to confirm the warning and restore the default S3 and Swift API certificate.

    If you have Root access permission and the custom S3 and Swift API certificate was used for load balancer endpoint connections, a list is displayed of load balancer endpoints that will no longer be accessible using the default S3 and Swift API certificate. Go to Configure load balancer endpoints to edit or remove the affected endpoints.

  5. Refresh the page to ensure the web browser is updated.

Download or copy the S3 and Swift API certificate

You can save or copy the S3 and Swift API certificate contents for use elsewhere.

Steps
  1. Select CONFIGURATION > Security > Certificates.

  2. On the Global tab, select S3 and Swift API certificate.

  3. Select the Server or CA bundle tab and then download or copy the certificate.

    Download certificate file or CA bundle

    Download the certificate or CA bundle .pem file. If you are using an optional CA bundle, each certificate in the bundle displays on its own sub-tab.

    1. Select Download certificate or Download CA bundle.

      If you are downloading a CA bundle, all the certificates in the CA bundle secondary tabs download as a single file.

    2. Specify the certificate file name and download location. Save the file with the extension .pem.

      For example: storagegrid_certificate.pem

    Copy certificate or CA bundle PEM

    Copy the certificate text to paste elsewhere. If you are using an optional CA bundle, each certificate in the bundle displays on its own sub-tab.

    1. Select Copy certificate PEM or Copy CA bundle PEM.

      If you are copying a CA bundle, all the certificates in the CA bundle secondary tabs copy together.

    2. Paste the copied certificate into a text editor.

    3. Save the text file with the extension .pem.

      For example: storagegrid_certificate.pem