Update SSL Certificates Using Cohesity CA or Customer CA certificate

21 October 2025

Cohesity software packages ship with an auto-generated self-signed certificate. You must accept the self-signed certificate to access the Cohesity clusters. This topic describes two scenarios for updating the cluster certificate from the Cohesity cluster (User Interface):

  • Load a Certificate Authority (CA) signed certificate.

  • Refresh the factory shipped (Cohesity signed) certificate if it expires.

Important Notes on SSL Certificates

  • Cohesity does not recommend using self-signed certificates.

  • Cohesity cluster supports X.509 certificates in PEM format only.

  • The certificate must have the "Common Name" field set to the server's hostname (for example, a VIP's DNS name). The Common Name must be the same as the name you plan to use to access the Cohesity cluster.

  • Private Key Files must not be encrypted.

  • If the certificate admin provides a single file, ensure to separate the file to obtain the certificate and key files.

  • By default, OCSP validation is disabled. Contact your Cohesity account team to enable the feature.

  • Cohesity does not support ECDSA certificates.

Examples

-----BEGIN CERTIFICATE-----
JHFDRTCCAi2gAwIBAgIRAMnovKoL9P3hveY2r9Y8wXIwDQYJKoZIhvcNAQELBQAw
NTEVMBMGA1UEChMMQ29oZXNpdHkgSW5jMRwwGgYDVQQDExNDb2hlc2l0eSBJbmMg
U2VydmVyMB4XDTE4MTIwMzE2MzM0MFoXDTE5MTIwMzE2MzM0MFowNTEVMBMGA1UE
ChMMQ29oZXNpdHkgSW5jMRwwGgYDVQQDExNDb2hlc2l0eSBJbmMgU2VydmVyMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvrE4iQ4BROiVytcMvaBXu2Nm
vBpjjrVdolQ83pdufZhD4vnL22Dnu0U2EWx0YrdaiQX3c8iEC2u951PInFs0NXAW
Y+KGqtRrg17aEJyHVqqEy5NZ0mxPMpmDUs0kNUzjpj6jX521PytjVx3y+/qchuu1
GM+qDWrpLO2s6O5lnkE1sxkR/MK14f4mXUYCmywaevQEr0/0lIjyqDmqEZg1+NQn
XBUgRw5c9Zvod/chpyZQN/seuM7oXRRcgfnEtd8Fm1ztCDy3Ui3eZs1X2d31D4y4
zzBBNdawEv25yTAOcHMvBeLLWwtKnm0RFLDF3SxEByKyKhziT1imOJYv2RaTpQID
AQABo1AwTjAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYD
VR0TAQH/BAIwADAZBgNVHREEEjAQgg4qLnJ0cHNyZS5sb2NhbDANBgkqhkiG9w0B
AQsFAAOCAQEAMqZ8rYzDXoZErRSL/xXhqcMwM+/Mm7TYymrF2ieYIpSWVhi0NRzf
2VlPvlHA+iNkScbV9lB+0hWblz5khK3nTbXmjnL65DgpJrms91LkQbGAh8Tp4ILf
fLdE9/j01uXs5uv1gZxss/lw+a3NW/4jQHtMcuWdYtJqcuGBJxktWGnjcsJWe9Hq
GrLlsuIYsHHPuqNin2HvxdqHCZbk2wumAmv47WGC/rzoCQ/83Sp74GuyK3W1z76x
fkpI9dVKUaox8L81NV8cyneWQe81ma9uoROJuBs6Wj/1qb5seVrbEooC87xtN8ns
EJ8A22yecDHtEJZVfowllVENqqa6mJLl1A==
-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----
JHFEpQIBAAKCAQEAvrE4iQ4BROiVytcMvaBXu2NmvBpjjrVdolQ83pdufZhD4vnL
22Dnu0U2EWx0YrdaiQX3c8iEC2u951PInFs0NXAWY+KGqtRrg17aEJyHVqqEy5NZ
0mxPMpmDUs0kNUzjpj6jX521PytjVx3y+/qchuu1GM+qDWrpLO2s6O5lnkE1sxkR
/MK14f4mXUYCmywaevQEr0/0lIjyqDmqEZg1+NQnXBUgRw5c9Zvod/chpyZQN/se
uM7oXRRcgfnEtd8Fm1ztCDy3Ui3eZs1X2d31D4y4zzBBNdawEv25yTAOcHMvBeLL
WwtKnm0RFLDF3SxEByKyKhziT1imOJYv2RaTpQIDAQABAoIBAQCsL8g18WByAXZo
jyBhBazSduIoTcfB78CZuGiyMZjCbcA27ooGEI2OiuNUflLlZFyqx6l2cgPRcDss
63mEvdH5wrlk/gHNtTtTh01unHiUaCq6y9XabJRiwz1SggwE2OXikkLhLr2fSaVM
360tnFDEf4ep3LHXpcbhG8f7GHDHoNZrs0ZyVXqbafsQ15CY0qukekOUWF4i/MSF
xCRmTTgn3X09gQ1uCrSqT27s6G1NBt5rqeOIS+KjSJfPwdeij9h/fnzazv/NRuIt
/fA1E/x+/fmxaWn/XyLvZbtpAa/WzRyknDs7DWBCA5PYNIzBHIFbW/SPviOlhBSU
QPVnQHMtAoGBAPjmlYPrL5BHSfPXAQlIk7UIZNC8dWmtHZWXKhEHLffhjKBQemTU
8ERBD0LX9Cj/XpIjCgYNPR6SzSP40UY4GSZiVx/g5rRiXXanuZvY1Va8y1ZvbIi+
dO3ctmzIstM41IBjDWEXJu9yhAgTcpNp2B8Q+Xx17X4MMRvxTBrFi1T/AoGBAMQh
nK8gFr+gu1eDObupk75qXKzIyJQ1KrEfeOjMHRCL4BwN+mbv1cM8f32WHdOE3URL
Num0ztq65NjaB68Z0qV6TnSDNT5hFDNPuaczQOArYwA4PMPGgzgN7mpKQ7NQTv7H
5SQMcEv2xBrMdJEEuGONAMrRdv522fUIwBWRj6NbAoGAbkNwTx2cV5VNTKmd+ufd
D6DlUJd8iFE5vvBVoW+FzL9t1gNxBURUIFiWEy2qK5Nd6O1+3kl1Hxs3p8ztoObv
NVLxd9zhN14wO4V4M3Nup1tB1UvNUBLXqBxT8INEvU/6y9mVrsJb7E3V8eHzqxyD
steJPrrbeDCcfN17sox6+i8CgYEAjjrpyz30AUdoVFA/f8277KxpRIvemUvtB8GR
BxFuSl+FSBMC8b8fP5QRyFsiig+h/jKlQdny4EAEURXb2KlbTtFhL7Eu3Wu9IHDC
a3QJqgcMpk4iEr9UzUOdD8uHSPQGNVF05C15Cj2LfPuj1L6dkOPiHTLFnkdGTCHq
WjnS9l0CgYEAzbutugqBCIXxflR27uWg7mb74qhEPEM0SgNN+hMLFVBg1d8/7xtI
KS4XmRqB0JQP4/wicWNYCSiEBk+2tPwUr+7Jed/Oiz/U2TJXWdq/j+yqE1oZHeOU
B4csWtfc7rD1N2RfQax1iojN87He8nIL/YrT6jNFeRMW0awLHMYDQHI=
-----END RSA PRIVATE KEY-----

Configuring Cohesity Cluster with a CA Signed Certificate

A Certificate Authority (CA) signed certificate is a digital certificate issued by a trusted organization called Certificate Authority. It authenticates the identity of the entity (certificate holder) before digitally signing the certificate, thereby assuring users that they are interacting with a legitimate and secure entity.

You can replace the Cohesity cluster's self-signed certificate with a Certificate Authority (CA) signed certificate. Optionally you can use the Subject Alternative Name (SAN) field to specify additional host names (such as sites, IP addresses, and common names) to be protected by a single SSL certificate, such as a Multi-Domain or Extend Validation Multi-Domain Certificate.

This procedure applies to configuring the Cohesity cluster using SHA256 and SHA384 cryptographic hash algorithms. When configuring, update the default_md parameter in step 3 accordingly. To configure a Cohesity cluster with a CA certificate using SHA256 or SHA384:

  1. Copy the following template to a text editor, replace the sample values in red color with actual values, and save the file in your local directory.
    #REQ FILE: cert_req.conf
#---------------------------
[ req ]
default_bits    = 2048
default_md      = sha384 (or sha256)
prompt          = no
encrypt_key     = no
distinguished_name = req_distinguished_name
req_extensions     = req_ext
	 
[ req_distinguished_name ]
countryName         = "US"
stateOrProvinceName = "CA"
localityName        = "San Jose"
organizationName    = "Data Protection" 
    organizationalUnitName = "example Organization Name"
commonName          = "cluster1.example-domain.com"

    [ req_ext ]
subjectAltName = @alt_names            

    [alt_names]
DNS.1 = cluster1.example-domain.com
DNS.2 = cluster1-vip.example-domain.com
IP.1 = 10.1.1.1
IP.2 = 10.1.1.3
IP.3 = 10.1.1.5
#---------------------------

  2. Run the following command to the SCP file saved in the local directory to support user:

    scp "/path_to_file/filename" user@ip_address:"/Path to destination/"

    Example

    scp cert_req.conf support@111.1.1.1:/var/tmp/

  3. Get the IP address for any Cohesity Cluster node (You can get the list of IP addresses by selecting Settings > Summary and then opening the Nodes tab). Use the IP address to log into that node as the support user.

    Command

    ssh support@<node IP address>

    Example

    ssh support@111.1.1.1

    When prompted, enter the password of the support user account.

    [support@111.1.1.1's password:

    Once your password is successfully authenticated, the prompt changes to the Secure Shell prompt.

    [support@restricted-8888222f444 ~]\>

  4. Generate the private key and certificate signing request files using cert_req.conf file:

    openssl req -out cert_req.csr -newkey rsa:2048 -nodes -keyout cert_key.key -config <path to file>/cert_req.conf

    Example

    openssl req -out cert_req.csr -newkey rsa:2048 -nodes -keyout cert_key.key -config /var/tmp/cert_req.conf

    Private key must not be encrypted.

  5. Convert the cert_key.key to a PEM private key using the following command:

    openssl rsa -in cert_key.key -out /var/tmp/key.pem

  6. Make sure all users (owners, groups, others) have read permissions for the private key (key.pem) file:

    To check the current permissions settings, run the following command:

    ls -ltr <key.pem>

    Run the following command to set the required permissions for all users:

    chmod 600 <key.pem>

    Sample Output:

    [support@restricted-a121 ~]\> chmod 600 key.pem
    [support@restricted-a121 ~]\> ls -ltr key.pem
    -rw------. 1 support support 1704 Jun 13 08:23 key.pem

  7. Run the following command to verify that the CSR file includes the Subject Alternative Name.

    openssl req -text -noout -verify -in cert_req.csr
    verify OK
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=XX, ST=PROVINCE, L=CITY, O=EXAMPLE, CN=HOST-A.EXAMPLE.COM
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
	00:e0:76:f7:7d:d7:42:b2:46:35:6d:67:a6:f0:10:
	b6:36:54:44:1f:04:60:23:91:7c:4e:0e:c4:34:e8:
	b8:a0:6e:1e:3a:09:cf:3e:26:c8:22:06:2a:f8:6a:
	22:fb:c0:9d:cd:03:ab:6a:5d:7e:34:4a:69:db:fb:
	07:55:b5:c1:df:a1:e4:2a:c2:7e:e4:cc:5f:28:04:
	fe:79:1c:c8:0f:e3:a4:fa:f6:b2:7a:89:6f:84:9a:
	c5:e9:9e:d9:8b:6a:3f:39:ed:7a:d2:40:c4:85:ed:
	ec:45:95:a9:d1:bf:51:3e:ed:f7:2b:fa:36:ed:77:
	19:fd:84:ba:24:33:92:87:1e:4d:18:11:61:ad:de:
	88:7a:77:e9:f8:9b:99:4e:9f:a1:52:4a:77:20:a7:
	70:0d:7d:89:8b:e5:d1:f9:f3:b0:0a:f4:d9:dc:12:
	87:57:8d:84:0b:34:bc:4b:93:30:9a:4f:e8:4e:3b:
	3c:44:95:e8:bb:63:90:b4:e3:a9:d3:d8:46:49:02:
	98:f1:63:88:23:9d:bb:36:02:2a:0b:7c:3e:18:cb:
	84:bb:8d:59:5e:da:87:31:ab:01:e6:61:29:fe:51:
	9c:9c:62:17:8b:e8:9c:53:09:75:03:68:7c:e9:94:
	86:7c:61:8b:c2:53:63:97:5e:78:c9:93:c3:d8:15:
	8d:f3
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
DNS:HOST-A.EXAMPLE.COM, DNS:HOST-A, IP Address:10.0.10.1
Signature Algorithm: sha256WithRSAEncryption
   ac:fb:6c:1c:4c:52:94:7c:6d:99:85:21:a1:c4:c7:eb:97:8e:
   e0:bf:ee:d6:c8:31:b2:6d:ba:38:c5:15:48:97:8d:e0:2d:4d: 
   da:52:d1:44:8f:86:3e:73:91:9b:85:b9:b9:2b:77:f2:98:cc:
   d2:a5:b6:6f:65:7f:fe:dd:d8:f9:76:3e:66:5c:01:af:d7:13:
   31:a6:51:44:ca:46:a4:c9:fe:c1:b8:c8:fb:9c:fe:fb:8d:e3:
   a8:53:70:38:b2:63:10:ad:5d:83:93:38:d4:38:eb:e3:d0:bd:
   5d:a9:06:47:d1:e6:87:1c:29:ac:33:fb:4e:75:99:70:df:71:
   de:f2:84:7b:15:ce:a0:c3:bc:3e:06:9b:82:4b:07:ca:f0:53: 
   fd:10:82:b5:66:1b:af:ac:eb:bd:4b:51:f1:c1:6f:1e:f4:8d:
   87:4d:d6:b0:c1:90:0f:4d:56:52:0f:41:5e:ac:8f:f4:cd:95:
   db:d4:3c:14:b2:e3:7e:1e:95:94:27:96:42:af:4b:3a:e6:ae:
   3d:40:27:63:bc:7e:cf:ba:7f:74:9d:72:30:ac:c8:77:c4:ee:
   45:0f:a9:eb:57:ab:3a:5e:a5:3c:34:ce:1f:e1:4f:6c:63:88:
   dd:e3:23:00:85:35:5e:c3:af:14:d0:26:2e:21:2e:7f:bc:7b:
   68:10:36:bf

  8. Use WinSCP or SCP command to download the cert_req.csr file from the Cohesity node to your local computer and upload it to the Certificate Authority (CA) for signature. Obtain the certificate in PEM format(cert.pem).

    Submit a certificate request to the CA using the contents of the CSR file, following the CA's enrollment process.

    • Cohesity cluster only supports X.509 certificates in PEM format only with Base64 encoded.

    • When you are getting the cert_req.csr certificate file signed to create the cert.pem file, ensure not to choose chain certificates.

    • If the certificate is in DER format, run the following command to convert it into PEM format:

      openssl x509 -in cert.cer -outform PEM -out cert.pem

    • If the server certificate is signed by an intermediate CA then the cert.pem file must have the server certificate first and then the intermediate certificate.

      Example

      -----BEGIN CERTIFICATE-----
      Server Certificate
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      Intermediate CA Certificate
      -----END CERTIFICATE-----

  9. After you obtain the certificate (cert.pem), copy it to the Cohesity cluster so you can update the cluster with the new certificate. Copy the file to a node on the cluster using the scp command on Linux systems as follows:

    scp cert.pem support@<Node IP Address>:/var/tmp
    If you created the key pair on your enterprise certificate management tool, you must import both the files (signed certificate and key) on the Cohesity cluster. Copy the file to a node on the cluster using the scp command on Linux systems as follows: 
    scp cert.pem key.pem support@<Node IP Address>:/var/tmp

  10. Make sure all users (owners, groups, others) have read permissions for the self-signed certificate (cert.pem) file:

    To check the current permissions settings, run the following command:

    ls -ltr <cert.pem>

    Run the following command to set the required permissions for all users:

    chmod 600 <cert.pem>

  11. Replace the Cohesity cluster’s current SSL certificate with the new certificate you created in the previous steps:

    1. Start the Cohesity CLI using the following command:

      support@restricted-test-cluster-005056ba314a-node-1 ~]\> iris_cli

      When prompted, enter the Username and password you use to log into the Cohesity Cluster’s User Interface. Once the password is successfully authenticated, the Cohesity CLI console opens.

    2. Replace the certificate by running the following command:

      cluster update-ssl-certificate ssl-certificate=<absolute path of the cert.pem file> ssl-cert-private-key=<absolute path of the key.pem file>

      Example

      admin@127.0.0.1>cluster update-ssl-certificate ssl-certificate=/var/tmp/cert.pem ssl-cert-private-key=/var/tmp/key.pem

    3. Restart the UI and REST API Services using the following command:

      admin@198.51.100.12>cluster restart service-names=iris

      It is recommended to wait a minute before proceeding with the next command.

    4. Restart the I/O Operations service using the following command:

      admin@198.51.100.12>cluster restart service-names=bridge

Configuring Cohesity Cluster with a Cohesity CA Issued Certificate

Before you Begin

You need Host Shell Access for the Cohesity cluster to run the last four commands in this procedure. For details, see Using the Secure Shell.

  1. Get the IP address for any Cohesity Cluster node (You can get the list of IP addresses by selecting Settings > Summary and then opening the Nodes tab). Use the IP address to log into that node as the support user.

    Command

    ssh support@<node IP address>

    Example

    ssh support@111.1.1.1

    When prompted, enter the password of the support user account.

    [support@111.1.1.1's password:

    Once your password is successfully authenticated, the prompt changes to the Secure Shell prompt.

    [support@restricted-8888222f444 ~]\>

  2. Run the following command to start Cohesity CLI.

    Command

    $ iris_cli

    When prompted, enter the Username and password you use to log into the Cohesity Cluster’s User Interface. Once the password is successfully authenticated, the Cohesity CLI console opens.

    Example

    iris_cli, Version: 6.8.2_release-20240317_97f56d9a

    Host: cork-clu-lts-005056ba9163-node-2, 127.0.0.1

    Cluster Server: 127.0.0.1:443

    admin@127.0.0.1>

  3. Run the following command to generate Cohesity CA certificate.

    Command

    cert-manager new-cert city="San Jose" country-code=US organization-unit=IT organization="Cohesity Inc" state=California san-list="fqdn ipaddresses comma separated" common-name="common-name" output-dir=/home/support/

    Certificate and Private Key will be written to following path:

    • /home/support/new-cert/privateKey.pem

    • /home/support/new-cert/certificate.pem

  4. Run the following command to replace the certificate:

    Command

    cluster update-ssl-certificate ssl-certificate=<absolute path of the cert.pem file> ssl-cert-private-key=<absolute path of the key.pem file

    Example

    admin@127.0.0.1>cluster update-ssl-certificate ssl-certificate=/home/support/new-cert/certificate.pem ssl-cert-private-key=/home/support/new-cert/privateKey.pem 

    CLUSTER SSL CERTIFICATE : -----BEGIN CERTIFICATE---
    MIIFpDCCA4ygAwIBAgIQDOxhTmAVWGsxVbypDcdj2TANBgkqhkiG9w0BAQsFADBs
    MQswCQYDVQQGEwJ1czERMA8GA1UEBxMIU2FuIEpvc2UxFTATBgNVBAoTDENvaGVz
    aXR5IEluYzEVMBMGA1UECxMMQ29oZXNpdHkgSW5jMRwwGgYDVQQDExNDb2hlc2l0a
    eSBJbmMgU2VydmVyMB4XDTI0MDYwMTExNTAwNloXDTM0MDUzMDExNTAwNlowbDEL
    MAkGA1UEBhMCdXMxETAPBgNVBAcTCFNhbiBKb3NlMRUwEwYDVQQKEwxDb2hlc2l0
    eSBJbmMxFTATBgNVBAsTDENvaGVzaXR5IEluYzEcMBoGA1UEAxMTQ29oZXNpdHkg
    SW5jIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALLcHuJX
    gx3bDw/a6Rag1wIwzQZdYaGIVjTe+B03EcTPLPfVMBG6fXVk2XApPPVu54lkxoGI
    YJKj44hOGAOMfo+ecpPyWeDfp9VTguPxbwHL9UiqESE36JGMgVUt7yKXWW6qoLf/
    mbsV0ublJhu9R19pfSuLt8dbMo6WCxUx2JAvFw0ZFBfOTLCOGIFeQlLOKcj77+XW
    IyqSwCBAn+VLg7EaJ+u+cWegab48v5KZwrEvNcncd5iiMC5p9Em0QmqjzHXGC6Mq
    IC5HiTYL4xrNj+XWjZYs7ZckbW5SBtzG0PSFW/tRW6fuuDl8EwyQVpxG0BcxkMM4
    HbMyUiVXmovqBlJ/6qascQQBnmgV2xYBlFbaRVjgIgpFeQw7qML8675pckQqrsB1
    oKbVtN0qDcEVaT1Jy811JRi+IIeKTQpfOH4EgXD3+fyvzY/qjE2wr/0q5bXpZ4yP
    vepj6lXYue0UDQ/l0X8szn7P/97ppuv/j98SOK5CLTukRQNJ2tSQF/aPkj6r2bT9
    yr0tF6NBJayX2Wv02/10nhRaFR00+y935oZSPGreYlX73rmRSCVjTIab1VCjm43y
    o7Ds9yvWNuqeJy+zci0xL3ttZxaWiu6c4IMkGD+saqw5Qy50+XsPEIjnC1nY832f
    T3QBcxIhE/4UMxK0mhwtq845EleaOZb/rmvTAgMBAAGjQjBAMA4GA1UdDwEB/wQE
    AwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBS8y1X1dn5EXIkZs9q2lVWv
    CEVoOjANBgkqhkiG9w0BAQsFAAOCAgEACwInp6yPGJ0gQ99OSmpXmRmRIMG2Md3u
    u03Z/wOUf7kCCpdwsfXsJQPz65bw6UtEqDzwfQfTBFuQUU4vNYEZOcb8PlSV9H0c
    Jtr/jwi0VanUU2BmhqG6AlpfUa33sQR+c1VFhPwLDFm0mCKx+2T7UyGLCGCCH9KG
    oGCuH8hksR+UTIFX3t7J4nSq5A3Oqm2ygxTfEeYOWS50jtcHXZAO+xWCLS9waUDS
    Qoo0GhDjTT7XJ7bqVWiQ7RQQxwtJPxmYId9Ez2ZhLjKtXioX9R3YlXwuTaLYsfwB
    MI2v+TbRSuUC8Y4/ql04835DaQ8QnlYvbGjptkVDr/Y/gA4rNclleOG9hswpHRZk
    kUHEqkguV+DW169IJgnL/695tl2ites7bkrIUmj3kqnBeiIWM91Fvw7smXEgtTgZ
    qA4vWt6ew+Xk8SaeOvL0e5OcZnFjTnUsbldXYZ2rToO65G18JOIcCW1HCrou/wmc
    U072MP3GA8LS5iP+qrlLDfIAdoRzN42QmLoJ1gFuFfXIYUQOaqHczjMLi+aO5ljn
    ZvBUyjDSocuN9ITFg59g5Ma25TlCW0ebyoulPqKfHb3JKeFjE3DVeBQOifJ1j1PM
    bCekJuDB9EtKUzoWUOkGw0YRDDhtu9T9QoeDPiLWI4Te9

  5. Run the following command to restart bridge and iris services:

    Command

    iris_cli cluster restart service-names=bridge,iris 

    [support@stor1-525488a33cal-node-1 ~]$ iris cli cluster restart service-names-bridge, iris
    Username: admin
    'admin' Password:
    Success: Restarting the cluster services [bridge iris] ...

Related Topic

Generate SSL Certificates with a Subject Alternate Name