Deploying ECA using the GUI
You can perform all external certificates-related operations from the > > Certificates tab.
Switch to external certificate
Once the external certificates are deployed, user can switch in between internal and external certificates.
After the external certificates are deployed, the option is enabled. The web server is restarted after certificates are switched.
Internal certificates or appliance certificates are the Access Appliance CA certificates which are deployed during the initial configuration.
Upload certificate
An ECA that is certified to work with CA bundle and an optional certificate revocation list (CRL) is required for the Access Appliance cluster components to use an external certificate.
All the artifacts must be deployed in tandem for the first time. This includes external certificate, CA bundle, and CRL.
CRL is optional. It may be provided as a file or embedded in certificate as a URL.
If using your own certificate, include the certificate and provide a key. Keep the private key unencrypted.
Once deployed all the Access Appliance components - web server and S3 services use the external certificates.
The web server and S3 server are restarted after deployment of certificate artifacts is successful.
View certificate request
You can view the generated certificate request and verify the subject distinguished names and subject alternative names.
You can also copy the generated certificate request and get the CA certificate from it.
Generate certificate request
You must provide a proper subject distinguished name and subject to generate correct external certificate that can be used in Access Appliance cluster.
You can use the GUI wizard to generate a proper request for the cluster. The wizard auto populates necessary IP/FQDN to generate correct request.
To deploy ECA using the GUI
- Go to the Settings > Security Management > Certificates tab.
- Click Generate certificate request and fill out the form. The SAN field is filled with default SAN entries that are mandatory for the configuration. For standard default configuration, it has the FQDN entries for all the storage servers, console IP and API gateway FQDN.
- Click Generate to generate a certificate request.
- Click Copy to copy the certificate request. This has to be given to a CA signing authority who uses this to generate a certificate. CA signing authority provides a certificate along with the root certificate and intermediate certificate used to generate the certificate. Authority may also provide a CRL file .
- You also have an option to upload a private key. If you want to use your own certificate, include the certificate and provide a key. Ensure that the private key is unencrypted.
- Go to Certificates > Upload certificate to upload the certificate artifacts. For a fresh deployment, both the certificate and CA certificate bundle are mandatory. CRL is optional. For renewal, any one of the three are required.
- After the certificate is uploaded, Save gets enabled. Click Save. The deployment is initiated.
After deployment is successfully completed for all components, the GUI restarts with the uploaded external certificate.
You can verify the browser certificate from the GUI to verify that it is the same one that was used during deployment.