Skip to main content
Hitachi Vantara Knowledge

Generating a certificate signing request (CSR)

A certificate signing request (CSR) is a file that contains the encoded information needed to request a certificate from an authority. After generating the CSR, it can be submitted to the authority.

To generate a CSR:

Procedure

  1. SSH in to the SMU as user manager, enter su -, and enter the root password.

  2. Enter cert-gencustom.sh

  3. Copy and paste the CSR that is displayed into the website of the certificate authority.

    Alternatively, copy the CSR from the following file on the SMU: /etc/opt/mercury-papi/ssl/certreq.csr

Installing certificates

After obtaining the signed certificate from the certificate authority (CA):

Procedure

  1. Copy the certificate provided by the CA to the SMU (for example, use the scp command to copy the certificate to /home/manager/signedcert-der.p7.

  2. If necessary, provide the certificate authority’s trusted certificate chain as a file (for example, /home/manager/veritas.pem). The SMU already includes popular certificate authority trust chains, so this step can typically be skipped

    NoteThe content of the certificate and trust chain files should only start with -----BEGIN and end with -----END CERTIFICATE-----.
  3. Log in to the SMU as user manager, enter su -, and enter the root password.

  4. If you are using your own private/corporate CA, you will probably need to import that CA certificate.

    • If the root CA certificate and your signed certificate are bundled into a single file (usually a .p7b file): Enter cert-import.sh -p path to to import your signed certificate and the certificate authority certificate.
    • If the Root CA certificate is in a separate file from your certificate: Enter cert-importtrustchain.sh -p path to root CA cert file -a unique alias to import the certificate authority certificate (usually a .cer file) . This is optional and is only required if the java keystore does not already trust the root CA. This might require multiple files or chains, so repeat as necessary. Enter cert-import.sh -p path to cert file to import your signed certificate reply (usually a .p7b file).

      The default SMU SSL certificate is now replaced by your CA-signed certificate.

    NoteAny unique alias may be used. If the alias already exists in the SMU’s keystore, you will be prompted to replace the old certificate or cancel the import.
  5. When prompted to overwrite the existing certificate, enter y.

  6. Restart the web server when prompted so that it can start to use the new SSL certificate.

  7. Close and restart any browsers used to connect to the SMU.

    Restarting the browser is required to purge the browser of any previously negotiated SSL session values. When logging into SMU after restarting the browser, the new SSL Certificate is provided.
  8. As needed, enter cert-showall.sh to display and verify the contents (SSL certificate and trust chain) of the keystore.

Recreating the default SMU certificate

If there are problems when trying to create/import an SSL certificate, the SMU's default certificate may be recreated.

To recreate the default certificate:

Procedure

  1. Log in to the SMU as the user manager, enter su -, and enter the root password.

  2. Enter cert-gendefault.sh.

  3. When prompted to overwrite the existing certificate, enter y.

  4. Restart the web server when prompted so that it can use the new SSL certificate.

  5. Close and restart any browsers that are connected to the SMU.

    Restarting the browser is required to purge the browser of any previously negotiated SSL session values. When logging into SMU after restarting the browser, the new SSL certificate will be provided.

 

  • Was this article helpful?