Adding a CA-signed SSL to Nimble OS

Yes this is great fun; go buy yourself a multi-hundred-thousand dollar storage array and then try to figure out how to add a real SSL cert to it so your sysadmins don’t have to bypass the stupid cert error with each access.

Well, you can’t do it from the GUI, has to be command line. You also can’t simply import a cert and key you’ve generated and purchased, you have to generate the CSR on the array with the key remaining hidden. This of course means you can’t dictate key length, nor can you install a wildcard.

So, ssh in as an administrative user and you’re going to use the cryptic ‘cert’ command to generate a CSR. The syntax is:

cert --gen custom-csr --subject '/C=US/ST=New York/L=New York/O=Company/OU=Information Technology/CN=nimble-1.company.com'

Nimble’s documentation mentions the ability to use an –iplist command to add raw IP addresses to the CSR as alternate names, but certificate issuers will strip those, so really no point in doing that unless you’re using your own internal CA. Hit enter and it will spit out the CSR that you take to the certificate issuer.

When it comes time to import, you’ll first want to import the CA certificate. Of course this is also done in a backwards way from every other device / web server / etc. that you typically encounter. Most CA’s will deliver your new certificate with a bundle intermediate file that will typically hold two certs; the two closest signing intermediates, but never the root. Nimble needs the root, so you’ll have to figure out what the proper root is. To do this, take what will be the bottom-most intermediate from the CA’s bundle file, place it in its own file (file.ca in this example) and run openssl against it:

openssl x509 -noout -text -in file.ca

The important output will be something like:

Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority

This will tell you that you need to go find the root certificate “USERTrust RSA Certification Authority”. Once you have that, in PEM format, open that CA bundle file and do the following:

  • Flip the order of the two certificates currently in the file, because Nimble wants them from root down, not the way everything else takes them.
  • Add your newly found root certificate to the top of the altered file.

So, at this point, your bundle file should have what is likely three certificates in it, the root, intermediate 1, intermediate 2. Paste these back into the array after running the command:

cert --import custom-ca

Place a blank line at the end, and then type Ctrl-D to submit. If it doesn’t error, you’re good. Run the next command to paste in the CA-issued certificate for your array:

cert --import custom

Leave a Reply

Your email address will not be published. Required fields are marked *