As a follow-up to our previous article, Installing SSL Certificates on HPE MSA array, this one focuses on the new MSA firmware (IN210R004 or more recent), where the implementation of CA-signed certificates is slightly different.
In this manual, we will install a web certificate for each controller, even though you can use one certificate for both controllers.
For more details, you might also want to look at the official HPE documents:
– HPE MSA 1060/2060/2062 CLI Reference Guide
– HPE MSA 1060/2060/2062 Storage Management Guide
1. Creating the Certificate Signing Request
Unlike the older MSA firmware, the new firmware uses the standard way of implementing SSL web certificates. This means that you’ll first need to create a Certificate Signing Request (.csr file) and have it signed by your Certificate Authority (CA).
This is also the standard approach for HPE certificates, used on other mid-level and high-end arrays.
- Using PuTTY, log in to one of the controllers, e.g. controller A.
- To create the CSR file, enter the command:
create certificate-signing-request a subject "/OU=IT/C=BE/L=Brussels/S=Brussels/O=STORCOM/CN=msabox01"
- Copy the generated text from PuTTY into Notepad and save it as a .csr or .txt file.
- Send the Certificate Signing Request file to the CA to have it signed, with the request to add the extra Subject Alternative Names below:
SAN=msabox01
SAN=msabox01.storcom.com
IP=10.10.120.2
- Once you have received the signed certificate (usually in .crt or .cer format), you can proceed with the next steps.
2. Installing Array & CA certificates
We’ll use the FTP protocol to install the Root, Intermediate and CA-signed Array certificates; the Array certificate is the one we requested with the CSR file in the previous step. You could also opt to use SFTP.
– Make sure to enable FTP from the MSA interface, as it’s disabled by default. Or, using the CLI: set protocols ftp enabled | disabled
Also, if the FTP feature is not enabled on Windows, you can enable it using Apps & Features.
For convenience, we’ll copy all the needed files into one directory, which will also be our base directory in the FTP session, e.g. C:\temp\SSL\
- Open a CMD prompt and navigate to C:\temp\SSL\
- Launch FTP and connect to the MSA controller
- We’ll first upload the Root certificate
put RootCA_B64.pem cert-file:trust
- Using the following command we’ll upload the Intermediate certificate
put IssuingCA.pem cert-file:trust
- Finally, we can upload the signed Array certificate
put msabox01.cer cert-file:usr
For the changes to take effect, we’ll still need to restart the management controller:
restart mc full and confirm with Yes
3. Useful commands
1. Putty/MSA
create certificate-signing-request a subject "/OU=IT/C=BE/L=Brussels/S=Brussels/O=STORCOM/CN=msabox01"
set protocols ftp enabled | disabled
show certificates detail
2. FTP
put RootCA_B64.pem cert-file:trust
put IssuingCA.pem cert-file:trust
restart mc full
2 Responses
Thanks for the good instructions. I have created two (both) CSR questions.
With the CSRs, the CA generated two certificates for controllers a and b. How can I put the certificates on the controller without an FTP / SFTP explorer?
sftp -b (batchfile) [put Certificate.pem cert-file:trust ….]? Or FTP into the right folders?
Thanks, Tino
Great article on the MSA certificates. It helped me on many occasions.
I just want to point out that you can add the SAN names directly in the CSR request instead of adding them manually on the CA authority by using this command for request:
create certificate-signing-request a subject "/OU=IT/C=BE/L=Brussels/S=Brussels/O=STORCOM/CN=msabox01" extensions "/subjectAltName=DNS:msabox01,DNS:msabox01.storcom.com,IP:10.10.120.2"
A good point in the article also is that if you have issued the certificate in the old way on the controllers you need to remove them before creating certificate-signing-request by running “remove certificate usr_cert_a”
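Added example, not part of the article or of the comments above and not HPE code: a Python helper that builds the CSR command in the `subject` / `extensions` form quoted on this page, using straight quotes and validated SAN entries, so the request does not have to be corrected at the CA. The function names are hypothetical, and accepting `b` as the selector for the second controller is an assumption.

```python
import ipaddress
import re

# RFC 1123 hostname label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Characters that would break the quoted "/KEY=value" argument, including the
# typographic quotes that web pages substitute for straight ones.
_FORBIDDEN = set('"/=\u201c\u201d')


def san_entry(item):
    """Return 'IP:<addr>' for an IP address, 'DNS:<name>' for a valid hostname."""
    try:
        return f"IP:{ipaddress.ip_address(item)}"
    except ValueError:
        pass
    labels = item.split(".")
    # An all-numeric last label is a mistyped IP address, not a hostname.
    if (len(item) > 253 or labels[-1].isdigit()
            or not all(_LABEL.match(p) for p in labels)):
        raise ValueError(f"not a valid hostname or IP address: {item!r}")
    return f"DNS:{item}"


def build_csr_command(controller, subject, sans):
    """Build the CSR command line for one controller.

    subject: ordered (key, value) pairs such as [("OU", "IT"), ("CN", "msabox01")]
    sans:    hostnames and IP addresses for subjectAltName
    """
    if controller not in ("a", "b"):  # "b" for the second controller is assumed
        raise ValueError("controller must be 'a' or 'b'")
    fields = dict(subject)
    for key, value in subject:
        if not value or _FORBIDDEN & set(value):
            raise ValueError(f"{key}: empty or contains a reserved character")
    if len(fields.get("C", "BE")) != 2:
        raise ValueError("C must be a two-letter country code")
    # Browsers match the SAN list, not the CN, so the CN must be repeated there.
    if fields.get("CN") not in sans:
        raise ValueError("CN missing, or not listed among the SAN entries")
    subj = "".join(f"/{k}={v}" for k, v in subject)
    alt = ",".join(san_entry(s) for s in sans)
    return (f'create certificate-signing-request {controller} subject "{subj}" '
            f'extensions "/subjectAltName={alt}"')


# Constructed sample input: the values used in the article.
SUBJECT = [("OU", "IT"), ("C", "BE"), ("L", "Brussels"), ("S", "Brussels"),
           ("O", "STORCOM"), ("CN", "msabox01")]
SANS = ["msabox01", "msabox01.storcom.com", "10.10.120.2"]
```

After the signed certificate is installed, `show certificates detail` from the article's command list is the place to confirm what the controller actually holds.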