- Create a private key on the SP.
service@unknown spa:~/user# openssl genrsa -out unitycert.pk 2048
Generating RSA private key, 2048 bit long modulus
............................+++
.........................................................................................+++
e is 65537 (0x10001)
- Create a CSR on the SP.
service@unknown spa:~/user# openssl req -new -key unitycert.pk -out unitycert.csr \
-subj '/C=IE/ST=Cork/L=Ovens/O=DellEMC/CN=name.example.com' \
-reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:name.example.com,IP:192.0.2.1"))
Here "/C=IE/ST=Cork/L=Ovens/O=DellEMC/CN=name.example.com" and "DNS:name.example.com" are examples and must be changed to match your environment (see below). The IP:<address> entry in the SAN is optional and can be omitted; the DNS entry must be the FQDN that clients use to reach the Unity.
The fields in the -subj argument stand for:
- C = Country Code
- ST = State or Province
- L = City or Locality
- O = Organization
- CN = Common Name (the FQDN you want to secure, in this case the Unity)
The SAN (Subject Alternative Name) is not part of -subj; it is the extension added through the -reqexts SAN section and carries the DNS name and optional IP address of the entity you want to secure (in this case the Unity).
- Get the CSR signed by your CA (a Windows CA server, an OpenSSL CA, or another CA). Deliver the CSR to the CA using either of the two methods below:
- Print the CSR with the 'cat' command, copy the output, paste it into a text editor on your local computer, and save it as unitycert.csr.
service@unknown spa:~/user# cat unitycert.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICljCCAX4CAQAwUTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1BMREwDwYDVQQH
DAhTYXJhc290YTEPMA0GA1UECgwGTXlDdXN0MREwDwYDVQQDDAgxMC4wLjAuMTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOBxqufN1Vpm0hq5K5UU0ocd
teL2hJr5T1WIOmwQreX4nIdHIxVoWmyepmT7IZJIrQZQc8GuFDRx5qZ/cwlxoup7
<..snip..>
lJc/79vxTfrWWNnSF95C+wer2LB93VLov8MSQqPZfl0LPb4NRU/XaE4l9Vh5DYl4
/FmwHXsifwV5f1TUkvhC8YTwn5frWQjruz+ItZ3z9DetQX0OXYXMcaPX5Qp6aU5m
dsXFHDDiaVbOofJN9z6OPOsWUhn0ZwEpnW8q/+V72MdBIfiwEjoQqZZKh4w1l0/7
uElP8BfS7vH/i87OCqHJM0g/O3IndF+p5wYzmhrDPg/f3belQVQvKs7Z
-----END CERTIFICATE REQUEST-----
Or
- Use a third-party SCP/SFTP client such as FileZilla or WinSCP to connect to the Unity management IP (username: service). For Unity OE 4.5 and later the protocol must be set to SCP; see KB article 57822: Dell EMC Unity: Shell lockdown (rbash) on Unity OE 4.5 and above (User Correctable) (only registered Dell customers can access the preceding link).
- Copy the unitycert.csr file to the local computer.
- Have the CA issue the signed certificate and save it as unitycert.crt so that its base name matches unitycert.pk. Upload the signed certificate to the SP, into the same directory as the private key. The part of each filename before the extension must be identical; that common base name is the argument passed to svc_custom_cert, as in the example below.
- Use the svc_custom_cert command to upload the cert:
service@unknown spa:~/user# svc_custom_cert unitycert
Successfully installed custom certificate files.
Restarting web server ...
Sun May 22 05:37:48 2016:7645\0x7f44ba3e27c0:32:Module CIC/1.1.10.6 loaded
Note: Once svc_custom_cert has completed successfully, remove unitycert.crt and unitycert.pk from the SP. Leaving the private key in /cores/service/user exposes it to anyone who can read that directory and is a security risk.
Note: The following error can occur when installing the new certificate:
service@SPB spb:~/user# svc_custom_cert unitycert
ERROR: Certificate </tmp/cert.MIbZ4L/unitycert.crt> is invalid
svc_custom_cert expects a Base64 (PEM) encoded certificate. A DER (binary) encoded certificate, as some CAs deliver, must be converted first. On Windows, use certutil and then rename the converted file to unitycert.crt before uploading it:
certutil -v -encode unitycert.crt unity64cert.crt
Input Length = 1520
Output Length = 2148
CertUtil: -encode command completed successfully.
Or convert it on the Unity system with OpenSSL:
openssl x509 -in <certificate file> -inform DER -outform PEM -out unitycert.crt
Once converted, install it using the instructions above. See KB 19728: Dell EMC Unity: How to import an SSL certificate which has been signed by a local Certificate Authority (User Correctable) for more detail.
This procedure also works with wildcard certificates.
Uploading a certificate file that contains PKCS#7 encoded certificates, or any other content in addition to the Base64 encoded certificate, can cause SP panics and other issues. In that case, trim the file down to only the "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----" block.
NOTE: Engineering is working to update the Security Configuration Guide and possibly to enhance the svc_custom_cert script so that it rejects certificates signed with unsupported algorithms.
The only signature algorithms supported in CST are:
SHA1_RSA
SHA256_RSA
SHA384_RSA
SHA512_RSA
Although SHA1_RSA is accepted by the SP, SHA-1 signed certificates are rejected by current browsers; request a SHA-256 or stronger signature from the CA.
NOTE: RFC 2818 (published in 2000) deprecated the fallback to the Common Name of the Subject and requires that the dNSName element of the Subject Alternative Name extension contain the host name being validated. In 2017, Google Chrome 58 removed this fallback entirely (which affects all Chromium-based browsers, including current Edge), so a SAN is mandatory for an internally signed certificate to be trusted by modern browsers. Confirm that the SAN is present in the issued certificate, not only in the CSR, since a CA may not copy requested extensions.
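As an added end-to-end example, not part of this article or of the Unity tooling, the script below carries both halves of the procedure: make_csr creates the key and a SAN-bearing CSR from a self-contained OpenSSL config (instead of appending to /etc/ssl/openssl.cnf), and preflight_cert normalises whatever the CA returns (PEM with surrounding text, DER, or a PKCS#7 bundle) to the bare certificate block and then checks key match, signature algorithm and SAN before svc_custom_cert is ever run. The function names, the SUPPORTED_SIGALGS list (derived from the CST list above) and the self-signed stand-in "CA" in demo are assumptions for illustration; it needs only bash/sh and the openssl command.

```shell
#!/usr/bin/env bash
# Added example; not part of the Dell EMC KB article or of svc_custom_cert.
# Assumes only bash/sh and the openssl command. make_csr/csr_san cover the key
# and CSR step; preflight_cert covers the checks you want before svc_custom_cert:
# bare PEM encoding, key/cert match, supported signature algorithm, SAN present.
set -eu

# OpenSSL names for the four algorithms the page lists as supported in CST (assumption).
SUPPORTED_SIGALGS='sha1WithRSAEncryption sha256WithRSAEncryption sha384WithRSAEncryption sha512WithRSAEncryption'

# make_csr <basename> <subject> <san>: writes <basename>.pk and <basename>.csr
make_csr() {
  local base=$1 subj=$2 san=$3 cfg
  cfg=$(mktemp)
  # Self-contained request config. -subj supersedes the [dn] section, which
  # openssl req still requires to exist; [san] is selected with -reqexts.
  cat >"$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[san]
subjectAltName = $san
EOF
  ( umask 077; openssl genrsa -out "$base.pk" 2048 2>/dev/null )   # private key is created 0600
  openssl req -new -key "$base.pk" -subj "$subj" -reqexts san -config "$cfg" -out "$base.csr"
  rm -f "$cfg"
}

# csr_san <csr>: print the SAN value the CA is expected to copy into the certificate
csr_san() {
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# preflight_cert <basename>: rewrite <basename>.crt as a bare PEM certificate and
# check it against <basename>.pk. Returns non-zero on any failed check.
preflight_cert() {
  local base=$1 crt=$1.crt pem sigalg
  pem=$(mktemp)
  # Accept PEM (extra text around the block is dropped), DER (the "Certificate ...
  # is invalid" case) or a PKCS#7 bundle; keep only the first certificate block.
  if   openssl x509  -in "$crt" -inform PEM -out "$pem" 2>/dev/null; then :
  elif openssl x509  -in "$crt" -inform DER -out "$pem" 2>/dev/null; then :
  elif openssl pkcs7 -in "$crt" -inform PEM -print_certs 2>/dev/null | openssl x509 -out "$pem" 2>/dev/null; then :
  elif openssl pkcs7 -in "$crt" -inform DER -print_certs 2>/dev/null | openssl x509 -out "$pem" 2>/dev/null; then :
  else
    echo "ERROR: $crt is not a certificate in PEM, DER or PKCS#7 form" >&2; rm -f "$pem"; return 1
  fi
  # The signed certificate must carry the public key of the CSR's private key.
  if [ "$(openssl x509 -in "$pem" -noout -pubkey)" != "$(openssl pkey -in "$base.pk" -pubout 2>/dev/null)" ]; then
    echo "ERROR: $crt does not match the key in $base.pk" >&2; rm -f "$pem"; return 1
  fi
  # Only RSA with SHA-1/256/384/512 is accepted by the SP; SHA-1 is still refused by browsers.
  sigalg=$(openssl x509 -in "$pem" -noout -text | awk '/Signature Algorithm:/ {print $3; exit}')
  case " $SUPPORTED_SIGALGS " in
    *" $sigalg "*) ;;
    *) echo "ERROR: signature algorithm $sigalg is not supported by svc_custom_cert" >&2; rm -f "$pem"; return 1 ;;
  esac
  if [ "$sigalg" = sha1WithRSAEncryption ]; then
    echo "WARNING: SHA-1 signature; browsers reject it, request SHA-256 or stronger" >&2
  fi
  # RFC 2818 / Chrome 58: without a SAN no modern browser trusts the name, whatever the CN says.
  if ! openssl x509 -in "$pem" -noout -text | grep -q 'Subject Alternative Name'; then
    echo "ERROR: $crt has no subjectAltName extension" >&2; rm -f "$pem"; return 1
  fi
  mv "$pem" "$crt"
  echo "OK: $crt is a bare PEM certificate for $base.pk, signed with $sigalg"
}

# demo <dir>: constructed end-to-end run. The CSR is self-signed with its own key as a
# stand-in for your CA and written as DER to reproduce the "Certificate ... is invalid"
# error, then normalised and checked. Returns non-zero if any check fails.
demo() {
  local d=$1 ext
  make_csr "$d/unitycert" '/C=IE/ST=Cork/L=Ovens/O=DellEMC/CN=name.example.com' 'DNS:name.example.com,IP:192.0.2.1'
  ext=$(mktemp); printf 'subjectAltName=DNS:name.example.com,IP:192.0.2.1\n' >"$ext"
  openssl x509 -req -in "$d/unitycert.csr" -signkey "$d/unitycert.pk" -days 30 -sha256 \
    -extfile "$ext" -outform DER -out "$d/unitycert.crt" 2>/dev/null
  rm -f "$ext"
  preflight_cert "$d/unitycert"
}
```

In real use, run make_csr where the key should live, send only the .csr to the CA, and run preflight_cert on the returned file before copying unitycert.crt next to unitycert.pk and calling svc_custom_cert unitycert; a non-zero exit tells you which of the failure modes described above (DER, PKCS#7 wrapper, wrong key, unsupported signature, missing SAN) you have, instead of a bare "Certificate ... is invalid" on the SP.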