Replace or renew the SSL certificate

You can replace or renew the Secure Sockets Layer (SSL) certificate, which is used to access the EMC Isilon cluster through a browser.

Before you begin

When you renew or replace a self-signed SSL certificate, you must provide information for your organization in the format that is described in the Self-signed SSL certificate data example.

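The following folders are the default locations for the server.crt and server.key files in OneFS 6.0 and higher.

  SSL certificate: /usr/local/apache2/conf/ssl.crt/server.crt
  SSL certificate key: /usr/local/apache2/conf/ssl.key/server.key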

Procedure

  1. Establish an SSH connection to any node in the cluster.
  2. At the command prompt, run the following command to create the appropriate directory.
    mkdir /ifs/local/
  3. At the command prompt, run the following command to change to the directory.
    cd /ifs/local/
  4. Choose the type of certificate you want to install.
    Option: Third-party (public or private) CA-issued certificate
    1. At the command prompt, run the following command to generate a new Certificate Signing Request (CSR) in addition to a new key, where <common_name> is the host name, such as isilon.example.com:
      openssl req -new -nodes -newkey rsa:1024 -keyout <common_name>.key \
        -out <common_name>.csr
    2. Send the contents of the <common_name>.csr file from the cluster to your Certificate Authority (CA) for signing. When you receive the signed certificate (now a .crt file) from the CA, copy the certificate to /ifs/local/<common_name>.crt.
    Option: Self-signed certificate based on the existing (stock) ssl.key
    1. At the command prompt, run the following commands to copy the existing key into the current directory and create a two-year certificate. Increase or decrease the value for -days to generate a certificate with a different expiration date.
      cp /usr/local/apache2/conf/ssl.key/server.key ./
      openssl req -new \
        -days 730 -nodes -x509 -key server.key -out server.crt

    A renewal certificate is created, based on the existing (stock) ssl.key file.

  5. Optional: At the command prompt, run the following command to verify the attributes in an SSL certificate.
    openssl x509 -text -noout -in <common_name>.crt
  6. Run the following commands to install the certificate and key:
    isi services -a isi_webui disable
    chmod 640 <common_name>.key
    isi_for_array -s 'cp /ifs/local/<common_name>.key /usr/local/apache2/conf/ssl.key/server.key'
    isi_for_array -s 'cp /ifs/local/<common_name>.crt /usr/local/apache2/conf/ssl.crt/server.crt'
    isi services -a isi_webui enable
  7. Run the following command to remove the files in /ifs/local.
    rm /ifs/local/*
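
A check to run between steps 5 and 6, as an added example that is not part of the EMC documentation: it confirms that the private key and the certificate belong together, that the certificate is not about to expire, and that the key length meets a floor, before the web UI is disabled and the files are copied to every node. The 2048-bit floor (MIN_BITS), the 30-day default and the function names are assumptions of this example; a key created with the rsa:1024 option shown in step 4 is reported as too short under that floor.

```shell
#!/bin/sh
# Added example (not from the OneFS documentation): pre-install checks for a
# key/certificate pair. Assumes OpenSSL 1.0.0 or later for "openssl pkey".
# Usage: sh check_pair.sh KEY CRT [MIN_DAYS]
# Exit status: 0 ok, 1 key/cert mismatch, 2 expires too soon, 3 key too short,
#              4 file missing or unparsable.

MIN_BITS=${MIN_BITS:-2048}  # assumed policy floor for RSA keys; override via env

# SHA-256 over the PEM public key taken from a private-key file / a certificate.
key_pub_digest() { openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256; }
crt_pub_digest() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl dgst -sha256; }

# Key length in bits as printed in the certificate text: "Public-Key: (2048 bit)".
crt_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

check_pair() {
    key=$1 crt=$2 min_days=${3:-30}

    # Both files must parse before anything is compared.
    openssl pkey -in "$key" -noout 2>/dev/null || return 4
    openssl x509 -in "$crt" -noout 2>/dev/null || return 4

    # 1. The certificate must carry the public half of this private key;
    #    a mismatched pair cannot serve TLS once it is installed.
    [ "$(key_pub_digest "$key")" = "$(crt_pub_digest "$crt")" ] || return 1

    # 2. The certificate must still be valid min_days from now.
    openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null || return 2

    # 3. The key must meet the length floor.
    bits=$(crt_key_bits "$crt")
    [ -n "$bits" ] && [ "$bits" -ge "$MIN_BITS" ] || return 3
    return 0
}

# Run the check when the script is invoked with a key and a certificate.
if [ "$#" -ge 2 ]; then
    check_pair "$@"
    exit $?
fi
```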

Copyright © 2015 EMC Corporation. All rights reserved.