#RFE: TLS cert installation needs improvement

versed scroll
#

Could this possibly be made a bit more like StorageGrid? Even the order of the certs is mostly backwards from everywhere else. Just make a GUI where you add the cert, key, root, intermediate certificates.

versed scroll
#

just to make the irritation worse, AIQUM accepts the kludged signed server cert, intermediate and root certs but doesn't use them after a reboot

verbal island
#
versed scroll
#

the CSR was generated by AIQUM

#

so AIQUM has the key

#

i went through this insanity last time i installed a new certificate... at the time it wasn't possible to install a certificate from an externally generated csr

#

but none of this is relevant. the system accepted the bundle i uploaded on friday but after reboot still used the old cert. I made a new bundle yesterday because it suddenly didn't accept friday's bundle and it accepted the new bundle (1st cert, 2nd intermediate, 3rd root) and rebooted and it's still using the old certificate

#

the entire approach is a bit fragile anyway... it assumes a single "trust store", one intermediate+root for its own service and everything it consumes (ldap, mail) which isn't reality, especially when intermediates start to expire and multiple intermediates (or root certs) are valid in transitional periods.

versed scroll
#

i can actually see "remnants" of the old and the new certificates in the orania (?) truststore by using strings. Unfortunately my diag session timed out during lunch, so i get to dig again, but... i don't know how to clean up the mess yet

brazen pike
#

the only time i've seen the old cert held on to after UM accepted it and has been rebooted was when the browser needed the cache cleared too.

if you go to um in an incognito window is it still the old cert or is it the new cert?