Two of our E-Series certificates have expired. We would now like to have our internal CA issue two new ones. However, since September 2024, our colleagues at the CA have required CSR requests with a length of 4096 bits. Can the length of 4096 bits be set in the SANtricity environment? Or are the CSR requests always issued with 2048 bits?
As of SANtricity OS 11.80.1, the E-Series generated CSR for the management certificate uses a 3072-bit key. If 4096 is desired, then the CSR needs to be generated externally (e.g. using OpenSSL).
As for SANtricity OS 11.80, the E-Series external key management service CSR generated by E-Series defaults to a 3072-bit key. The default can be increased to 4096 bits if needed, but this change / method does not apply to the management certificate of the E-Series Web-UI.
Thanks for the information. I'm now trying to create the CSR request with the parameter "4096". But I always get the error message "Encountered "keySize" at line 1, column 201. Was expecting: "file" ...". I specified keySize="4096". According to the documentation, this is correct.
I am not sure which utility you are using to generate the CSR, but below are the commands to generate the CSR and a 4096-bit key using openssl. Once the CSR is signed by your CA, you can upload the int/root certs, the signed server cert and the private key (generated below) into SANtricity System Manager.
- openssl genpkey -algorithm RSA -out server_cert_private.key -pkeyopt rsa_keygen_bits:4096
- openssl req -new -key server_cert_private.key -out server_cert_csr.csr
SANtricity OS 11.90 was released recently. This OS version supports a 4096-bit key for the Web-UI management certificate.
The KeySize attribute in the CLI applies only to 11.90 OS, hence why you received an error when you tried to generate the certificate.
Once you upgrade to 11.90 OS, you can also create the CSR using the Web-UI. Screenshot attached.
We have received the CER files (for Controller A and B) from our CA. When we try to install them using "Import CA Certificates", we get the message: "Failed to import array management server certificate on Controller B because: Unable to find valid certification path for certificate. (Web Server 422)".
We use Controller A and Controller B Management Server Certificates.
Thank you for your information. One of the E-Series was upgraded on Monday. The second E2860 is going to be upgraded in the next few days. So we will complete the CSR request when both E2860 are running OS 11.90.
You must include the root/intermediate CA certificates when uploading the controllers' server certificate.
The message indicates the web server is unable to find the complete chain for the signed certificate, which would mean the root, intermediate or both are missing from the upload.
Thank you, now it works.
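The checks discussed in this thread, collected into one script as an added example (not part of any post and not NetApp code): it generates the 4096-bit key and CSR with the OpenSSL commands quoted above, then confirms the key size, the key/certificate match and the completeness of the chain before anything is imported. The function names, file names and the CN are assumptions.

```shell
#!/bin/sh
# Added example. Function names, file names and the CN are placeholders.

# Generate a 4096-bit RSA key and a CSR without prompts
# (the thread's two commands, plus -subj to skip the interactive questions).
make_csr() {  # usage: make_csr <basename> <common-name>
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "$1.key" &&
    openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr"
}

# Print the public key size in bits recorded in a CSR.
csr_key_bits() {  # usage: csr_key_bits <csr>
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeed only if the signed certificate carries the public key of our private key.
cert_matches_key() {  # usage: cert_matches_key <cert> <key>
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# Succeed only if the certificate verifies up to the root, optionally through
# a PEM bundle of intermediates. Caveat: openssl may also consult the local
# system trust store, so a CA installed there can mask a missing file.
chain_complete() {  # usage: chain_complete <cert> <root> [intermediates]
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# Run all three checks on the files that are about to be uploaded.
precheck() {  # usage: precheck <csr> <key> <cert> <root> [intermediates]
    bits=$(csr_key_bits "$1")
    [ "$bits" = "4096" ] ||
        { echo "CSR key is ${bits:-unknown} bits, CA requires 4096"; return 1; }
    cert_matches_key "$3" "$2" ||
        { echo "certificate does not match the private key"; return 1; }
    chain_complete "$3" "$4" "${5:-}" ||
        { echo "incomplete chain: root or intermediate missing"; return 1; }
    echo "ok to import"
}

# With arguments, act as a command; with none, only define the functions.
[ "$#" -eq 0 ] || precheck "$@"
```

A failure of the chain check corresponds to the "Unable to find valid certification path" error reported in the thread.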
