EF & E-Series, SANtricity, and Related Plug-ins

E-Series (E2860) certificate CSR request

sanadmin_do
340 Views

Two of our E-Series certificates have expired. We would now like to have our internal CA issue two new ones. However, since September 2024, our colleagues at the CA have required CSR requests with a length of 4096 bits. Can the length of 4096 bits be set in the SANtricity environment? Or are the CSR requests always issued with 2048 bits?

1 ACCEPTED SOLUTION

ahmadm
298 Views

As of SANtricity OS 11.80.1, the E-Series generated CSR for management certificate uses a 3072 bit key. If 4096 is desired, then the CSR need to be generated externally (e.g Using openSSL).

 

As for SANtricity OS 11.80, the E-Series external key management service CSR generated by E-Series defaults to 3072 bits key. The default can be increased to 4096 bits if needed, but this change / method does not apply to the management certificate of E-Series Web-UI.

 

View solution in original post

6 REPLIES 6

ahmadm
299 Views

As of SANtricity OS 11.80.1, the E-Series generated CSR for management certificate uses a 3072 bit key. If 4096 is desired, then the CSR need to be generated externally (e.g Using openSSL).

 

As for SANtricity OS 11.80, the E-Series external key management service CSR generated by E-Series defaults to 3072 bits key. The default can be increased to 4096 bits if needed, but this change / method does not apply to the management certificate of E-Series Web-UI.

 

sanadmin_do
250 Views

Thanks for the information. I'm now trying to create the CSR request with the parameter "4096". But I always get the error message "Encountered "keySize" at line 1, column 201. Was expecting: "file" ...". I specified keySize="4096". According to the documentation, this is correct.

ahmadm
208 Views

I am not sure which utility you are using to generate the CSR, but below are the commands to generate the CSR and 4096 bits key using openssl. Once the CSR is signed by your CA, then you can upload the int/root certs, the signed server cert and the private key (generated below) into SANtricity System Manager.

 

  • openssl genpkey -algorithm RSA -out server_cert_private.key -pkeyopt rsa_keygen_bits:4096
  • openssl req -new -key server_cert_private.key -out server_cert_csr.csr

sanadmin_do
164 Views

ahmadm
133 Views

SANtricity OS 11.90 was released recently. This OS version supports 4096 bit key for the Web-UI management certificate.

The KeySize attribute in CLI applies only to 11.90 OS hence why you received an error when you tried to generate the certificate.

Once you upgrade to 11.90 OS, you can also create the CSR using the Web-UI. Screenshot attached.

 

Screenshot 2025-02-05 at 10.52.20 AM.png

 

sanadmin_do
108 Views

Thank you for your information.  One of the E-Series was upgraded on monday. The second E2860 is going to be upgraded in the next days. So we will complete the CSR Request when both E2860 are running OS 11.90.

Public