Solved: Re: E-Series (E2860) certificate CSR request

sanadmin_do

Two of our E-Series certificates have expired. We would now like to have our internal CA issue two new ones. However, since September 2024, our colleagues at the CA have required CSR requests with a length of 4096 bits. Can the length of 4096 bits be set in the SANtricity environment? Or are the CSR requests always issued with 2048 bits?

ahmadm

As of SANtricity OS 11.80.1, the E-Series generated CSR for management certificate uses a 3072 bit key. If 4096 is desired, then the CSR need to be generated externally (e.g Using openSSL).

As for SANtricity OS 11.80, the E-Series external key management service CSR generated by E-Series defaults to 3072 bits key. The default can be increased to 4096 bits if needed, but this change / method does not apply to the management certificate of E-Series Web-UI.

View solution in original post

ahmadm

As of SANtricity OS 11.80.1, the E-Series generated CSR for management certificate uses a 3072 bit key. If 4096 is desired, then the CSR need to be generated externally (e.g Using openSSL).

As for SANtricity OS 11.80, the E-Series external key management service CSR generated by E-Series defaults to 3072 bits key. The default can be increased to 4096 bits if needed, but this change / method does not apply to the management certificate of E-Series Web-UI.

sanadmin_do

Thanks for the information. I'm now trying to create the CSR request with the parameter "4096". But I always get the error message "Encountered "keySize" at line 1, column 201. Was expecting: "file" ...". I specified keySize="4096". According to the documentation, this is correct.

ahmadm

I am not sure which utility you are using to generate the CSR, but below are the commands to generate the CSR and 4096 bits key using openssl. Once the CSR is signed by your CA, then you can upload the int/root certs, the signed server cert and the private key (generated below) into SANtricity System Manager.

openssl genpkey -algorithm RSA -out server_cert_private.key -pkeyopt rsa_keygen_bits:4096
openssl req -new -key server_cert_private.key -out server_cert_csr.csr

sanadmin_do

I used this commads:

Generate web server Certificate Signing Request (CSR)

ahmadm

SANtricity OS 11.90 was released recently. This OS version supports 4096 bit key for the Web-UI management certificate.

The KeySize attribute in CLI applies only to 11.90 OS hence why you received an error when you tried to generate the certificate.

Once you upgrade to 11.90 OS, you can also create the CSR using the Web-UI. Screenshot attached.

sanadmin_do

We have received the CER files (for Controller A and B) from our CA. When we try to install them using "Import CA Certificates", we get the message: "Failed to import array management server certificate on Controller B because: Unable to find valid certification path for certificate. (Web Server 422)".

We use Controller A and Controller B Management Server Certificates

sanadmin_do

Thank you for your information. One of the E-Series was upgraded on monday. The second E2860 is going to be upgraded in the next days. So we will complete the CSR Request when both E2860 are running OS 11.90.

ahmadm

You must include the root/intermediate CA certificates when uploading the controllers' server certificate.

The message indicates the web server is unable to find the complete chain for the signed certificate which would mean the root, intermediate or both are missing with the upload.

sanadmin_do

Thank you, now it works.