Security Enhancements in Active IQ Unified Manager 9.9 Part 1: Import a Remotely Generated CSR
Welcome to the first post in our series on the security enhancements in NetApp Active IQ Unified Manager 9.9, starting with how to import externally generated certificates. In previous versions of Active IQ Unified Manager, a default self-signed HTTPS certificate was generated during installation, and the product could generate a new key pair to replace it. You could export a certificate signing request (CSR) carrying the public key, have a certificate authority (CA) sign it, and import the signed certificate.
With Active IQ Unified Manager 9.9, you can also import a private key and certificate generated outside the product, for example with OpenSSL or HashiCorp Vault on another machine. In this post, we show how to create such a certificate with the OpenSSL toolkit and import it into Active IQ Unified Manager.
Create a self-signed certificate
To create a self-signed certificate, you first use the OpenSSL toolkit to generate an RSA private key and a certificate signing request (CSR), sign the CSR with the same key, and then assemble the key and certificate into the PEM file that you import into Active IQ Unified Manager. Let us go ahead and generate the private key and the CSR.
Step 1: Generate the private key
You use the OpenSSL toolkit to generate the private key by running the openssl genrsa command. Keep the resulting key file private; anyone who obtains it can impersonate the Active IQ Unified Manager server.
Step 2: Generate the CSR
Next, you create the CSR from that private key by running the openssl req -new command. OpenSSL prompts you for the Distinguished Name fields:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields, there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:
State or Province Name (full name) :
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) :
Common Name (eg, your name or your server's hostname) :10.195.64.59
Email Address :
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :
At this point, verify that the Common Name (CN) of the request is either the IP address or the fully qualified domain name (FQDN) of the Active IQ Unified Manager server, exactly as clients will address it, so that all features continue to work. A CN that does not match the address in use causes certificate validation warnings or failures in browsers and API clients.
After running the openssl req -new command, a CSR file named aiqum.csr is generated.
Step 3: Generate the self-signed certificate
Now that you have generated the private key and the CSR, create the self-signed certificate by signing the CSR with the same private key using the openssl x509 -req command:
subject=/C=XX/L=Default City/O=Default Company Ltd/CN=10.195.64.59
Getting Private key
After running the openssl x509 -req command, a self-signed certificate file named aiqum.crt is generated. Because the certificate is signed with its own key rather than by a CA, clients trust it only if you distribute it to them; for production use, submit the CSR to a CA instead and import the CA-signed certificate.
Step 4: Create the Privacy Enhanced Mail (PEM) file
To upload the self-signed certificate, the file must be in .pem format. In the PEM file, paste the private key first, then append the certificates in order from the end-entity (server) certificate up to the root, one after another. For a self-signed certificate, the chain is just the certificate itself. Because this file contains the private key, restrict its permissions and delete it from the workstation after the upload. Here are sample formats for creating a PEM file with an RSA and an ECC key pair.
Here is a sample format for loading a certificate with an RSA key pair:
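The four steps above, run end to end and checked before upload, as an added example; this is not code from the NetApp post or from the product. It assumes the Unified Manager address 10.195.64.59 and the file names aiqum.key, aiqum.csr, aiqum.crt and aiqum.pem from the post, passes the DN with -subj instead of answering the prompts, and adds a subjectAltName extension (not part of the post's procedure) because TLS clients match the server name against the SAN rather than the CN. It needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the NetApp post): generate key, CSR and self-signed
# certificate with OpenSSL, assemble the PEM bundle Unified Manager expects,
# and verify the result. Assumptions: host 10.195.64.59 by default, file
# names from the post, SAN added here (the post only sets the CN).
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

# Steps 1-4: build key, CSR, certificate and PEM bundle in directory $1
# for the Unified Manager host $2 (IPv4 address or FQDN).
make_aiqum_pem() {
    dir="$1"; host="$2"
    # SAN type follows what the CN holds: IPv4 address or DNS name.
    case "$host" in
        *[!0-9.]*) san="DNS:$host" ;;
        *)         san="IP:$host"  ;;
    esac
    (
        cd "$dir"
        # Step 1: 2048-bit RSA private key, readable only by the owner.
        openssl genrsa -out aiqum.key 2048 2>/dev/null
        chmod 600 aiqum.key
        # Step 2: CSR signed with that key. -subj supplies the DN shown in
        # the post instead of answering the prompts; CN is the UM address.
        openssl req -new -sha256 -key aiqum.key -out aiqum.csr \
            -subj "/C=XX/L=Default City/O=Default Company Ltd/CN=$host"
        # Step 3: self-sign the CSR with the same key. The SAN is supplied via
        # -extfile because x509 -req does not copy CSR extensions on every
        # OpenSSL version.
        printf 'subjectAltName=%s\n' "$san" > san.ext
        openssl x509 -req -days 365 -sha256 -in aiqum.csr -signkey aiqum.key \
            -extfile san.ext -out aiqum.crt 2>/dev/null
        # Step 4: PEM bundle in the order UM expects: private key first, then
        # the certificate (a CA-signed chain would continue with the
        # intermediates and the root, in that order).
        cat aiqum.key aiqum.crt > aiqum.pem
        chmod 600 aiqum.pem
    )
}

# Returns 0 when the certificate's public key belongs to the private key.
check_pair() {
    k=$(openssl pkey -in "$1/aiqum.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$1/aiqum.crt" -noout -pubkey)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Returns 0 when the certificate names host $2 in both CN and SAN.
check_names() {
    openssl x509 -in "$1/aiqum.crt" -noout -subject | grep -q "CN *= *$2\$" &&
    openssl x509 -in "$1/aiqum.crt" -noout -ext subjectAltName | grep -q "$2"
}

# Returns 0 when the bundle $1 starts with the private key and carries at
# least one certificate after it, which is what the upload expects.
check_pem_layout() {
    head -n 1 "$1" | grep -q 'BEGIN .*PRIVATE KEY' &&
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")" -ge 1 ]
}

# Run everything for the given host (default: the address from the post).
main() {
    host="${1:-10.195.64.59}"
    work=$(mktemp -d)
    make_aiqum_pem "$work" "$host"
    check_pair "$work" && check_names "$work" "$host" &&
        check_pem_layout "$work/aiqum.pem" &&
        echo "$work/aiqum.pem is ready to upload for $host"
}

main "$@"
```

Run it as `sh make_aiqum_pem.sh aiqum.example.com` to use an FQDN instead of the IP address; the checks confirm that the key and certificate belong together, that the CN and SAN carry the address clients will use, and that the bundle has the private key first, before the file is uploaded. The bundle contains the private key, so keep the 0600 permissions and delete it once the import has succeeded.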