HPE Storage Users Group
https://3parug.com/

Re-issue Self Signed Cert Quick Question
https://3parug.com/viewtopic.php?f=18&t=2862

Author:  jbguy [ Tue Apr 24, 2018 10:13 am ]
Post subject:  Re-issue Self Signed Cert Quick Question

Good afternoon all. A month or so back someone here needed to reissue a self signed cert on the 3PAR. I was curious and checked mine and 2 of the 3 units we have need this done by June. I am set to do it but want to make sure it won't hose anything. We currently use Remote copy and I want to be totally sure redoing the cert won't mess with the existing relationships.

Anyone who has ever done this can confirm there are no issues one would run into by reissuing the cert?


Here is what I will use for the work:

Get the common name of the certs:
showcert

For each expired cert renew them (example is for renewing the unified-server):
createcert unified-server -selfsigned -CN "<CERT CN>"

Thanks.

Author:  ailean [ Tue Apr 24, 2018 10:41 am ]
Post subject:  Re: Re-issue Self Signed Cert Quick Question

Did one this week, the only issue I had was with SSMC, didn't seem to see the new cert until I rebooted the SSMC server (probably a service restart would also work) and then had to accept the new cert in the SSMC admin console (had this with both 3.1 and 3.3).

SSH via putty and Service Processor connections didn't seem to care about either expired cert or new one. That's the only other IP things talking to it, we use RCFC.

I just used;

createcert unified-server -selfsigned

It picked up the same common name as was shown in showcert and asked to confirm I think.

Author:  jbguy [ Tue Apr 24, 2018 12:41 pm ]
Post subject:  Re: Re-issue Self Signed Cert Quick Question

ailean wrote:
Did one this week, the only issue I had was with SSMC, didn't seem to see the new cert until I rebooted the SSMC server (probably a service restart would also work) and then had to accept the new cert in the SSMC admin console (had this with both 3.1 and 3.3).

SSH via putty and Service Processor connections didn't seem to care about either expired cert or new one. That's the only other IP things talking to it, we use RCFC.

I just used;

createcert unified-server -selfsigned

It picked up the same common name as was shown in showcert and asked to confirm I think.


Awesome. Thanks for the information. That will be helpful.

Author:  MammaGutt [ Tue Apr 24, 2018 1:28 pm ]
Post subject:  Re: Re-issue Self Signed Cert Quick Question

It's been a while since I did it, but I think you also could just log in to the admin console of SSMC and do "reconnect" or something.

Author:  ailean [ Wed Apr 25, 2018 6:04 am ]
Post subject:  Re: Re-issue Self Signed Cert Quick Question

MammaGutt wrote:
It's been a while since I did it, but I think you also could just log in to the admin console of SSMC and do "reconnect" or something.

You can if it's just disconnected but if it thinks the cert is expired you have to accept the cert before it'll try connection. It won't allow you to accept an expired cert and after several attempts to make it refresh the cert check on two SSMC servers I gave up and just rebooted one (had actual work to do, darn it :) ).

Only other option I think I could have done from the admin console would be to remove the array and add it again, presumably it would then check the cert.

3.3 I think also had a cert manager option, I did try going into that and removing the expired cert (in the hope that it would then check the array again) but that didn't help.

Annoyingly, SSMC being the only thing that took offence at the cert being expired, there doesn't appear to be any server health dashboard warnings regarding upcoming cert expiries. :roll:

Author:  jbguy [ Wed Apr 25, 2018 10:57 am ]
Post subject:  Re: Re-issue Self Signed Cert Quick Question

Thanks for all the info everyone. I went ahead and refreshed these this morning. Easy as can be.

Author:  steebnek [ Tue Sep 24, 2019 9:18 am ]
Post subject:  Re: Re-issue Self Signed Cert Quick Question

I read this forum which helped me out of a hard spot and I wanted to give back a little. The self-signed cert expired, locking me out of the SSMC 3.2.

Below is my experience creating a selfsigned cert for a 3PAR SS 8400. I didn't assign a common name with -CN but went back later and changed it to the proper name we used before.

-CN is case sensitive and no <> around the name needed

cli% createcert unified-server -selfsigned -CN name_without_spaces

After I changed it I had to go to the SSMC 3.2 Administrator console to remove and re-add the system so I could access the SSMC again.


NAME-3PRp cli% createcert unified-server -selfsigned
No host name was specfied with -CN; Is the hostname hostname.domain.net correct? y
Please type "yes" or "no": yes
The following services will be restarted if currently running:
cim: manages communications with SMI-S clients

wsapi: Web Services API server

Continue creating self-signed certificate (yes/no)? yes
Self-signed certificate created.
cimserver restarted
The Web Services API server stopped successfully.

The Web Services API Server will start shortly.

NAME-3PRp cli% showcert
Service         Commonname          Type Enddate                  Fingerprint
unified-server* hostname.domain.net cert Sep 22 20:09:45 2022 GMT 789678967896789679
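
Earlier in the thread it is noted that nothing warned about the upcoming expiry. As an added example (not part of any post here, and not HPE code), this Python script parses captured showcert output and flags certificates that are expired or inside a warning window. It assumes the column layout shown in the output above; the sample rows, the function names parse_showcert and expiring, and the 60-day window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the showcert output quoted in this thread;
# the wsapi row and its values are made up for the example.
SAMPLE = """\
Service         Commonname          Type Enddate                  Fingerprint
unified-server* hostname.domain.net cert Sep 22 20:09:45 2022 GMT 789678967896789679
wsapi           array2.example.net  cert Jun  3 08:00:00 2018 GMT 0123456789abcdef
"""

# One data row: service (optional trailing *), CN, type, end date in GMT, fingerprint.
ROW = re.compile(
    r"^(?P<service>\S+?)\*?\s+(?P<cn>\S+)\s+(?P<type>\S+)\s+"
    r"(?P<end>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s+GMT\s+"
    r"(?P<fp>\S+)$"
)

def parse_showcert(text):
    """Return one dict per certificate row; header and unknown lines are skipped."""
    certs = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        end = datetime.strptime(" ".join(m["end"].split()), "%b %d %H:%M:%S %Y")
        certs.append({"service": m["service"], "cn": m["cn"], "type": m["type"],
                      "enddate": end.replace(tzinfo=timezone.utc),
                      "fingerprint": m["fp"]})
    return certs

def expiring(certs, now, warn_days=60):
    """Return (status, days_left, cert) for expired or soon-to-expire certs, soonest first."""
    flagged = []
    for cert in certs:
        left = cert["enddate"] - now
        if left <= timedelta(0):
            flagged.append(("EXPIRED", left.days, cert))
        elif left <= timedelta(days=warn_days):
            flagged.append(("EXPIRING", left.days, cert))
    return sorted(flagged, key=lambda row: row[1])

if __name__ == "__main__":
    for status, days, cert in expiring(parse_showcert(SAMPLE), datetime.now(timezone.utc)):
        print(f"{status:8} {cert['service']:15} {cert['cn']:22} {days:6d} days")
```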

Author:  dardan [ Sun Jan 12, 2020 7:35 am ]
Post subject:  Re: Re-issue Self Signed Cert Quick Question

If anybody is considering implementing CA signed certificates on 3PAR / Primera, I've created a step-by-step procedure: https://storcom.com/implementing-ca-cer ... imera-gui/
The unified-server certificate establishes a common connection among cli, wsapi and cim.

All times are UTC - 5 hours