How to upload a custom CA signed SSL Certificate for Communication between Client Browser and TGC

Applies To

Product(s): Tintri Global Center (TGC)

Version(s): 3.0, 3.5 (and later)

Bug(s): N/A

Description

 

From version 3.0 onwards, Tintri Global Center (TGC) allows the self-signed SSL certificate to be replaced with a Certificate Authority (CA) signed SSL certificate.

 

The Tintri Global Center System Administration Manual has the following details on Configuring Host Certificates. Certificates are supported in PEM (Privacy-Enhanced Electronic Mail) format, and can only be used in conjunction with Directory Services (TLS enabled). Only one host certificate can be uploaded. If an additional host certificate is uploaded, the previous host certificate will be replaced. When a custom host certificate is removed, the system default certificate is restored.

How-To

 

This solution provides further details on how to upload the CA signed SSL certificate, together with its private key, to replace the self-signed Host Certificate in TGC.

 

To upload a host certificate into TGC:

 

1. Click Certificates in the Settings display.

2. Click Upload and select the certificate from your local machine. Ensure that the private key and the certificate are both in PEM format and are contained in a single PEM file.

 

The content of the uploaded PEM file should look similar to the following, with the private key and the CA signed SSL certificate:

 

-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

 

3. Click Save.

4. Click OK on the question that pops up: "This will replace your existing host certificate. During this process (which might take a few minutes), the Tomcat server will be restarted and the UI will be temporarily unavailable. Do you want to continue?"

5. After a successful upload the TGC web server will restart.

6. Log back into TGC and go to the Certificates UI. The details of the new SSL certificate are displayed below the Host Certificate section. Only one host certificate can be uploaded. If an additional host certificate is uploaded, the previous host certificate will be replaced. When a custom host certificate is removed, the system default certificate is restored.

 

Note: TGC does not support a password-protected private key. The decrypted version of the key must be used for uploading into TGC.

 

For reference, the command to remove the password from the private key is:

[bash]$ openssl rsa -in <encrypted name>.key -out <unencrypted name>.key
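
A pre-upload check for the combined PEM file described in the steps above, as an added example that is not part of the original article or of Tintri's tooling. The function name `check_tgc_pem` is hypothetical; it assumes `openssl` and `grep` are on the PATH and that the first certificate in the file is the host certificate.

```bash
#!/usr/bin/env bash
# Added example: pre-upload sanity check for a TGC host certificate PEM file.
# check_tgc_pem is a hypothetical helper name; it needs only openssl and grep.
# Assumption: the first certificate in the file is the host certificate.

check_tgc_pem() {
    local pem="$1" nkeys ncerts key_pub cert_pub

    [ -r "$pem" ] || { echo "FAIL: cannot read $pem" >&2; return 1; }

    # TGC rejects password-protected keys. Catch both encrypted encodings:
    # PKCS#8 (BEGIN ENCRYPTED PRIVATE KEY) and traditional (Proc-Type header).
    if grep -Eq -e '-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$pem"; then
        echo "FAIL: private key is password protected; decrypt it first" >&2
        return 2
    fi

    # The key and the certificate must both be in this one file.
    nkeys=$(grep -Ec -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$pem" || true)
    ncerts=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem" || true)
    [ "$nkeys" -eq 1 ] || { echo "FAIL: expected 1 private key, found $nkeys" >&2; return 3; }
    [ "$ncerts" -ge 1 ] || { echo "FAIL: no certificate in file" >&2; return 4; }

    # Both blocks must parse, and the public key derived from the private key
    # must equal the public key embedded in the certificate.
    key_pub=$(openssl pkey -in "$pem" -passin pass: -pubout 2>/dev/null) \
        || { echo "FAIL: private key does not parse" >&2; return 5; }
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) \
        || { echo "FAIL: certificate does not parse" >&2; return 6; }
    [ "$key_pub" = "$cert_pub" ] \
        || { echo "FAIL: private key does not match certificate" >&2; return 7; }

    echo "OK: unencrypted key matches certificate ($ncerts certificate(s) in file)"
}

# Run the check when a file name is given on the command line.
if [ "$#" -gt 0 ]; then
    check_tgc_pem "$1"
fi
```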

 

 

See Also

 

With TGC 3.0 onwards, users can upload a CA signed certificate or certificate chain to replace the default host certificate:

 

  • Create a private key and a certificate signing request.

  • Create a self-signed CA root certificate and generate a host certificate signed by the CA root certificate based on the signing request.

Or, do the following:

  • Send the signing request to a trusted certificate authority (e.g. VeriSign) to obtain the host certificate.

  • Upload the private key and host certificate as described above.

 

For details on how to create a CA signed certificate, please refer to the following link: http://pages.cs.wisc.edu/~zmiller/ca-howto/

 

Example using the openssl utility to generate a new self-signed certificate, without a password, to replace the default host certificate:

 

[bash]$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes

Generating a 2048 bit RSA private key

 

..........................................................................................+++

................+++

writing new private key to 'key.pem'

-----

You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:

State or Province Name (full name) [Some-State]:

Locality Name (eg, city) []:

Organization Name (eg, company) [Internet Widgits Pty Ltd]:

Organizational Unit Name (eg, section) []:

Common Name (e.g. server FQDN or YOUR name) []:

Email Address []:

 

 

This KB replaced the KB in Backlog which is now marked to be deleted: https://knowledge.tintri.com/Internal/KB_Drafts_Backlog/How_to_upload_Custom_SSL_Certificate_for_Communication_between_Client_Browser_and_TGC
Posted 04:20, 28 Feb 2017
Initial review complete
Posted 05:17, 8 Mar 2017
Approved
Posted 17:38, 20 Mar 2017
Last modified
10:54, 22 Apr 2017
