让我们不要破坏信任—SSL证书—大多数您想知道的东西

  • 2020年2月17日
  • 0回答
  • 4088的浏览量
Alona
排名
Userlevel 6
徽章 +5
  • Alona Nutanix员工
  • Nutanix员工
  • 433回复

最后,决定用ca签名的证书替换自签名的证书?或者准备续借快过期的书,却不记得续借的过程?别担心,我们支持你。

替换SSL证书文件需要:

  1. 私钥-使用RSA 2048密钥类型生成的密钥,并使用SHA256哈希进行签名。我们还支持EC DSA 256bit和EC DSA 384 bit。然而,RSA 2048是最常用的密钥类型

  2. 公共证书——由证书颁发机构(CA)颁发。我们支持64base PEM格式的x509证书

  3. CA证书/链-颁发上述公共证书的CA的证书。如果颁发的CA是中间CA,我们还需要根CA证书。如果有多个中间CA,我们需要所有中间CA和根CA的证书

表1。推荐关键配置

密钥类型

尺寸/曲线

签名算法

RSA

2048

SHA256-with-RSAEncryption

EC DSA 256

prime256v1

ecdsa-with-sha256

EC DSA 384

secp384r1

ecdsa-with-sha384

EC DSA 521

secp521r1

ecdsa-with-sha512


现在来看看这个过程:

  1. 使用OpenSSL命令从CVM或Linux机器生成SSL密钥和CSR(证书签名请求)。

  2. 将CSR、Certificate Signing Request (server.csr)发送到组织中的CA授权机构,并获得CA为网站签署的公共证书以及CA的公共证书。如果CA是中间CA,则还需要根CA证书。

  3. 将上面的证书文件复制到CVM或您生成服务器的Linux机器上的相同位置。关键和服务器。步骤1中的CSR。
    由于Prism中只有一个字段可以上传CA证书/链文件,因此中间CA和根CA必须合并到一个文件中。确保链由正确的验证顺序的证书组成,因此最高权威的根CA是最后一个。

  4. 使用OpenSSL验证生成的证书
  5. 将上述每个步骤中生成的3个文件传输到可以访问Prism的桌面(例如,使用SCP),并将这些文件导入Prism。

生成或上传新证书后,接口网关将重启。但是,这不会影响运行在集群上的生产虚拟机,但会影响到Prism GUI的连通性。

有关命令和示例的详细说明,请参阅KB-4978 SSL证书上传故障处理- Prism中使用CA生成的证书替换自签名证书。

你可能还会发现:

KB-5191为Prism转换Windows SSL证书

安全指南:证书管理

Finally, decided to replace self-signed certificates with CA-signed ones? Or ready to renew nearly expired ones but are unable to remember the process? Don\u2019t you worry, we\u2019ve got your back.<\/span><\/p>

To replace the SSL certificate 3 files are required:<\/span><\/p>

  1. Private Key - key generated using RSA 2048 key type and signed using SHA256 hash. We also support EC DSA 256bit and EC DSA 384 bit. However, RSA 2048 is the most commonly used key type<\/span><\/p> <\/li>

  2. Public Certificate - Issued by a certificate authority (CA). We support x509 certificates in 64base encoded PEM format<\/span><\/p> <\/li>

  3. CA Certificate\/Chain - The certificate of the CA that issued a public certificate above. In case the issuing CA is intermediate CA we will also need the root CA certificate. If there are multiple intermediate CAs we need the certs for all the intermediate CAs along with the root CA<\/span><\/p> <\/li> <\/ol>

    \u00a0<\/p>

    Table 1. Recommended Key Configurations<\/span><\/strong><\/p>

    Key Type<\/strong><\/p> <\/td>

    Size\/Curve<\/strong><\/p> <\/td>

    Signature Algorithm<\/strong><\/p> <\/td> <\/tr>

    RSA<\/span><\/p> <\/td>

    2048<\/span><\/p> <\/td>

    SHA256-with-RSAEncryption<\/span><\/p> <\/td> <\/tr>

    EC DSA 256<\/span><\/p> <\/td>

    prime256v1<\/span><\/p> <\/td>

    ecdsa-with-sha256<\/span><\/p> <\/td> <\/tr>

    EC DSA 384<\/span><\/p> <\/td>

    secp384r1<\/span><\/p> <\/td>

    ecdsa-with-sha384<\/span><\/p> <\/td> <\/tr>

    EC DSA 521<\/span><\/p> <\/td>

    secp521r1<\/span><\/p> <\/td>

    ecdsa-with-sha512<\/span><\/p> <\/td> <\/tr><\/tbody><\/table>


    \u00a0<\/p>

    Now onto the process:<\/span><\/p>

    1. Generate the SSL key and CSR (certificate signing request) using the OpenSSL command from a CVM or a Linux box.<\/span><\/p> <\/li>

    2. Send the CSR, Certificate Signing Request (server.csr) to the CA authority in the organization and obtain a CA-signed public certificate for the website along with the CA's public certificate. Where the CA is intermediate then a root CA certificate will also be required.<\/span><\/p> <\/li>

    3. Copy over the certificate files above to the same location on the CVM or a Linux box where you generated your server.key and server.csr in step 1.<\/span>
      Since there is only one field in Prism to upload the CA Certificate \/Chain file, Intermediate and root CA must be merged into one file. Make sure that the chain is comprised of certificates in the correct order of validation so the highest authority which is root CA is the last.\u00a0<\/span><\/p> <\/li>

    4. Verify generated certificate with OpenSSL<\/span>.<\/li>
    5. Transfer the 3 files that are generated during each of the steps above to a desktop with access to the Prism (using SCP for example) and import the files to Prism.\u00a0<\/span><\/li> <\/ol>

      After generating or uploading the new certificate, the interface gateway restarts. This, however, does not impact production VMs running on the cluster but will impact connectivity to the Prism GUI.<\/p>

      For detailed instructions with commands and examples please refer to <\/span>KB-4978 SSL Certificate Upload Troubleshooting - Replacing self-signed certificates with CA generated certificates in Prism.<\/u><\/a><\/p>

      \u00a0<\/p>

      You might also find useful:<\/span><\/p>

      KB-5191 Converting a Windows SSL Certificate for Prism<\/u><\/a><\/p>

      Security Guide: Certificate Management<\/u><\/a><\/p>","quoteUsername":"Alona","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">

      本主题已关闭供评论
      Baidu