
Configuring a custom server certificate

If you want to use a single server certificate for all grid nodes in your StorageGRID Webscale system, you need to configure a custom server certificate.

About this task

When a client application establishes a Transport Layer Security (TLS) session to the StorageGRID Webscale system, the target LDR service on the Storage Node sends a server certificate to the client application. By default, each Storage Node identifies itself by using a separate certificate that is signed by the system Certificate Authority (CA). Rather than use separate server certificates, you can choose to use a single server certificate supplied by you for all Storage Nodes. This provides flexibility in enabling support for certificate hostname verification.

Only RSA custom server certificates are supported.

The certificate and private key should be entered in PEM format.

You can choose to use the wildcard certificate format: for example, *.storagegrid.mycompany.com. In this case, API Gateway Nodes and Storage Nodes must have DNS entries that map their IP addresses to host names that match the wildcards: for example, dc1-gw1.storagegrid.mycompany.com and dc2-s3.storagegrid.mycompany.com. Client applications are then configured to connect to the system using these DNS names, which enables host name verification.

Steps

  1. In the NMS MI, select Grid Management > Grid Configuration > Configuration > Main.
  2. In the Custom Server Certificate box inside the API Server Certificates section, copy and paste the server certificate, including the -----BEGIN CERTIFICATE----- and the -----END CERTIFICATE----- encapsulation boundaries.

    (Screenshot: API Server certificate request)
  3. In the Custom Private Key box, copy and paste the corresponding private key, including the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- encapsulation boundaries.

    This must be an unencrypted private key.

  4. Click Apply Changes.

    The private key becomes obscured.

  5. Click Overview to see the custom certificate on the Overview page.
    Note: The CA Certificate box on the Overview page displays the default generated server certificate.
  6. If a custom server certificate is issued by one or more intermediate CAs, you must also enter the certificates of all intermediate CAs within Grid Management > HTTP Management > Certificates > Certificate Authorities > Configuration > Main.

    For details about HTTP management, see the Administrator Guide.
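Before pasting material into the NMS MI boxes above, it is worth checking offline that it meets the constraints this task states: PEM encoding with the named encapsulation boundaries, an RSA key rather than EC or PKCS#8, an unencrypted key (no legacy Proc-Type/DEK-Info headers and no ENCRYPTED PRIVATE KEY block), a single server certificate in the certificate box with intermediates kept for the Certificate Authorities page, and, for the wildcard case from the task description, a DNS name that the wildcard actually covers. The following script is an added example for this page, not StorageGRID code or part of the NMS MI; the function names and the PEM blocks it builds from placeholder bytes are constructed for illustration and are not real certificates or keys. It uses only the Python standard library, so it cannot confirm that the key matches the certificate; use openssl or a crypto library for that step.

```python
"""Pre-flight checks for the Custom Server Certificate and Custom Private Key
boxes, plus wildcard hostname matching for the DNS names clients will use."""
import base64
import re

CERT_LABEL = "CERTIFICATE"
RSA_KEY_LABEL = "RSA PRIVATE KEY"

# One PEM block: BEGIN/END boundaries with matching labels, body in between.
_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def parse_pem(text):
    """Return [(label, headers, der_bytes)] for every PEM block in text.
    Legacy OpenSSL headers such as 'Proc-Type: 4,ENCRYPTED' are captured in
    headers. Raises ValueError if a body is not valid base64."""
    blocks = []
    for m in _PEM_RE.finditer(text):
        lines = m.group("body").splitlines()
        headers = {}
        while lines and ":" in lines[0]:          # base64 never contains ':'
            key, _, value = lines[0].partition(":")
            headers[key.strip()] = value.strip()
            lines.pop(0)
        if lines and lines[0] == "":              # blank line ends the headers
            lines.pop(0)
        try:
            der = base64.b64decode("".join(lines), validate=True)
        except ValueError as exc:
            raise ValueError(f"{m.group('label')}: body is not valid base64") from exc
        blocks.append((m.group("label"), headers, der))
    return blocks


def check_server_cert(text):
    """Findings for the certificate box: exactly one CERTIFICATE block.
    Intermediate CA certificates belong under Certificate Authorities (step 6)."""
    findings = []
    blocks = parse_pem(text)
    certs = [b for b in blocks if b[0] == CERT_LABEL]
    if not certs:
        findings.append("no -----BEGIN CERTIFICATE----- block found")
    elif len(certs) > 1:
        findings.append(f"{len(certs)} certificates pasted; intermediates go under Certificate Authorities")
    if any(b[0] != CERT_LABEL for b in blocks):
        findings.append("non-certificate PEM block in the certificate box (was the key pasted here?)")
    return findings


def check_private_key(text):
    """Findings for the key box: one unencrypted RSA PRIVATE KEY block."""
    findings = []
    blocks = parse_pem(text)
    if len(blocks) != 1:
        return [f"expected exactly one PEM block, found {len(blocks)}"]
    label, headers, _der = blocks[0]
    if label == "ENCRYPTED PRIVATE KEY":
        findings.append("PKCS#8 encrypted key; the key must be unencrypted")
    elif label == "EC PRIVATE KEY":
        findings.append("EC key; only RSA custom server certificates are supported")
    elif label == "PRIVATE KEY":
        findings.append("PKCS#8 'PRIVATE KEY' block; step 3 expects the RSA PRIVATE KEY boundaries")
    elif label != RSA_KEY_LABEL:
        findings.append(f"unexpected PEM label {label!r}")
    if headers.get("Proc-Type", "").endswith("ENCRYPTED") or "DEK-Info" in headers:
        findings.append("legacy OpenSSL encrypted key (Proc-Type/DEK-Info header); decrypt it first")
    return findings


def hostname_matches(pattern, hostname):
    """Conservative wildcard match: '*' is only accepted as the whole leftmost
    label, matches exactly one label, and needs at least two labels to its
    right. *.storagegrid.mycompany.com covers dc1-gw1.storagegrid.mycompany.com
    but not storagegrid.mycompany.com or a.b.storagegrid.mycompany.com."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" in pattern and (p[0] != "*" or "*" in p[1:] or len(p) < 3):
        return False
    if len(p) != len(h):
        return False
    return all(pl == "*" and hl or pl == hl for pl, hl in zip(p, h))


def _constructed_block(label, header_lines=()):
    """Syntactically valid PEM around placeholder bytes: constructed test
    material for this example, not a real certificate or key."""
    body = base64.b64encode(b"placeholder DER bytes for the example").decode()
    head = "".join(line + "\n" for line in header_lines)
    if header_lines:
        head += "\n"
    return f"-----BEGIN {label}-----\n{head}{body}\n-----END {label}-----\n"


SAMPLE_CERT = _constructed_block("CERTIFICATE")
SAMPLE_RSA_KEY = _constructed_block("RSA PRIVATE KEY")
SAMPLE_ENCRYPTED_KEY = _constructed_block(
    "RSA PRIVATE KEY",
    ["Proc-Type: 4,ENCRYPTED", "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF"],
)

if __name__ == "__main__":
    print("cert box:", check_server_cert(SAMPLE_CERT) or "ok")
    print("key box:", check_private_key(SAMPLE_RSA_KEY) or "ok")
    print("encrypted key:", check_private_key(SAMPLE_ENCRYPTED_KEY))
    print(hostname_matches("*.storagegrid.mycompany.com", "dc1-gw1.storagegrid.mycompany.com"))
```

Run it against the real files (for example `check_server_cert(open("server.pem").read())`) before step 2, and use `hostname_matches` with your wildcard and each Gateway Node and Storage Node DNS name to confirm the names clients will connect to are covered; a name the wildcard does not match will fail hostname verification on the client even though the certificate itself is accepted by the grid.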

After you finish

If you configured a custom server certificate, then clients should verify using the root CA certificate that issued the custom server certificate. However, if you use the default certificate, then client applications should verify connections using the system certificate.