Manage Appliance Certificates


Manage the Appliance Web Certificate

By default, the appliance ships with an X.509 PEM certificate signed and issued by Panzura. This certificate is used when you navigate to the filer URL.

 

Follow the steps below to change the default web certificate on your appliance to one that is signed and trusted by your organisation.

 

1. From the Panzura Management Console, navigate to Configuration > Encryption Settings > Web Certificate Settings.

 

 

2. Select No Custom Certificate > Choose File.

 

3. Browse to your X.509 certificate file. Once chosen, select Upload > Activate.

 

4. Your custom certificate will be activated and you should now reload your appliance console.


Manage the Appliance Data Encryption Certificate

By default, the appliance ships with a P12 encryption certificate signed and issued by Panzura. This certificate is used to encrypt/decrypt data sent to the cloud.

 

The following rules apply to data encryption management:

  • Multiple encryption certificates can be loaded at once, but only one certificate can be active at one time.
  • The active certificate is used to encrypt data uploaded to the cloud. Any inactive certificates are used to decrypt the data that was previously encrypted using them.
  • All filers within the CloudFS must use the same encryption certificate to operate correctly.
  • You cannot delete an encryption certificate if it has been previously activated.
  • Expiry dates on data encryption certificates are not evaluated when used on the filer. For example, the filer will still be able to use an expired certificate to encrypt/decrypt data, with no issues.

 

Recommended Approach
CCL highly recommends that all clients:
- Create and configure their own data encryption certificate before uploading any data. This is to ensure all data is encrypted with a unique certificate.
- Generate a custom data encryption certificate, activate it on the filer, and store it somewhere very secure before uploading data to the filer.

- Most clients can use a single certificate for encryption and decryption of data. The exceptions are specific circumstances, for example if a data encryption certificate is leaked or strict certificate rotation policies are in place.

Steps

Follow these steps to upload a new data encryption certificate:

 

1. From the Panzura Management Console, select Configuration > Encryption Settings > Encryption Settings.

 

 

2. Click Add > Choose File to browse for your encryption certificate. This must be either PKCS12 or PFX format.

 

 

3. Input all of the required information, including a name for the certificate and the decryption passphrase.

 

4. Once you have entered the correct information and attached the certificate, click Add.

 

5. You can now go back to Encryption Settings, select your new certificate and click Activate.

 

6. Your new certificate will be activated and can be used to encrypt any new data uploads.


Generate Self-Signed Certificates

Follow the steps below to generate a basic self-signed certificate to use on your appliance. There are two options, a web certificate and an encryption certificate, each covered below.

 

For additional information on generating and configuring web and encryption certificates on a Panzura Filer, see the Panzura Administration Guide.


Generate a Basic Self-Signed Web Certificate

These instructions assume you already have openssl installed.

 

1. Open a command-prompt or terminal window.

 

2. Run the following openssl command:

 

user@linux_machine:~/certificates$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mykey.pem -out mykey.pem
 

3. Enter the information requested by openssl. You can leave these details blank.

 

..................................................................................................................+++++
...............................................+++++
writing new private key to 'mykey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NZ
State or Province Name (full name) [Some-State]:Canterbury
Locality Name (eg, city) []:Christchurch
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Local Company
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:filer.mycompany.co.nz
Email Address []:admin@mycompany.co.nz
 

4. You should now be able to upload the certificate to your appliance.


Generate a Basic Self-Signed Encryption Certificate

Note: These instructions assume you already have openssl installed.

 

1. Open a command-prompt or terminal window.

 

2. Run the following openssl command to generate a private key:

 

user@linux_machine:~/certificates$ openssl genrsa -des3 -out mykey.key 2048

3. Enter the passphrase you would like to use for your key (recommended):

 

Generating RSA private key, 2048 bit long modulus (2 primes)
...........+++++
..............................+++++
e is 65537 (0x010001)
Enter pass phrase for mykey.key:
Verifying - Enter pass phrase for mykey.key:
 

4. Run the following openssl command to generate a new self-signed certificate using your new private key:

 

user@linux_machine:~/certificates$ openssl req -new -x509 -out mykey.crt -key mykey.key


5. Enter the pass phrase to the private key you just created.

 

Enter pass phrase for mykey.key:

 

6. Enter the additional information when prompted (this can be left blank):

 

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NZ
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

 

7. Run the following openssl command to bundle your new certificate and private key into a p12 certificate:

 

user@linux_machine:~/certificates$ openssl pkcs12 -export -in mykey.crt -inkey mykey.key -out mykey.p12 -name "my new key"

 

8. Enter the passphrase for your private key:


Enter pass phrase for mykey.key:

 

9. Enter an export password:

 

Enter Export Password:
Verifying - Enter Export Password:
 

10. You should now be able to upload the certificate to your appliance.
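
Before uploading, it is worth confirming that the P12 bundle opens with the export password, that its private key matches its certificate, and what its fingerprint is, so the same certificate can be confirmed on every filer in the CloudFS. The script below is an added example, not part of the original instructions or of any Panzura tooling; the function name p12_check and the P12_PASS environment variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-upload check for a PKCS12/PFX data encryption certificate.
# The export password is read from the P12_PASS environment variable (an
# assumption of this example) so it never appears on the command line.

# p12_check FILE [EXPECTED_SHA256_FINGERPRINT]
# Prints the certificate's SHA-256 fingerprint on success.
# Returns 1: bundle unreadable or wrong password
#         2: certificate or private key missing, or they do not match
#         3: fingerprint differs from the expected one
p12_check() {
    p12=$1
    expected=${2:-}

    # Both extractions fail on a wrong password or a file that is not PKCS12.
    cert=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null) || return 1
    key=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes 2>/dev/null) || return 1

    # The decrypted key stays in a shell variable; it is never written to disk.
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] || return 2

    # Fingerprint to record alongside the stored certificate and to compare
    # against the certificate in use on the other filers.
    fp=$(printf '%s\n' "$cert" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2)
    if [ -n "$expected" ] && [ "$fp" != "$expected" ]; then
        return 3
    fi
    printf '%s\n' "$fp"
}

# When run as a script: P12_PASS=... sh p12_check.sh mykey.p12 [FINGERPRINT]
if [ "$#" -gt 0 ]; then
    p12_check "$@"
fi
```

Record the printed fingerprint with the securely stored copy of the certificate; passing it as the second argument on a later run confirms that a given P12 file is the same certificate.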


 

 

 

 

 

 

 
