By default, the EMC Unity uses self-signed certificates for its management portal and various other connectivity (e.g. vCenter)
This generally results in certificate errors when accessing the web UI (as the certificate is untrusted).
To upload your own certificates,
1) Generate the certificates. Ensure you have the following Base-64 files available (example company names have been used, replace these names with the appropriate FQDN of your storage)
- fqdn.company.com.pk (Private Key file)
- fqdn.company.com.crt (Signed Certificate file)
2) use the CLI. Login as 'service' user (using the administrator account).
[user@localhost ~]$ ssh -l service emcunity
The authenticity of host 'emcunity (192.168.0.1)' can't be established.
RSA key fingerprint is SHA256:fPWth36tCDh+-r6e555+D4H43a44Iy4F4YMNfABCDefg.
RSA key fingerprint is MD5:8d:43:00:d3:ad:b3:3f:fg:62:2h:55:11:28:1e:aa:22.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'emcunity,192.168.0.1' (RSA) to the list of known hosts.
Welcome to EMC Unity
Password:
22:35:09 service@(none) spb:~>
3) Create two files in the current directory (homedir of 'service' user), place the contents of the Private Key in the fqdn.company.com.pk file and the contents of the signed certificate in the fqdn.company.com.crt file
22:37:29 service@(none) spb:~> vim fqdn.company.com.pk
22:38:00 service@(none) spb:~> vim fqdn.company.com.crt
- Note - only one certificate is supported, do not include the certificate chain (as this will result in errors when configuring the web service certificates), such as
4) Apply the new certificate
22:41:26 service@(none) spb:~> svc_custom_cert fqdn.company.com fqdn.company.com
Successfully installed custom certificate files.
Restarting web server ...
Common Errors
Certificate Chain not supported
If you include the certificate chain in the .crt file, it returns with an error about not supporting multiple certificates (I didn't capture the error unfortunately). Only include the Unity certificate.
Only relative pathnames supported
If you store the certs anywhere except the current directory ('service' account's homedir), it will be unable to open/copy the files. The utility only supports relative pathnames
22:40:45 service@(none) spb:~> svc_custom_cert /tmp/fqdn.company.com.pk /tmp/fqdn.company.com.crt
cp: cannot stat '/tmp/fqdn.company.optiver.com.pk.pk': No such file or directory
cp: cannot stat '/tmp/fqdn.company.optiver.com.pk.crt': No such file or directory
Don't specify file extensions
If you specify a filename extension, it fails. The utility only supports the filename without the extension- this seems more of a bug rather than a feature...
22:39:13 service@(none) spb:~> svc_custom_cert fqdn.company.com.pk fqdn.company.com.crt
cp: cannot stat '/home/service/fqdn.company.com.pk.pk': No such file or directory
cp: cannot stat '/home/service/fqdn.company.com.pk.crt': No such file or directory