Custom Object Gateway SSl/TLS Certificate: Difference between revisions
mNo edit summary |
m Qadmin moved page Custom S3 SSl/TLS Certificate to Custom Object Gateway SSl/TLS Certificate |
||
| (16 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
When configuring QuantaStor scale-out clusters with an object storage zone it is important to setup a SSL/TLS | When configuring QuantaStor scale-out clusters with an object storage zone it is important to setup a SSL/TLS certificate to associate with the S3 gateway (CephRGW) so that clients connecting are able to validate the certificate against either an internal or public certificate authority (CA). This article goes into the procedure for making a SSL certificate using OpenSSL. In the configuration of the openssl setting one will set a series of 'Alt Names' or 'Subject Alt Names' which identifies all the FQDNs for all the ports on all the QuantaStor systems that make up the cluster and any floating cluster wide FQDNs that my be used to access the S3 gateways as well as any IP addresses used to access the S3 gateways. If you are pre-planning a deployment we highly recommend gather this information and generating the certificates ahead of time. | ||
== S3 Certificate CSR generation and signing using Windows AD/Certificate Authority == | |||
=== Prepare Certs Directory === | |||
Start by creating a empty directory to store the certificates to be generated. | |||
<pre> | <pre> | ||
mkdir s3_adtest_osnexus_net_crt | mkdir s3_adtest_osnexus_net_crt | ||
cd s3_adtest_osnexus_net_crt | cd s3_adtest_osnexus_net_crt | ||
</pre> | </pre> | ||
create a file named openssl.cnf that contains the proper values for your site, and the Subject Alt Names you wish to have match | === Create OpenSSL Configuration File === | ||
Next create a file named openssl.cnf that contains the proper values for your site, and the '''Subject Alt Names''' you wish to have match FQDN to IP mappings in your DNS. Here's an example openssl configuration file (save as openssl.cnf), you can start with this one and edit the values to match your organization. Be sure to change all the values under '''[ alt_names ]''' and under '''[ req_distinguished_name ]''' to match the settings for your organization : | |||
<pre> | <pre> | ||
[ req ] | [ req ] | ||
default_bits = 2048 | default_bits = 2048 | ||
| Line 50: | Line 53: | ||
</pre> | </pre> | ||
generate a server key | === Generate Server Key === | ||
This will generate a new server key we'll use to make a CSR from in the next step. | |||
<pre> | <pre> | ||
| Line 56: | Line 61: | ||
</pre> | </pre> | ||
generate a | === Generate Certificate Signing Request (CSR) === | ||
Here we use the server key with the openssl.cnf configuration file to generate a CSR: | |||
<pre> | <pre> | ||
| Line 62: | Line 69: | ||
</pre> | </pre> | ||
review the CSR | === Verify / Validate CSR === | ||
Next review the generated CSR to ensure it accurately contains the correct settings: | |||
<pre> | <pre> | ||
| Line 68: | Line 76: | ||
</pre> | </pre> | ||
=== Submit CSR to Certificate Authority === | |||
for Windows AD/Certificate Authority, install and deploy the | Next take the CSR and submit it to your Certificate Authority. Refer to the Certificate Authorities documentation for signing the CSR and generating a server cert and CA chain. For Windows AD/Certificate Authority, install and deploy the Windows Certificate Authority role with the Certificate Authority web portal options. This should give you a new path to submit CSRs to under http://<AD Server IP>/certsrv | ||
Follow the onscreen prompts on the Windows Active Directory (AD) Certificate Authority page to submit the CSR and request a signed certificate. When the certificate is available for download you can download it in DER format (X. 509 digital certificate encoded in binary) or in Base64 format. If you download it in DER format we can convert it after the fact. | |||
If the .cer file is already in base64 encoded PEM format, you can simply rename it to .pem or proceed to the next step. | |||
=== Converting DER certificates to Base64 pem Format === | |||
This shows how to take a DER formatted files (certnew.p7b & certnew.cer) from your Certificate Authority to produce a certificate chain (cert_chain.pem) and certificate files in PEM format for use in the S3 Gateway: | |||
<pre> | <pre> | ||
openssl pkcs7 -print_certs -inform der -in certnew.p7b -out cert_chain.pem | openssl pkcs7 -print_certs -inform der -in certnew.p7b -out cert_chain.pem | ||
</pre> | |||
Next we'll .cer file from the produced certificate (certnew.cer) to convert it to PEM format: | |||
<pre> | |||
openssl x509 -inform der -in certnew.cer -out certnew.pem | openssl x509 -inform der -in certnew.cer -out certnew.pem | ||
</pre> | </pre> | ||
rename the certificate authority chain file to a clearer name | Next we'll rename the certificate authority chain file to a clearer name: | ||
<pre> | <pre> | ||
cp cert_chain.pem adtest_osnexus_net.pem | cp cert_chain.pem adtest_osnexus_net.pem | ||
</pre> | </pre> | ||
Next ensure your private key is now in PEM format, it should look like this in a text editor with BEGIN and END blocks showing the key in Base64 format: | |||
<pre> | |||
-----BEGIN PRIVATE KEY----- | |||
(Your private key here) | |||
-----END PRIVATE KEY----- | |||
</pre> | |||
=== DER to PEM Format Conversion (optional) === | |||
If your private key is in DER format, convert it to PEM using the following command: | |||
<pre> | |||
openssl rsa -inform DER -outform PEM -in derformat.key -out s3_adtest_osnexus_net.key | |||
</pre> | |||
Replace `derformat.key` with the path to your DER-formatted private key and `s3_adtest_osnexus_net.key` with the desired output filename for the PEM-formatted private key. | |||
=== Concatenate the Private Key, Certificate, and Chain === | |||
You want to have the private key at the beginning of your PEM file followed by your certificate and then the certificate chain. Use the `cat` command to concatenate them in this order: | |||
<pre> | |||
cat s3_adtest_osnexus_net.key certnew.pem cert_chain.pem > s3_adtest_osnexus_net.pem | |||
</pre> | |||
Replace `myprivatekey.pem` with your private key file, `certnew.pem` with your certificate file, and `cert_chain.pem` with your certificate chain file. The combined file `combined_with_key.pem` will contain all three components. | |||
=== Verify the Contents === | |||
You can check the contents of the final PEM file to ensure all parts are included correctly: | |||
<pre> | |||
openssl x509 -in s3_adtest_osnexus_net.pem -text -noout | |||
</pre> | |||
This command will display the certificate details. You won't be able to view the private key this way (and you shouldn't be able to), but you can open the PEM file in a text editor to ensure the private key and certificates are present. | |||
=== Applying Cert at Creation of S3 Gateways === | |||
When creating new S3 Gateways in QuantaStor there's an option to provide a PEM file at that time and there you'll want to specify the 's3_adtest_osnexus_net.pem' file you've generated. | |||
=== Applying Cert to Existing S3 Gateways === | |||
Copy your certificate to '''/etc/ceph/ceph_<HOSTNAME>_radosgw.pem''' where '''<HOSTNAME>''' needs to be replace with the local host hostname which you can also get by running 'hostname' then restart the S3 gateway (radosgw) services with this command: | |||
<pre> | |||
systemctl restart ceph-radosgw@*.service | |||
</pre> | |||
=== Updating Clients === | |||
On your S3 client systems/hosts insert the CA's cert chain file if not already present. For example, on a Ubuntu 20.04 based system you can use the following commands to add the cert chain: | |||
<pre> | <pre> | ||
| Line 138: | Line 163: | ||
</pre> | </pre> | ||
Note, you may need to break the cert file up into | Note, you may need to break the cert file up into separate files depending on the length of the cert chain. | ||
test the certificate from a client | === Test the Certificate === | ||
Finally, it is important to test the certificate from a client to verify it via openssl to ensure there are no configuration errors or other issues. The '''curl''' and openssl utilities for both good for this: | |||
<pre> | <pre> | ||
curl https://<FQDN of server>:<port> | curl https://<FQDN of server>:<port> | ||
</pre> | |||
Additionally if your client has openssl installed you can use it to print out the certificate from the S3 gateway, be sure to replace <FQDN of server> with your fqdn like s3.example.com and the <port> is typically 8580 which is the default load balancer port number on QuantaStor systems: | |||
<pre> | |||
echo -n | openssl s_client -showcerts -connect <FQDN of server>:<port> | echo -n | openssl s_client -showcerts -connect <FQDN of server>:<port> | ||
</pre> | </pre> | ||
Latest revision as of 03:10, 3 April 2025
When configuring QuantaStor scale-out clusters with an object storage zone it is important to setup a SSL/TLS certificate to associate with the S3 gateway (CephRGW) so that clients connecting are able to validate the certificate against either an internal or public certificate authority (CA). This article goes into the procedure for making a SSL certificate using OpenSSL. In the configuration of the openssl setting one will set a series of 'Alt Names' or 'Subject Alt Names' which identifies all the FQDNs for all the ports on all the QuantaStor systems that make up the cluster and any floating cluster wide FQDNs that my be used to access the S3 gateways as well as any IP addresses used to access the S3 gateways. If you are pre-planning a deployment we highly recommend gather this information and generating the certificates ahead of time.
S3 Certificate CSR generation and signing using Windows AD/Certificate Authority
Prepare Certs Directory
Start by creating a empty directory to store the certificates to be generated.
mkdir s3_adtest_osnexus_net_crt cd s3_adtest_osnexus_net_crt
Create OpenSSL Configuration File
Next create a file named openssl.cnf that contains the proper values for your site, and the Subject Alt Names you wish to have match FQDN to IP mappings in your DNS. Here's an example openssl configuration file (save as openssl.cnf), you can start with this one and edit the values to match your organization. Be sure to change all the values under [ alt_names ] and under [ req_distinguished_name ] to match the settings for your organization :
[ req ] default_bits = 2048 prompt = no default_md = sha256 distinguished_name = req_distinguished_name req_extensions = req_ext x509_extensions = v3_req [ req_distinguished_name ] C = US ST = Washington L = Bellevue O = OSNEXUS Development OU = s3 services [ req_ext ] subjectAltName = @alt_names [ v3_req ] subjectAltName = @alt_names [ alt_names ] DNS.1 = s3.adtest.osnexus.net DNS.2 = cg-631f-201.adtest.osnexus.net DNS.3 = cg-631f-202.adtest.osnexus.net DNS.4 = cg-631f-203.adtest.osnexus.net DNS.5 = vif205.adtest.osnexus.net DNS.6 = vif206.adtest.osnexus.net DNS.7 = vif207.adtest.osnexus.net IP.1 = 10.0.12.201 IP.2 = 10.0.12.202 IP.3 = 10.0.12.203 IP.4 = 10.0.12.205 IP.5 = 10.0.12.206 IP.6 = 10.0.12.207
Generate Server Key
This will generate a new server key we'll use to make a CSR from in the next step.
openssl genrsa -out s3_adtest_osnexus_net.key 2048
Generate Certificate Signing Request (CSR)
Here we use the server key with the openssl.cnf configuration file to generate a CSR:
openssl req -new -out s3_adtest_osnexus_net.csr -key s3_adtest_osnexus_net.key -config openssl.cnf
Verify / Validate CSR
Next review the generated CSR to ensure it accurately contains the correct settings:
openssl req -in s3_adtest_osnexus_net.csr -noout -text
Submit CSR to Certificate Authority
Next take the CSR and submit it to your Certificate Authority. Refer to the Certificate Authorities documentation for signing the CSR and generating a server cert and CA chain. For Windows AD/Certificate Authority, install and deploy the Windows Certificate Authority role with the Certificate Authority web portal options. This should give you a new path to submit CSRs to under http://<AD Server IP>/certsrv
Follow the onscreen prompts on the Windows Active Directory (AD) Certificate Authority page to submit the CSR and request a signed certificate. When the certificate is available for download you can download it in DER format (X. 509 digital certificate encoded in binary) or in Base64 format. If you download it in DER format we can convert it after the fact.
If the .cer file is already in base64 encoded PEM format, you can simply rename it to .pem or proceed to the next step.
Converting DER certificates to Base64 pem Format
This shows how to take a DER formatted files (certnew.p7b & certnew.cer) from your Certificate Authority to produce a certificate chain (cert_chain.pem) and certificate files in PEM format for use in the S3 Gateway:
openssl pkcs7 -print_certs -inform der -in certnew.p7b -out cert_chain.pem
Next we'll .cer file from the produced certificate (certnew.cer) to convert it to PEM format:
openssl x509 -inform der -in certnew.cer -out certnew.pem
Next we'll rename the certificate authority chain file to a clearer name:
cp cert_chain.pem adtest_osnexus_net.pem
Next ensure your private key is now in PEM format, it should look like this in a text editor with BEGIN and END blocks showing the key in Base64 format:
-----BEGIN PRIVATE KEY----- (Your private key here) -----END PRIVATE KEY-----
DER to PEM Format Conversion (optional)
If your private key is in DER format, convert it to PEM using the following command:
openssl rsa -inform DER -outform PEM -in derformat.key -out s3_adtest_osnexus_net.key
Replace `derformat.key` with the path to your DER-formatted private key and `s3_adtest_osnexus_net.key` with the desired output filename for the PEM-formatted private key.
Concatenate the Private Key, Certificate, and Chain
You want to have the private key at the beginning of your PEM file followed by your certificate and then the certificate chain. Use the `cat` command to concatenate them in this order:
cat s3_adtest_osnexus_net.key certnew.pem cert_chain.pem > s3_adtest_osnexus_net.pem
Replace `myprivatekey.pem` with your private key file, `certnew.pem` with your certificate file, and `cert_chain.pem` with your certificate chain file. The combined file `combined_with_key.pem` will contain all three components.
Verify the Contents
You can check the contents of the final PEM file to ensure all parts are included correctly:
openssl x509 -in s3_adtest_osnexus_net.pem -text -noout
This command will display the certificate details. You won't be able to view the private key this way (and you shouldn't be able to), but you can open the PEM file in a text editor to ensure the private key and certificates are present.
Applying Cert at Creation of S3 Gateways
When creating new S3 Gateways in QuantaStor there's an option to provide a PEM file at that time and there you'll want to specify the 's3_adtest_osnexus_net.pem' file you've generated.
Applying Cert to Existing S3 Gateways
Copy your certificate to /etc/ceph/ceph_<HOSTNAME>_radosgw.pem where <HOSTNAME> needs to be replace with the local host hostname which you can also get by running 'hostname' then restart the S3 gateway (radosgw) services with this command:
systemctl restart ceph-radosgw@*.service
Updating Clients
On your S3 client systems/hosts insert the CA's cert chain file if not already present. For example, on a Ubuntu 20.04 based system you can use the following commands to add the cert chain:
cp adtest_osnexus_net.pem /usr/local/share/ca-certificates/ update-ca-certificates
Note, you may need to break the cert file up into separate files depending on the length of the cert chain.
Test the Certificate
Finally, it is important to test the certificate from a client to verify it via openssl to ensure there are no configuration errors or other issues. The curl and openssl utilities for both good for this:
curl https://<FQDN of server>:<port>
Additionally if your client has openssl installed you can use it to print out the certificate from the S3 gateway, be sure to replace <FQDN of server> with your fqdn like s3.example.com and the <port> is typically 8580 which is the default load balancer port number on QuantaStor systems:
echo -n | openssl s_client -showcerts -connect <FQDN of server>:<port>