cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2660
Views
5
Helpful
1
Replies

SSL CSR Generation on Tetration Cluster

Hi all,

 

Has anyone managed to generate a CSR for the purposes of generating a SSL cert from the cluster front end?

I'm trying to eliminate the SSL bypass browser message by having a signed / trusted cert for the web interface upon logon, and I can't seem to find any references on how to do this for Tetration.

 

Thanks

 

 

1 Reply 1

Lawrence Searcy
Cisco Employee
Cisco Employee

Currently, there is no CSR generation on Tetration Analytics. An enhancement has been filed

 

CSCvk19114    UI should generate Certificate Signing Request (CSR) for SSL certificate

 

There is also a request to improve documentation

 

CSCvk19113    SSL configuration needs better examples and explanations for non-certificate users

 

Here is the process for adding a certificate. There is additional information in the user guide on the system.

 

Step 1: Create your own PEM certificate from a Microsoft Certificate Authority or openssl for a local certificate. Or buy a global certificate from one of the SSL certificate authorities.

Step 2: Install the received X509 PEM certificate with the private key into the Tetration GUI. The Tetration GUI has the following fields:

NAME: This can be any name for the certificate key pair. This name is for your benefit when looking for which SSL certificate is installed in the Tetration GUI.

X509 Certificate: This field takes an X509 certificate in PEM (Privacy Enhanced Mail) format. If your certificate requires an intermediary CA bundle, concatenate the CA bundle after your certificate so that the leaf certificate for this domain is in the beginning of the certificate chain. For example, open domain_name.crt and domain_name.ca-bundle files using any text editor. Next, copy all the content of domain_name.crt and paste it at the top of the domain_name.ca-bundle file. Save the file with a unique name with any extension (.txt, .key., .cert, or .pem)

The PEM certificate will look like

-----BEGIN CERTIFICATE-----
MIIB9TCCCiSCObgxGTAXBgNVBAoMEFF1b1ZhZGlzIExpbWl0ZWQxHDAaBgNV
BAsME0RvY3VtZW50IERlGYUINMVBSERTVYUgNVBAFdoeSBhcmUgeW91IGRl
<SNIP Several Lines>
ozakE+8p06BpxegR4BR3Hf6p+0jQxUEAkAyb/mVgm66TyghDGC6/YkiKoZptXQ
98TwDIK/39WEBcdertyQG8drorw==
-----END CERTIFICATE------

The PEM files always have header and footer lines to distinguish which PEM object it is, such as

-----BEGIN RSA PRIVATE KEY-----
<DATA>
-----END RSA PRIVATE KEY-----

Which show a private key in PEM format. And

-----BEGIN CERTIFICATE-----
<DATA>
-----END CERTIFICATE------

Which show a certificate file in PEM format.

RSA Private Key: This field should contain the matching private key for the public key signed in the certificate above.

Review Cisco Networking for a $25 gift card