Replacing the Pure Storage FlashArray Management Certificate
Maintaining Certificates in your environments is an important thing to do to make connections between your client and server are encrypted. With this blog we will go over how to replace your Pure Storage FlashArray Management Certificate using a Microsoft Certificate Authority.
Not only is it a good thing to replace your certificates for security reasons, but your administrators who interact with the storage array will thank you for not having them to be presented with this screen every time they try to access the UI.
Construct Certificate Signing Request
When it comes to creating a Certificate Signing Request (CSR) we can do this either through the UI or the CLI.
When you create a CSR you will be prompted for the following items whether the UI or CLI method is used.
When you click Create the CSR will be created and you can either Copy or Download the CSR.
There is currently a known issue where the Common Name is not added to the Subject Alternate Name (SAN) in the Certificate Request causing browser errors to still appear, we will cover a workaround in the next section
Request a Certificate Using the CSR from Microsoft Certificate Authority
With our CSR in hand we can navigate to our Certificate Authority to request a certificate. You can access the certificate request UI usually by navigating to https://FQDN/certsrv
We will click on Request a certificate and then advanced certificate request. As mentioned earlier, the SAN will not contain Common Name but with the Certificate Request we can easily add in the Additional Attributes to include it:
1san:dns=david-fa1.newstack.local
In order to have the SAN added to the certificate you must run the following commands on your certificate Authority.
1certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
2net stop certsvc
3net start certsvc
Click on Submit and download the certificate as Base 64 encoded
Replacing the Management Certificate
Once you have your certificate you can navigate back to the UI or CLI and import the certificate.
If using the CLI “^D” is equivalent to “Ctrl+D”
Conclusion
Replacing certificates is always a great idea! The FlashArray Management certificate is not the only certificate that needs replacing on the FlashArray. Stay tuned for more information on how to replace the vStorage APIs for Storage Awareness (VASA) certificate!
comments powered by Disqus