Replacing the Pure Storage FlashArray Management Certificate

Published on March 31, 2020 under Pure Storage · Tagged Certificates and FlashArray · Read in about 2 min (377 words)

Maintaining certificates in your environments is important for making sure connections between your client and server are encrypted and trusted. In this post we will go over how to replace your Pure Storage FlashArray Management Certificate using a Microsoft Certificate Authority.

Not only is replacing your certificates a good thing for security reasons, but the administrators who interact with the storage array will thank you for not having to be presented with this screen every time they try to access the UI.

Construct Certificate Signing Request

A Certificate Signing Request (CSR) can be created through either the UI or the CLI.

When you create a CSR you will be prompted for the following items whether the UI or CLI method is used.

When you click Create, the CSR will be created and you can either Copy or Download it.

There is currently a known issue where the Common Name is not added to the Subject Alternative Name (SAN) in the certificate request, which causes browser errors to still appear. We will cover a workaround in the next section.

Request a Certificate Using the CSR from Microsoft Certificate Authority

With our CSR in hand we can navigate to our Certificate Authority to request a certificate. You can usually access the certificate request UI by navigating to https://FQDN/certsrv.

We will click on Request a certificate and then advanced certificate request. As mentioned earlier, the SAN will not contain the Common Name, but on the certificate request form we can easily add it through the Additional Attributes field:

san:dns=david-fa1.newstack.local

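In order to have the SAN added to the certificate you must run the following commands on your Certificate Authority. Note that this flag is CA-wide: while it is set, the CA honors SAN values supplied as request attributes on every request it processes, not only this one.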

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

Click on Submit and download the certificate as Base 64 encoded.
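
As an added example (not part of the original post), the following PowerShell, run elevated on the CA, checks that the downloaded certificate really carries the array FQDN in its SAN and then clears EDITF_ATTRIBUTESUBJECTALTNAME2 again, since the flag is only needed while this request is issued. The file name david-fa1.cer is an assumption, and the "DNS Name=" match assumes an English-language Windows.

```powershell
# Added example, not from the original post. Run elevated on the CA.
# Assumed values: adjust the file path and FQDN to your own array.
$CertPath     = '.\david-fa1.cer'            # hypothetical name of the Base 64 download
$ExpectedName = 'david-fa1.newstack.local'   # value used in the san:dns= attribute

function Get-SanDnsName {
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).Path
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)
    # 2.5.29.17 is the Subject Alternative Name extension.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return }
    # On English Windows, Format($true) prints one "DNS Name=<host>" per line.
    foreach ($line in ($san.Format($true) -split "`r?`n")) {
        if ($line -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim() }
    }
}

# 1. Confirm the issued certificate carries the array FQDN in its SAN.
$names = @(Get-SanDnsName -Path $CertPath)
$sanOk = $names -contains $ExpectedName      # -contains ignores case
if ($sanOk) {
    Write-Host "SAN OK: $($names -join ', ')"
} else {
    Write-Warning "SAN is missing $ExpectedName (found: $($names -join ', ')). Re-request before importing."
}

# 2. Check whether the CA still accepts SANs from request attributes.
$flagSet = [bool](certutil -getreg policy\EditFlags |
    Select-String -SimpleMatch 'EDITF_ATTRIBUTESUBJECTALTNAME2')

# 3. Once the certificate is good, turn the flag back off and restart the CA.
if ($sanOk -and $flagSet) {
    certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
    Restart-Service -Name certsvc
    Write-Host 'EDITF_ATTRIBUTESUBJECTALTNAME2 cleared; certsvc restarted.'
} elseif ($flagSet) {
    Write-Warning 'Flag left set so the request can be repeated; clear it when done.'
} else {
    Write-Host 'EDITF_ATTRIBUTESUBJECTALTNAME2 is not set.'
}
```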

Replacing the Management Certificate

Once you have your certificate you can navigate back to the UI or CLI and import the certificate.

If using the CLI, “^D” is equivalent to “Ctrl+D”.

Conclusion

Replacing certificates is always a great idea! The FlashArray Management certificate is not the only certificate that needs replacing on the FlashArray. Stay tuned for more information on how to replace the vStorage APIs for Storage Awareness (VASA) certificate!
