Prepare client and root certificates

The Hitachi VSP requires a PKCS #12 client certificate with x509v3 extensions and a root CA certificate in X.509 format. The client certificate must be signed by a CA trusted by the CryptoHub. Follow the steps below to generate and prepare these certificates.

The client certificate must include x509v3 extensions. Certificates without these extensions will be silently rejected by the VSP. Ensure your OpenSSL configuration includes req_extensions and x509_extensions sections.

Generate a private key and CSR

On the SVP or a management workstation with OpenSSL installed, generate a 2048-bit RSA private key:

Bash

openssl genrsa -out client.key 2048

Create an OpenSSL configuration file (for example, openssl-vsp.cnf) that includes x509v3 extensions. At minimum, the configuration should include:

openssl-vsp.cnf

[req]
distinguished_name = req_dn
req_extensions = v3_req

[req_dn]
commonName = Hitachi VSP

[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth

Generate a CSR using the configuration file:

Bash

openssl req -new -key client.key -out client.csr -config openssl-vsp.cnf

Sign the CSR on the CryptoHub

Submit the client.csr to the CryptoHub’s Certificate Authority for signing.

The CryptoHub returns a signed client certificate (for example, client.crt) in PEM format.

Export the root CA certificate (cacert.pem) from the CryptoHub. This is the CA certificate that the VSP will use to verify the CryptoHub’s identity during the KMIP TLS handshake.

If you deployed a client endpoint, the KMIP server root CA certificate (Futurex Test Root CA (ECC).cer or Futurex Test Root SSL CA.cer) is already included in the endpoint zip. You can use either that file or the exported cacert.pem.

Convert the signed certificate to PKCS #12

Convert the signed certificate and private key into PKCS #12 format:

Bash

openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12

Set a password when prompted. You will need this password when importing the certificate into Storage Navigator.

After completing this step, you should have:

client.p12 — Client certificate in PKCS #12 format (required by the VSP)
cacert.pem — CryptoHub root CA certificate in X.509 PEM format

Service guides

Certificate Authority

Certificate management

Certificate validation

Cloud key management

Code signing

Credential management

Data protection

Data storage

Database

Digital signing

DNS

Endpoint management

Firewall

Generic

IT automation and orchestration

Key management

Privileged access management

Secrets management

SSH

TLS offloading

Virtualization

VPN

Prepare client and root certificates

Generate a private key and CSR

Sign the CSR on the CryptoHub

Convert the signed certificate to PKCS #12

Service guides

Certificate Authority

Certificate management

Certificate validation

Cloud key management

Code signing

Credential management

Data protection

Data storage

Database

Digital signing

DNS

Endpoint management

Firewall

Generic

IT automation and orchestration

Key management

Privileged access management

Secrets management

SSH

TLS offloading

Virtualization

VPN

Documentation Index

​Generate a private key and CSR

​Sign the CSR on the CryptoHub

​Convert the signed certificate to PKCS #12

Generate a private key and CSR

Sign the CSR on the CryptoHub

Convert the signed certificate to PKCS #12