Skip to main content
Sign each per-node CSR from Nutanix using the CryptoHub Certificate Authority. Export the signed certificate/s — you will upload these to Prism Element in the next step.

Sign a node CSR

Repeat the following steps for each CSR file downloaded from Prism Element.
1
In the CryptoHub web UI, go to PKI and CA > Certificate Management.
2
Expand the Client App TLS CA X.509 Certificate Container and CryptoHub CA tree.
3
For each node, locate the Nutanix certificate that CryptoHub generated when you deployed the client endpoints in the previous step. Record its name—you’ll use it as the Common Name (CN) when issuing the node certificate from the CSR. Then delete the certificate, since the replacement you issue must reuse that exact name.
4
Right-click the CryptoHub CA certificate and select Add Certificate > From Request.
5
In the CSR dialog, click Browse and select the CSR file for the node you are signing.
6
In the Subject DN tab, change the Common Name (CN) value to match the name of the certificate you noted earlier.
7
In the Basic Info tab, leave all default values.
8
In the V3 Extensions tab, select the TLS Client Certificate profile.
9
Click [ OK ] to issue the certificate.
Repeat these steps for every CSR file in the csrs.zip archive. Each CVM node requires a separately signed certificate.

Export signed node certificate/s

Export each signed certificate individually in PEM format.
1
Go to PKI and CA > Certificate Management.
2
Expand the Client App TLS CA tree and locate a signed node certificate you issued.
3
Right-click the certificate and select Export > Certificate(s).
4
Set the encoding to PEM.
5
Click [ Browse ], enter a filename that identifies the node (for example, node1-signed.pem), and click [ OK ].
6
Click [ OK ] to download the file.
Repeat for each signed node certificate. Keep track of which certificate corresponds to which CVM node — you will upload them individually in Prism Element.
The client endpoint zip you downloaded in the previous section contains the KMIP server root CA certificate (Futurex Test Root CA (ECC).cer or Futurex Test Root SSL CA.cer). Nutanix uses this certificate to validate the CryptoHub’s identity during the mTLS handshake. You will upload it when configuring the Certificate Authority in Prism Element in the next section.