Sign node CSRs on the CryptoHub

Sign each per-node CSR from Nutanix using the CryptoHub Certificate Authority. Export the signed certificates and the CA certificate — you will upload all of these to Prism Element in the next step.

Sign a node CSR

Repeat the following steps for each CSR file downloaded from Prism Element.

In the CryptoHub web UI, go to PKI and CA > Certificate Management.

Expand the Client App TLS CA tree for the Generic KMIP service you deployed.

Right-click the CA certificate under the Generic KMIP service and select Add Certificate > From Request.

In the CSR dialog, click Browse and select the .csr file for the node you are signing.

In the Subject DN tab, verify the Common Name reflects the node identifier from the CSR.

In the Basic Info tab, leave all default values.

In the V3 Extensions tab, select the TLS Client Certificate profile.

Click [ OK ] to issue the certificate.

Repeat these steps for every CSR file in the csrs.zip archive. Each CVM node requires a separately signed certificate.

Export signed node certificates

Export each signed certificate individually in PEM format.

In PKI and CA > Certificate Management, locate a signed node certificate you issued.

Right-click the certificate and select Export > Certificate(s).

Set the encoding to PEM.

Click [ Browse ], enter a filename that identifies the node (for example, node1-signed.pem), and click [ OK ].

Click [ OK ] to download the file.

Repeat for each signed node certificate. Keep track of which certificate corresponds to which CVM node — you will upload them individually in Prism Element.

Export the CA certificate

Export the CA certificate that signed the node certificates. Nutanix uses this certificate to validate the CryptoHub’s identity during the mTLS handshake.

In PKI and CA > Certificate Management, locate the CA certificate under the Generic KMIP service.

Right-click the CA certificate and select Export > Certificate(s).

Set the encoding to PEM and save the file as cacert.pem.

Click [ OK ] to download the file.

After completing these steps, you should have the following files ready for upload to Nutanix:

One signed .pem certificate per CVM node
One cacert.pem CA certificate

If you deployed a client endpoint in the previous step, the KMIP server root CA certificate (Futurex Test Root CA (ECC).cer or Futurex Test Root SSL CA.cer) is already included in the endpoint zip. You can use either that file or the cacert.pem exported here when configuring the Certificate Authority in Prism Element.

Service guides

Certificate Authority

Certificate management

Certificate validation

Cloud key management

Code signing

Credential management

Data protection

Data storage

Database

Digital signing

DNS

Endpoint management

Firewall

Generic

IT automation and orchestration

Key management

Privileged access management

Secrets management

SSH

TLS offloading

Virtualization

VPN

Sign a node CSR

Export signed node certificates

Export the CA certificate

Service guides

Certificate Authority

Certificate management

Certificate validation

Cloud key management

Code signing

Credential management

Data protection

Data storage

Database

Digital signing

DNS

Endpoint management

Firewall

Generic

IT automation and orchestration

Key management

Privileged access management

Secrets management

SSH

TLS offloading

Virtualization

VPN

Documentation Index

​Sign a node CSR

​Export signed node certificates

​Export the CA certificate

Sign a node CSR

Export signed node certificates

Export the CA certificate