Nexus Dashboard – Certificate Install


Table of Contents:

  1. Introduction
  2. Requirements
  3. Populating the information
  4. Getting the required information
    4.a Generate Private Key
    4.b Self Signed only: Generate CA Key
    4.c Self Signed Only: Generate CSR for CA
    4.d Self Signed Only: Create the Self CA signed root Certificate
    4.e Generate your csr (signed with your private key)
    4.f Obtain your signed Certificate
    4.g Verify the Certificate obtained
  5. References

    Introduction

    This article shows you how to install a certificate for Nexus Dashboard. I will demonstrate how to add a self signed certificate and a CA verified certificate at the same time. The steps that can be omitted for the CA verified certificate are marked clearly.

    Requirements

    • If you need to generate the keys/certificates, you will need any platform with a Linux-based OS, or a Mac. You could also ssh in to the ND as rescue-user and perform these steps there.
    • You will also need the openssl utility, which is almost always already present. If not, just use apt/yum/brew to install it.
    • ⚠️ You need to take a backup of your ND, just in case.

    Populating the information.

    If you already have the information below, start populating it in the ND UI:
    nd.key — your private key
    nd.crt — your CA signed certificate
    ca.crt — CA's Public Certificate

📗 Note: the contents that you need to paste in can be copied to the clipboard. Use the cat command to view each file and copy its contents, e.g. cat nd.key, cat nd.crt, cat ca.crt

If you don’t have the above keys and certificates, go to the Getting the required information section, which shows you how to obtain them, and then come back to this section.

On the ND Screen, go to Administrative/Security and click on the Edit button

Figure 1: Security Settings.

On the next screen, populate the following:

  1. Key: Paste your Private Key contents
  2. RSA Certificate: Put your CA signed or Self Signed Certificate contents
  3. Root Certificate: Put the CA Certificate (Real CA or Self CA) contents here. Also populate the Intermediate Certificate contents if there is one, and click on Save

Figure 2: Populating the information on ND UI

That’s all there is to it. The UI of the ND will reload and you should be able to get back in after a few moments from your browser.

Getting the required information

Generate Private Key
openssl genrsa -out nd.key 2048

You will now see the key in the directory.
Figure 3: Generating the Private Key

Self Signed only: Generate CA Key

Skip this step if you are going to use a real CA.

openssl genrsa -out ca.key 2048

Figure 4: Generating the CA Key

Self Signed Only: Generate CSR for CA

Skip this step if you are going to use a real CA.

openssl req -new -key ca.key -subj "/CN=Self/C=US/O=Private/ST=Texas" -out ca.csr

You will now also see a ca.csr
Figure 5: Generating the CA csr

💡Optional: you can see the contents of the csr with the command:

openssl req -in ca.csr -text -noout

Self Signed Only: Create the Self CA signed root Certificate

Skip this step if you are going to use a real CA.

openssl x509 -req -in ca.csr -signkey ca.key -CAcreateserial -out ca.crt -days 3650

You will now also see a ca.crt
Figure 6: Generating the Private CA root certificate

💡Optional: you can see the contents of the Private CA certificate with the command:

openssl x509 -in ca.crt -text -noout

Generate your csr (signed with your private key)

First create a csr.cfg file, so you can pass in the required information. You can copy and paste the below and modify based on your requirements.

[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
countryName = US
stateOrProvinceName = Texas
localityName = Plano
organizationName = CSS
organizationalUnitName = DC
commonName = nd.dc.css
emailAddress = no-reply@mydomain.com
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.dc.css
IP.1 = 10.0.0.96
IP.2 = 10.0.0.97

Next, generate your csr

openssl req -new -key nd.key  -out nd.csr  -config csr.cfg

You will now also see an nd.csr
Figure 7: Generating your CSR

💡Optional: you can see the contents of the csr with the command:

openssl req -in nd.csr -text -noout

Obtain your signed Certificate

For a production deployment you will want to go with a public certificate authority, for example DigiCert, Entrust Datacard, GlobalSign, GoDaddy, Let’s Encrypt, Sectigo, etc.

You will have to submit your CSR to the CA and the CA will verify your identity and issue you a signed certificate based on your csr.

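For the Self Signed option you will have to generate your own signed certificate using the generated csr and the self generated ca.key and ca.crt. Pass csr.cfg again with -extfile and -extensions, because openssl x509 -req does not copy the subjectAltName entries from the csr into the certificate by default.

openssl x509 -req -in nd.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out nd.crt -days 3600 -extfile csr.cfg -extensions req_ext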

You will now have the certificate file nd.crt
Figure 8: obtaining the certificate

Verify the Certificate obtained

It’s probably a good idea to verify the certificate was:

  • signed properly

    openssl verify --verbose -CAfile ca.crt nd.crt

    Figure 9: Certificate was signed properly

  • the hashes for the key and crt match (within each pair of commands below, both lines must print the same hash)

openssl x509 -modulus -noout -in nd.crt | shasum
openssl rsa -modulus -noout -in nd.key | shasum

Figure 10: shasum hash check

openssl x509 -modulus -noout -in nd.crt | md5sum
openssl rsa -modulus -noout -in nd.key | md5sum

Figure 11: md5sum hash check

  • contents are correct, including expiration date
    openssl  x509 -in  nd.crt -text -noout

    Figure 12: Verifying contents of certificate
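
The checks in this list, combined into one pre-flight function, as an added example that is not part of the original article. It also tests that the subjectAltName requested in csr.cfg is present in the issued certificate, since openssl x509 -req does not copy CSR extensions unless told to. The names nd_preflight, nd_demo_pki and nosan.crt, the "Demo CA" subject and the 30-day expiry window are assumptions; the demo PKI is constructed throwaway data.

```shell
#!/usr/bin/env bash
# Added example. nd_preflight KEY CRT CA returns 0 only if all checks pass.
nd_preflight() {
  key=$1; crt=$2; ca=$3; rc=0
  # 1. certificate chains to the CA
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
    { echo "FAIL: $crt does not verify against $ca"; rc=1; }
  # 2. certificate and private key share the same RSA modulus
  m=$(openssl x509 -modulus -noout -in "$crt" 2>/dev/null) || m=""
  k=$(openssl rsa -modulus -noout -in "$key" 2>/dev/null) || k=""
  [ -n "$m" ] && [ "$m" = "$k" ] ||
    { echo "FAIL: $key does not match $crt"; rc=1; }
  # 3. the SANs from csr.cfg made it into the certificate
  openssl x509 -in "$crt" -noout -text 2>/dev/null |
    grep -q "Subject Alternative Name" ||
    { echo "FAIL: $crt has no subjectAltName"; rc=1; }
  # 4. not expiring within 30 days (assumed window)
  openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1 ||
    { echo "FAIL: $crt expires within 30 days"; rc=1; }
  return $rc
}
# Constructed throwaway PKI: nosan.crt is signed without -extfile, nd.crt with it.
nd_demo_pki() {
  d=$1
  cat > "$d/csr.cfg" <<'EOF'
[req]
distinguished_name = dn
req_extensions = req_ext
x509_extensions = v3_ca
prompt = no
[dn]
commonName = nd.dc.css
[req_ext]
subjectAltName = DNS:*.dc.css, IP:10.0.0.96, IP:10.0.0.97
[v3_ca]
basicConstraints = critical, CA:TRUE
EOF
  openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
  openssl genrsa -out "$d/nd.key" 2048 2>/dev/null
  openssl req -new -x509 -config "$d/csr.cfg" -key "$d/ca.key" \
    -subj "/CN=Demo CA" -days 3650 -out "$d/ca.crt"
  openssl req -new -config "$d/csr.cfg" -key "$d/nd.key" -out "$d/nd.csr"
  sign() { openssl x509 -req -in "$d/nd.csr" -CA "$d/ca.crt" \
    -CAkey "$d/ca.key" -CAcreateserial -days 3600 "$@" 2>/dev/null; }
  sign -out "$d/nosan.crt"   # CSR extensions are silently dropped here
  sign -out "$d/nd.crt" -extfile "$d/csr.cfg" -extensions req_ext
}
demo=$(mktemp -d) && nd_demo_pki "$demo"
nd_preflight "$demo/nd.key" "$demo/nosan.crt" "$demo/ca.crt" || echo "=> nosan.crt rejected"
nd_preflight "$demo/nd.key" "$demo/nd.crt" "$demo/ca.crt" && echo "=> nd.crt ready"
```

For the real files, run nd_preflight nd.key nd.crt ca.crt from the directory that holds them.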

You now have all 3 items you need to install the certificates.

nd.key — your private key
nd.crt — your CA signed certificate
ca.crt — CA's Public Certificate

Figure 13: Obtained all items needed to install cert in ND

While copying the contents, please make sure to include the header and footer lines (-----BEGIN ...----- and -----END ...-----), shown boxed in red in the figures below.

Figure 14: Contents of ca.crt to be pasted in Root Certificate Area

Figure 15: Contents of nd.crt to be pasted in RSA Certificate Area

Figure 16: Contents of nd.key to be pasted in the Key Area

⚠️ Make sure to store these files in a safe place.

Now, go to Populating the information Section for reference.

References
  • ND Deployment Guides, Data Sheets, Release Notes, Compatibility Guides, Install and Upgrade: 💡ND Documentation