Creating and Installing Custom CA-Signed Certificate

Product version: 10.6

Last modified: 25 January 2022

Question

How do I create and install a custom CA-signed certificate for Transporter?

Answer

Before NAKIVO Backup & Replication can use the Transporter, the Director needs to recognize the Transporter as secure. This process requires two certificates, one on the Director side and one on the Transporter side.

Note
The process of creating and setting up certificates requires OpenSSL package which must be installed on Linux OS.

Creating CA-signed Certificate

To create and set up a custom CA-signed certificate, do the following:

1. Generate RSA key with the following commands:
   

   openssl genrsa -out rsa.key 2048
   

   openssl rsa -in rsa.key -noout -text

2. Generate Certificate Signing Request (CSR) with the following commands:
   

   openssl req -new -key rsa.key -out rsa.csr
   

   openssl req -in rsa.csr -noout -text

3. Generate CA Key and self-signed certificate with the following commands:
   

   openssl genrsa -out ca.key 2048
   

   openssl req -new -x509 -key ca.key -out ca.crt

4. Perform the signing procedure with the following commands:
   

   openssl x509 -req -in rsa.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out rsa.crt
   

   openssl x509 -in rsa.crt -noout -text

5. Rename rsa.crt to rsa.pem.

6. Create a separate file that includes both key and certificate with the following command:
   

   cat rsa.key rsa.pem > certkey.pem

7. Rename ca.crt to  CA-Certificate.pem.

Installing CA-signed Certificate

To install a custom CA-signed certificate created using the method described above or prepared beforehand, do the following:

1. Rename your certificate file to CA-Certificate.pem and put it in the /opt/nakivo/director/userdata folder.

   Important
   The name of the certificate file to be put in the userdata folder cannot be anything other than CA-Certificate.pem.

2. Run the following command:
   

   chmod 755 CA-Certificate.pem

3. Restart Director Service with the following command:
   

   systemctl restart nkv-dirsvc

4. Perform Transporter installation described here and specify path to the certkey.pem.