
Product Version: 10.3

Last Modified: 22 February 2021

Question

Can I use a custom CA-signed certificate for Transporters installed manually?

Answer

You can use a custom CA-signed certificate. However, the certificate must meet the following requirements:

  • The certificate must have the .pem file extension.
  • Both the certificate and private key must be contained in a single file.
  • The certificate must use an RSA key only.

    If the certificate does not meet these requirements, the installation fails.

Creating And Setting Up CA-signed Certificate

Before NAKIVO Backup & Replication can use the Transporter, the Director needs to recognize the Transporter as secure. This process requires two certificates, one on the Director side and one on the Transporter side.

Creating and setting up the certificates requires the OpenSSL package, which must be installed on the Linux OS.

To create and set up a custom CA-signed certificate, do the following:

  1. Generate an RSA key with the following commands:
    openssl genrsa -out rsa.key 2048
    openssl rsa -in rsa.key -noout -text
  2. Generate a Certificate Signing Request (CSR) with the following commands:
    openssl req -new -key rsa.key -out rsa.csr
    openssl req -in rsa.csr -noout -text
  3. Generate a CA key and a self-signed certificate with the following commands:
    openssl genrsa -out ca.key 2048
    openssl req -new -x509 -key ca.key -out ca.crt
  4. Perform the signing procedure with the following commands:
    openssl x509 -req -in rsa.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out rsa.crt
    openssl x509 -in rsa.crt -noout -text
  5. Rename rsa.crt to rsa.pem.
  6. Create a separate file that includes both the key and the certificate with the following command:
    cat rsa.key rsa.pem > certkey.pem
  7. Rename ca.crt to CA-Certificate.pem and put it in /opt/nakivo/director/userdata.

    Important

    The name of the certificate file to be put in the userdata folder cannot be anything other than CA-Certificate.pem.

  8. Run the following command:
    chmod 755 CA-Certificate.pem
  9. Restart the Director service with the following command:
    systemctl restart nkv-dirsvc
  10. Perform the Transporter installation described here and specify the path to certkey.pem.
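
An added example, not part of the NAKIVO documentation: a shell function that checks the combined file against the three requirements listed under Answer before you start the installation. It goes one step further than the list by confirming that the private key belongs to the certificate and that the certificate verifies against the CA; the name check_certkey is hypothetical.

```sh
#!/bin/sh
# Added example (not NAKIVO code): pre-installation check of the combined
# key + certificate file. check_certkey is a hypothetical helper name.
# Usage: sh check_certkey.sh certkey.pem CA-Certificate.pem

check_certkey() {
    ck_bundle=$1
    ck_ca=$2

    # Requirement: the file must have the .pem extension.
    case "$ck_bundle" in
        *.pem) ;;
        *) echo "FAIL: file extension is not .pem"; return 1 ;;
    esac

    # Requirement: certificate and private key in a single file.
    grep -q 'BEGIN CERTIFICATE' "$ck_bundle" ||
        { echo "FAIL: no certificate in file"; return 1; }
    grep -q 'BEGIN .*PRIVATE KEY' "$ck_bundle" ||
        { echo "FAIL: no private key in file"; return 1; }

    # Requirement: RSA key. "openssl rsa" rejects EC and other key types;
    # the empty -passin keeps it from prompting on an encrypted key.
    openssl rsa -in "$ck_bundle" -passin pass: -check -noout >/dev/null 2>&1 ||
        { echo "FAIL: private key is not a usable RSA key"; return 1; }

    # Implied by step 6: the key must belong to the certificate.
    # Compare the public key derived from each.
    ck_cert_pub=$(openssl x509 -in "$ck_bundle" -noout -pubkey 2>/dev/null)
    ck_key_pub=$(openssl pkey -in "$ck_bundle" -passin pass: -pubout 2>/dev/null)
    [ -n "$ck_cert_pub" ] && [ "$ck_cert_pub" = "$ck_key_pub" ] ||
        { echo "FAIL: private key does not match certificate"; return 1; }

    # Implied by step 4: the certificate must verify against the CA.
    openssl verify -CAfile "$ck_ca" "$ck_bundle" >/dev/null 2>&1 ||
        { echo "FAIL: certificate is not signed by the given CA"; return 1; }

    echo "OK"
}

# Run the check when the script is called with both file arguments.
if [ $# -eq 2 ]; then
    check_certkey "$1" "$2"
fi
```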

