Product Version: 10.3
Last Modified: 22 February 2021
Can I use a custom CA-signed certificate for Transporters installed manually?
You can use a custom CA-signed certificate. However, the certificate must meet the following requirements:
- The certificate must have the
- Both the certificate and private key must be contained in a single file.
The certificate must support only the RSA key.
In case the certificate does not meet the requirements, the installation shall fail.
Creating And Setting Up CA-signed Certificate
Before NAKIVO Backup & Replication can use the Transporter, the Director needs to recognize the Transporter as secure. This process requires two certificates, one on the Director side and one on the Transporter side.
The process of creating and setting up certificates requires OpenSSL package which must be installed on Linux OS.
To create and set up a custom CA-signed certificate, do the following:
- Generate RSA key with the following commands:
openssl genrsa -out rsa.key 2048
openssl rsa -in rsa.key -noout -text
- Generate Certificate Signing Request (CSR) with the following commands:
openssl req -new -key rsa.key -out rsa.csr
openssl req -in rsa.csr -noout -text
- Generate CA Key and self-signed certificate with the following commands:
openssl genrsa -out ca.key 2048
openssl req -new -x509 -key ca.key -out ca.crt
- Perform the signing procedure with the following commands:
openssl x509 -req -in rsa.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out rsa.crt
openssl x509 -in rsa.crt -noout -text
- Rename rsa.crt to rsa.pem.
- Create a separate file that includes both key and certificate with the following command:
cat rsa.key rsa.pem > certkey.pem
Rename ca.crt to CA-Certificate.pem and put it /opt/nakivo/director/userdata.
The name of the certificate file to be put in the userdata folder cannot be anything other than CA-Certificate.pem.
- Run the following command:
chmod 755 CA-Certificate.pem
- Restart Director Service with the following command:
systemctl restart nkv-dirsvc
- Perform Transporter installation described here and specify path to the certkey.pem.