Custom Certificates Upload
This document covers custom certificate support for Zmanda Pro Self-hosted deployments.
The Zmanda Pro Self-hosted deployment package, by default, comes with self-signed certificates.
However, the Self-hosted deployment model allows you to upload custom certificates that follow the PEM-encoded X.509 certificate format. These certificates will be presented by the Zmanda Pro Server for all HTTPS connections. We recommend using an HTTPS certificate signed by an intermediate CA created by the certificate provider you use for your organization.
Pre-requisites
A Zmanda Pro Self-hosted server Instance
CA certificate: the intermediate CA used to sign the HTTPS Certificates
This certificate is to be in a file named ca.crt under the certs/ directory found in your Zmanda Pro Setup Package
HTTPS Certificate: the certificate that secures your FQDN on which you would access your Zmanda Pro Server UI from a web browser. This certificate should have a root- prefixed FQDN as the Subject Alternative Name (SAN).
This certificate is to be in a file named https.crt under the certs/ directory found in your Zmanda Pro Setup Package
Example: If your Zmanda Pro Server access FQDN is backup.zmanda.com, the https certificate securing this must have root-backup.zmanda.com as the Subject Alternative Name (SAN). This domain is used by the License Activator for patching upgrades and custom configurations.
HTTPS Key: the key used to digitally sign the above certificate to secure it.
This key is to be in a file named https.key under the certs/ directory found in your Zmanda Pro Setup Package
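A pre-install check for the three files listed above, as an added example that is not part of the Zmanda Pro Setup Package or its documentation: it confirms that the files exist, that https.crt carries the root- prefixed SAN, that https.key matches https.crt, and that ca.crt issued it. The function name check_certs and the script name are hypothetical, and OpenSSL 1.1.1 or later is assumed.

```sh
#!/bin/sh
# Added example, not shipped with Zmanda Pro: sanity-check certs/ before install.
# Assumes OpenSSL 1.1.1+. Usage: sh check_certs.sh <certs-dir> <server-fqdn>
check_certs() {
    dir=$1; fqdn=$2; rc=0

    for f in ca.crt https.crt https.key; do
        [ -s "$dir/$f" ] || { echo "FAIL: $dir/$f is missing or empty"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # Both certificates must parse as PEM-encoded X.509.
    for f in ca.crt https.crt; do
        openssl x509 -in "$dir/$f" -noout 2>/dev/null \
            || { echo "FAIL: $f is not a PEM X.509 certificate"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # The SAN must list root-<fqdn> as an exact DNS entry; a whole-line match
    # keeps root-<fqdn>.other.example from passing.
    openssl x509 -in "$dir/https.crt" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | tr -d ' ' | grep -Fxqi "DNS:root-$fqdn" \
        || { echo "FAIL: SAN of https.crt lacks DNS:root-$fqdn"; rc=1; }

    # https.key must belong to https.crt: compare the two public keys.
    # "-passin pass:" makes an encrypted key fail instead of prompting.
    crt_pub=$(openssl x509 -in "$dir/https.crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$dir/https.key" -pubout -passin pass: 2>/dev/null)
    { [ -n "$key_pub" ] && [ "$crt_pub" = "$key_pub" ]; } \
        || { echo "FAIL: https.key does not match https.crt"; rc=1; }

    # https.crt must be issued by ca.crt. -partial_chain lets an intermediate
    # CA serve as the trust anchor, since ca.crt need not be a self-signed root.
    openssl verify -partial_chain -CAfile "$dir/ca.crt" "$dir/https.crt" \
        >/dev/null 2>&1 || { echo "FAIL: https.crt is not signed by ca.crt"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $dir is consistent for $fqdn"
    return "$rc"
}

# Run the check only when called with both arguments.
if [ "$#" -eq 2 ]; then check_certs "$1" "$2"; fi
```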
(Optional) Codesign certificates
Additionally, you may use a custom codesign certificate. This will be used to sign the Zmanda Pro Clients that you can download from your server under the Download Client Software tab.
To use custom codesign certificates, you'll first need a codesign certificate pair, i.e. the codesigning X.509 certificate and its key (the private signer for the certificate).
Generate a file named codesign.pass, with a password to encrypt the certificate
Generate the codesign.pfx file enveloping the codesign certificate and its corresponding key.
The codesign.pass & codesign.pfx files are to be placed under the certs/ directory found in your Zmanda Pro Setup Package
How to upload custom certificates?
Replace Certificates
Ensure your custom certificates are present in the certs/ directory before beginning the installation
Install & upload the custom certificates on the Zmanda Pro container
Run the setup installer as root user
Activate your License
If you're running in an offline environment, contact Zmanda Sales to get your Zmanda Pro License_Activator
For an online environment, you will be able to find the License_Activator inside your Zmanda Pro Setup Package.
Place the activator in the setup/ directory & run as root
This will prompt you to enter the unlock password. Enter the unlock password shared with you by the Zmanda Team.
NOTE: If you're installing the Zmanda Pro Server for the first time, you will need to activate your server first before running the certs command
./Zmanda_License_Activator.run
Zmanda Pro Self-Signed Certificates
The self-hosted Zmanda Pro deployment comes with self-signed certificates with the following configurations:
ca.crt: This is the root CA and it has a validity of 5 years. The https & codesigning certificates are digitally signed by this CA.
https.crt: This certificate will prove the identity of the FQDN on which you access your server. It will also secure the root- prefixed domain, configured as a Subject Alternative Name (SAN) for this certificate.
For example: CN: backup.zmanda.com SAN: root-backup.zmanda.com
The https.crt has a validity of 3 years.
https.key: the private key which encrypts the above https certificate
If at any point you decide to fall back to the self-signed certificates, you may reset the certificates that the Zmanda Pro Server presents by running the following activator command