How to Request and Install a Custom HTTPS Certificate using the CLI (KBA1730)

 

Applicable Delphix Versions

Major Release: 5.2
All Sub Releases: 5.2.4.0, 5.2.5.0

Issue

The self-signed certificate is not suitable for use in the company, which requires a certificate properly signed by the internal CA.

Resolution

Connect to the Delphix engine using the delphix_admin user via CLI (SSH):

hostname.domainname> service tls csr
hostname.domainname service tls csr> create
hostname.domainname service tls csr create *> ls
Properties
   type: CertificateSigningRequestCreateParameters
   dname:
       type: X500DistinguishedNameComposite
       dname: (required)
   endEntity:
       type: EndEntityHttps
   forceReplace: false
   keyPair:
       type: RsaKeyPair
       keySize: 2048
       signatureAlgorithm: SHA256withRSA

A composite subject name, or at least the commonName (CN), must be provided if the fields are entered manually:

hostname.domainname service tls csr create *> set dname.dname="CN=Delphix CA, O=Delphix, C=US"
hostname.domainname service tls csr create *> ls
Properties
   type: CertificateSigningRequestCreateParameters
   dname:
       type: X500DistinguishedNameComposite (*)
       dname: CN=Delphix CA, O=Delphix, C=US (*)
hostname.domainname service tls csr create *> set dname.type=X500DistinguishedNameFields
hostname.domainname service tls csr create *> set dname.commonName="Delphix CA"
hostname.domainname service tls csr create *> ls
Properties
   type: CertificateSigningRequestCreateParameters
   dname:
       type: X500DistinguishedNameFields (*)
       city: (unset)
       commonName: Delphix CA (*)
       country: (unset)
       organization: (unset)
       organizationUnit: (unset)
       stateRegion: (unset)

Commit, select the request using its reference, and copy and paste requestInPem into a file. This will be the CSR that needs to be signed by the CA:

hostname.domainname service tls csr create *> commit
    `CERTIFICATE_SIGNING_REQUEST-2
hostname.domainname service tls csr> select CERTIFICATE_SIGNING_REQUEST-2
hostname.domainname service tls csr 'CN=Delphix CA, O=Delphix, C=US'> ls
Properties
    type: CertificateSigningRequest
    name: CN=Delphix CA, O=Delphix, C=US
    endEntity:
        type: EndEntityHttps
    keyPair:
        type: RsaKeyPair
        keySize: 2048
        signatureAlgorithm: SHA256withRSA
    reference: CERTIFICATE_SIGNING_REQUEST-2
    requestInPem: -----BEGIN CERTIFICATE REQUEST-----
MIICeTCCAWECAQAwNDELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0RlbHBoaXgxEzAR
BgNVBAMTCkRlbHBoaXggQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQC6AHizntokVU6ymwdM6kJXQrcsvJuEkPFUdPzzoF1szWoN/pQtELGP0FvzVRR4
tTLC5xJeS6zSlvToNYnVh5djxM+JtOrYyE1bMCSg+JKpSY/JNqRcIGgUW8QYNMdN
sKdHu2vASZUQBD9B5Wyi8RJXoGB5NjWg5IpV0XuQMSJnlHLx4GgMwVvfnD4Mn4jP
RlCjf9dOEyOM+rOxFGRo94FWGZ2xD678BIP4xPUmf2J0ZzPbgE6m2JAMOuLb4O/J
Yt9WWiJxohVPgIzYEgptumnNUCdEDYa4kvz+YwOsD4vovkrMNmV0Qx1vK+MbMdLv
T85aqFuXYC0ziCzSGNE8DrTJAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAfM2o
ocF1JXmZyedtyT+Gs5ttdmiCUQV104jnEwEWIFUBzgQZ4u06ZVGMCBrgsc3wTyez
8n1S5kGnQPyhwLi4ZeSJPCJZF1sIP6tDIdROudcFnn9yLbpPXLKEbyQ/kbJY0SjF
4xNaLVme4fjq2xSCM7OdHSLidm6OzK7+xbCyvU9/2QqHWhC5nlU/n25blqT2shB6
Q42xIyw52g6JTcH8zDTHc8iWyxQWOX0UbKCvGuvDJJhhvjSov/u75tPiMBa7qD7R
xoJjXZXpwjA8DJvWKiZT9MQGFGPk/94RAdA9c+hGiU+0y1iShlUjWphP/rB+ZIDB
nKcRlHGEZJua7vZxVA==
-----END CERTIFICATE REQUEST-----

Once the certificate has been signed, import all the certificates in the chain. Normally this means importing the CA and server certificates; however, the chain may include one or more intermediate certificates that also need to be imported.
Certificates must be in PEM (Base64) format, and it's best to remove all the newlines from the required certificates, replacing them with nothing.
TextWrangler on Mac (using the "grep" option in replace), Notepad++ on Windows (using extended options in replace), or tr -d '\n' < cert.txt on Linux can be used to remove the newlines.

Original certificate:

-----BEGIN CERTIFICATE-----
MIIDgzCCAmugAwIBAgIQT1WLzbq1Y45O/pAA872wjTANBgkqhkiG9w0BAQsFADBU
MRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGDAWBgoJkiaJk/IsZAEZFghzYW5kcm9h
ZDEhMB8GA1UEAxMYc2FuZHJvYWQtMTAtNDMtMTYtMTI1LUNBMB4XDTE4MDEzMDE2
MjA0MloXDTIzMDEzMDE2MzA0MVowVDEVMBMGCgmSJomT8ixkARkWBWxvY2FsMRgw
FgYKCZImiZPyLGQBGRYIc2FuZHJvYWQxITAfBgNVBAMTGHNhbmRyb2FkLTEwLTQz
LTE2LTEyNS1DQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL6gnldb
T25fBKkbyg+anZ1qRaUEf+ajW2B5+B+YFGFuxSXYpPX1YCeGKsPlIBNky+rzqKfe
fr1lyaITEW1zEN7Yq9CZO92E0yFJHe7CIkUfjo+tAo2JzzQ5HJCFpa6g39qWZ05g
ZCi6E2MCUIVB8c9zF7slr8vGSCItUUY0sQwJV95UVd7cygILWmXYsUlmrSTDyLeP
EH4P5TxOD7dwhGGT9D3zXt/l57fDI+rL2cUJQin9dtWuaNL2i5jCdop4e99HZ7r5
EsZUNKTzll3i/cllRH95eh99wEY6txyynYre7WeQFgIcC58bTvb4XY0jcN6MlhpB
QwLBP0CK2wWnjVUCAwEAAaNRME8wCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMB
Af8wHQYDVR0OBBYEFHl7H2JOQFha31uixJvb8y8lIj+mMBAGCSsGAQQBgjcVAQQD
AgEAMA0GCSqGSIb3DQEBCwUAA4IBAQCa3M1ykSdz5NcOoA4k6VYG/hKhWhYC5+fe
IwGz3RpTmBhDaaA4y6J5FfXZ02sf8UoMuBBpWxe1RPDndM2o4SvJxllDTTINxkqC
lyNRKkAngm2dlFtUMc+zti6GmZojF3ynV8lDpHnkx4jJkWQ0mEjhH0LR9MAIIExd
TbIEvIX11eGYVhAmUb+gl/vBFAYfOfS/F1wP7Q0hQPQc5IdGXDWl/My3CS+/6fs4
s8ofgsSvIGp+Y/YLf2VDfgUeK5jqVSMQFLV1HI+ExE+ObFyEpAzgG0yIFOMLaz1b
bb1vLyfpfDw71P46r1U3+cUp+7Y6Ou8mZzRLb7cMWvWxVze+t2Uw
-----END CERTIFICATE-----

Without newlines, it's only one big line:

-----BEGIN CERTIFICATE-----<Base64 body of the certificate, on one line>-----END CERTIFICATE-----

Import the certificates; the order doesn't matter:

hostname.domainname service tls csr> cd ..
hostname.domainname service tls> endEntityCertificate
hostname.domainname service tls endEntityCertificate> replace
hostname.domainname service tls endEntityCertificate replace *> ls
Properties
    type: EndEntityCertificateReplaceChainParameters
    chain:
        type: PemCertificateChain
        chain: (required)
    endEntity:
        type: EndEntityHttps
hostname.domainname service tls endEntityCertificate replace *> edit chain.chain
hostname.domainname service tls endEntityCertificate replace chain.chain *> add
hostname.domainname service tls endEntityCertificate replace chain.chain 0 *> ls
Properties
    type: PemCertificate (*)
    contents: (required)
hostname.domainname service tls endEntityCertificate replace chain.chain 0 *> set contents="-----BEGIN CERTIFICATE-----<Base64 body of the first certificate, on one line>-----END CERTIFICATE-----"
hostname.domainname service tls endEntityCertificate replace chain.chain 0 *> back
hostname.domainname service tls endEntityCertificate replace chain.chain *> add
hostname.domainname service tls endEntityCertificate replace chain.chain 1 *> set contents="-----BEGIN CERTIFICATE-----<Base64 body of the second certificate, on one line>-----END CERTIFICATE-----"
hostname.domainname service tls endEntityCertificate replace chain.chain 1 *> back
hostname.domainname service tls endEntityCertificate replace chain.chain *> commit
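
The flatten-and-import steps above, as an added Python example (not Delphix code): it splits a PEM bundle into individual certificates, strips LF and CRLF line breaks from each, rejects bodies that are not valid Base64, and produces the lines to enter after `edit chain.chain`. The function names and the sample bundle are assumptions constructed for illustration; the sample bodies are placeholder DER, not real certificates.

```python
import base64
import re

# Matches one PEM certificate block; tolerates CRLF and text between blocks.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)

def flatten_chain(bundle: str) -> list[str]:
    """Return each certificate in `bundle` as its own single-line PEM string."""
    flat = []
    for i, match in enumerate(PEM_RE.finditer(bundle)):
        body = "".join(match.group(1).split())  # drops \n, \r, spaces, tabs
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:
            raise ValueError(f"certificate {i}: body is not valid Base64") from exc
        if not der.startswith(b"\x30"):  # X.509 DER always starts with SEQUENCE
            raise ValueError(f"certificate {i}: decoded data is not DER")
        flat.append(f"-----BEGIN CERTIFICATE-----{body}-----END CERTIFICATE-----")
    if not flat:
        raise ValueError("no PEM certificate found")
    return flat

def cli_lines(chain: list[str]) -> list[str]:
    """Lines to enter after 'edit chain.chain', mirroring the session above."""
    lines = []
    for pem in chain:
        lines += ["add", f'set contents="{pem}"', "back"]
    return lines + ["commit"]

def _constructed_pem(fill: int, newline: str) -> str:
    # Constructed placeholder DER (SEQUENCE wrapping an OCTET STRING),
    # not a real certificate; it only exercises the text handling.
    der = b"\x30\x66\x04\x64" + bytes([fill]) * 100
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return newline.join(["-----BEGIN CERTIFICATE-----", *rows,
                         "-----END CERTIFICATE-----", ""])

# Constructed bundle: one block with LF endings, one with CRLF endings.
SAMPLE_BUNDLE = _constructed_pem(0x11, "\n") + "\n" + _constructed_pem(0x22, "\r\n")

if __name__ == "__main__":
    print("\n".join(cli_lines(flatten_chain(SAMPLE_BUNDLE))))
```

Running tr -d '\n' over a whole bundle file would instead merge every certificate into one line and leave any carriage returns in place, which is why the helper splits on the PEM markers first.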

Verify the new certificate is in place:

hostname.domainname service tls endEntityCertificate> ls
Objects
NAME                                                                               REFERENCE                                                        ENDENTITY.TYPE  NOTAFTER
CN=Delphix CA, O=Delphix, C=US  END_ENTITY_CERTIFICATE-D2244F2E254E16C8FFDA0D2FF0FE3C5067B1F1F3  EndEntityHttps  2020-05-15T09:45:50.000Z

Operations
replace
showProvidedCertificateChain
requestKeyPairAndCertChainUpload

Log in as sysadmin via the CLI to restart the Delphix Management stack; this will enable the HTTPS service with the newly installed certificate:

hostname.domainname> system/restart
hostname.domainname system restart *> commit
Restarting the management service. The current session will be re-established once the service is available.

Verify via browser that the certificate is now valid.

Additional Information

Documentation reference page: CLI Cookbook: Changing HTTP and HTTPS Web Connections