I recently came into a situation where I wanted to update the CA certificate on my Tintri T820 with a new one from Active Directory. As I went through the process I realized it was not just a point-and-click affair, so I grabbed some screenshots and documented the steps.
Before you start, you should (not mandatory, but highly recommended) check which hash algorithm your AD CA signs with. Mine was still using SHA-1, which has already been deprecated by some of the newer web browsers (*ahem* Google Chrome, I’m looking at you). I figured if I was going to go through this process now, I might as well follow best practice and move to a newer, more secure algorithm.
First things first – check which signature algorithm your current CA certificate uses. Open the local computer certificate store on the CA (certlm.msc), navigate to Personal –> Certificates, find the CA’s own certificate (not the domain controller’s authentication certificate, which sits in the same store if the CA runs on a DC) and open its properties. On the Details tab, the Signature algorithm field is what you are after: sha1RSA means you are still on SHA-1, sha256RSA means you are done with this part.
If your CA certificate is not signed with SHA-256, you can change the hash the CA uses for everything it signs from now on by running the following command from an elevated command prompt on the CA itself:
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
The value is only read when Certificate Services starts, so restart the service (net stop certsvc followed by net start certsvc) before going further. Note that CNGHashAlgorithm applies to CAs whose key is held in a CNG key storage provider; a CA whose key still lives in a legacy CSP ignores it. Changing the setting does not touch the CA’s own certificate, which keeps its SHA-1 signature until you renew it: open the Certification Authority console (certsrv.msc), right-click the CA –> All Tasks –> Renew CA Certificate.
You will be asked whether you also want to generate a new signing key. I took the opportunity to do so, as it had been quite a while since the current key was generated. Either answer gets you a SHA-256-signed CA certificate; with a new key the CA ends up holding two certificates, and certificates it issued under the old key continue to chain to the old CA certificate until that expires.
After this, check that the new certificate really is using SHA-256, by opening its properties the same way as above. If it is still showing sha1RSA, go back and make sure you ran the command to change the signing algorithm correctly and restarted the service before renewing.
Next up, we need a copy of the new certificate. There are a few ways to get it, but I opted for the web enrollment page at https://servername/certsrv (where servername is your CA server’s name). You should be greeted with a page with a few options, the last of which is ‘Download a CA certificate, certificate chain, or CRL’ – that’s the one we want, so click the link.
On the next page, make sure the Current version of the CA certificate is selected – this is the one we just created; older versions are listed beneath it. This page also lets you pick the encoding: Base 64 gives you the PEM text the Tintri wants directly, while DER gives a binary file that needs the conversion below. Follow the ‘Download CA certificate’ link and note where the file is saved.
The Tintri expects the certificate as Base64 (PEM) text, so if you downloaded the DER form you need to convert it. certutil will do that for you. Open a command prompt and run the following command:
Certutil -encode certname.cer certname.txt
Note that certname.cer is the certificate we downloaded above and certname.txt is where the output goes. The resulting file should begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----; that whole block, headers included, is what gets pasted into the Tintri.
Now we can log into the Tintri OS, go to Settings –> More –> Certificates –> click Upload next to CA Certificates, paste the contents of certname.txt into the window and hit Save. Once that is done you should see your new certificate listed as the CA Certificate.
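The CA-side steps above (check the signature algorithm, switch the CA to SHA-256 and restart it, then export the current CA certificate as PEM and verify the result before pasting it into the Tintri) can be scripted so the check happens every time rather than by eyeballing a properties dialog. The script below is an added example written for this page, not code from the original post or from Tintri. It assumes an elevated PowerShell prompt on the CA itself, a CA whose key is in a CNG key storage provider (which is what the CNGHashAlgorithm setting applies to), and the output folder $OutDir, which is a placeholder. The renewal itself is left to the MMC dialog the post describes, so you still get to answer the new-key prompt yourself.

```powershell
# Added example, not from the original post: the CA-side procedure as one script.
# Assumptions: elevated PowerShell on the CA; CA key held in a CNG KSP; $OutDir is a placeholder.
$ErrorActionPreference = 'Stop'
$OutDir = 'C:\Temp\tintri-ca'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Step 1: have the CA service hand over its *current* certificate in DER form and load it,
# rather than hunting for the right certificate in the Personal store by hand.
function Get-CurrentCaCert {
    param([string]$DerPath)
    certutil -ca.cert $DerPath | Out-Null
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $DerPath
}

# Step 2: switch the CA's signing hash to SHA-256. The registry value is read at service
# start, so certsvc is restarted. A CA still using a legacy CSP does not honor this value,
# so refuse to continue if the provider is not a CNG key storage provider.
function Set-CaHashSha256 {
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty $cfg).Active
    $provider = (Get-ItemProperty "$cfg\$caName\CSP").Provider
    if ($provider -notmatch 'Key Storage Provider') {
        throw "CA key is in legacy CSP '$provider'; ca\csp\CNGHashAlgorithm would be ignored."
    }
    certutil -setreg ca\csp\CNGHashAlgorithm SHA256 | Out-Null
    Restart-Service certsvc
}

# Step 3: DER -> PEM with 64-column Base64 lines, the same layout certutil -encode produces.
function ConvertTo-PemCertificate {
    param([byte[]]$Der)
    $b64 = [Convert]::ToBase64String($Der)
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    (@('-----BEGIN CERTIFICATE-----') + $lines + '-----END CERTIFICATE-----') -join "`r`n"
}

# Step 4: reload the PEM file and confirm it is the same certificate (same thumbprint)
# before anything gets pasted into the Tintri.
function Test-PemMatches {
    param([string]$PemPath, [string]$ExpectedThumbprint)
    $reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PemPath
    $reloaded.Thumbprint -eq $ExpectedThumbprint
}

$derPath = Join-Path $OutDir 'ca-current.cer'
$cert = Get-CurrentCaCert -DerPath $derPath
"CA: $($cert.Subject)  signature: $($cert.SignatureAlgorithm.FriendlyName)  expires: $($cert.NotAfter)"

# FriendlyName is e.g. 'sha1RSA' or 'sha256RSA'; anything in the SHA-2 family is acceptable.
if ($cert.SignatureAlgorithm.FriendlyName -notmatch '^sha(256|384|512)') {
    Set-CaHashSha256
    Write-Warning 'CNGHashAlgorithm set to SHA256 and certsvc restarted.'
    Write-Warning 'Renew the CA certificate now (certsrv.msc -> CA -> All Tasks -> Renew CA Certificate), then rerun this script.'
    return
}

$pemPath = Join-Path $OutDir 'ca-current.txt'
Set-Content -Path $pemPath -Value (ConvertTo-PemCertificate -Der $cert.RawData) -Encoding Ascii
if (-not (Test-PemMatches -PemPath $pemPath -ExpectedThumbprint $cert.Thumbprint)) {
    throw "$pemPath does not reload to thumbprint $($cert.Thumbprint); do not upload it."
}
"Paste the contents of $pemPath into Settings -> More -> Certificates -> CA Certificates on the Tintri."
```

Run it once before the renewal: it reports the current signature algorithm, flips the CA to SHA-256 if needed and stops so you can renew in the console. Run it again afterwards and it writes the PEM file, proving along the way that the new certificate is SHA-2 signed and that the text file round-trips to the same thumbprint as what the CA served. The thumbprint it prints is also the value to compare against what the Tintri shows after the upload.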