Cloud Volumes Backup: Support tool - Certificate

The certificate sub-command enables you to verify the certificates and keys provided for use with the Cloud Volumes Backup service. Provisioned certificates are X.509 certificates that are used for authentication and transport security for the service and have an associated time to live (TTL). Certificates are provisioned against a root CA (ca.crt) operated by Hewlett Packard Enterprise Ltd and typically have a TTL of 90 days (3 months). The secure client automatically rotates these certificates on a monthly cadence, giving a 2 month grace period for rotation before new certificates will need to be provisioned by the service.

The available sub-commands in the certificate module are:

  • check-ca
  • check-expiry
  • check-key
  • check-time
  • info
  • verify

check-ca - Verify certificate validates back to Certificate Authority

The check-ca sub-command enables you to verify that a certificate chains back to a certificate authority. It is useful for confirming that the certificate you hold is valid against the specified CA certificate. If issues are encountered here, it is possible that the CA certificate has expired or that the client certificate is not valid for the current region.

Example usage:

To verify client.crt is valid using CA ca.crt, run the following command:

bash$ ./cvbu-support-tool certificate check-ca ca.crt client.crt

Certificate verified to CA successfully

check-expiry - Check certificate expiry information

The check-expiry sub-command enables you to verify whether a certificate has passed the end of its validity period. If it has, the command prints a message stating that the certificate has expired; if the certificate is still valid, the tool reports that instead.

Example usage:

To verify if a certificate is past its specified expiry date, run the following command:

bash$ ./cvbu-support-tool certificate check-expiry client.crt

Certificate has expired

check-key - Check key matches certificate

The check-key sub-command enables you to verify that the specified key and certificate match, by comparing the public exponent and modulus of the key with those of the certificate's public key. If these numbers do not match, the key and certificate belong to different stores.

Example usage:

To verify that the key client.key and certificate client.crt match, run the following command:

bash$ ./cvbu-support-tool certificate check-key client.crt client.key

Key and certificate match!

check-time - Check time sync of system vs NTP

The check-time sub-command enables you to verify the time-sync between the local server and an NTP server, either on the public Internet or within your infrastructure. Time-sync is important when working with PKI, as certificate expiry checks depend on the clocks of the participating servers being synchronized. A time-skew of more than a minute can cause issues when authenticating with many public services. The optional parameter --ntp-server can be specified to use a custom NTP server. The default target is pool.ntp.org.

NOTE: The check-time command should be run on the machine on which you will be running the secure-client process.

Example usage:

To check time-sync on the local node against us.pool.ntp.org, run the following command:

bash$ ./cvbu-support-tool certificate check-time --ntp-server us.pool.ntp.org

Time: 2020-08-11 08:55:47.514123+00:00
Time offset: 0 seconds

info - Print certificate information

The info sub-command enables you to print certificate information out to the terminal. It displays the following information:

  • Store name of target backup store
  • Store id of target backup store
  • Forward addresses for CMD/DATA traffic
  • Expiry date of certificate
  • If certificate is past expiry date (expired)

This information helps determine whether the certificate is for the correct target store, and can help diagnose routing issues within the service.

Example usage:

To print out information for client certificate client.crt, run the following command:

bash$ ./cvbu-support-tool certificate info client.crt

------------  ------------------------------------
Store name    backup-target-6
Store id      7a8cd0f1-6a75-4af0-abd9-8a2714f3a955
Cmd forward   10.12.10.111:32139
Data forward  10.12.10.111:30068
Expiry        2020-04-30 14:06:44
Expired       True
------------  ------------------------------------

verify - Verify x509 certificates

The verify sub-command enables you to run all component tests from the certificate module on the specified keys/certs. It takes three positional parameters: the CA certificate path, the client certificate path and the client key path. It also accepts the optional --ntp-server argument, in the same manner as the check-time sub-command; the default is pool.ntp.org.

Example usage:

To verify the time-sync, certificate expiry, key + certificate match and CA chain, run the following command:

bash$ ./cvbu-support-tool certificate verify ca.crt client.crt client.key

Time: 2020-08-11 09:44:37.427233+00:00
Time offset: 0 seconds
Certificate is within validity
Key and certificate match!
Certificate verified to CA successfully
------------  ------------------------------------
Store name    test-store
Store id      980eabd0-ef8e-4b13-989a-225f8c456c9d
Cmd forward   10.10.13.111:30828
Data forward  10.10.13.111:31536
Expiry        2020-09-24 09:11:15
Expired       False
------------  ------------------------------------
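As an added example (not the support tool's own code), the check-ca, check-expiry and check-key tests that verify runs, implemented with Go's standard library: CheckCA walks the chain to the root CA at a given time, CheckExpiry tests the validity window, and CheckKey compares the RSA modulus and public exponent of key and certificate. MakeTestPKI and sign are fixture helpers that generate a throwaway root CA and a 90-day client certificate so the example runs offline; the function names, the 2048-bit RSA keys and the subject names are assumptions, not taken from the tool or from HPE's CA, and the NTP and store-info steps are left out.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CheckCA mirrors check-ca: client must chain to the root CA and be usable for client auth at time now.
func CheckCA(ca, client *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := client.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// CheckExpiry mirrors check-expiry: true while now lies inside the NotBefore..NotAfter window.
func CheckExpiry(c *x509.Certificate, now time.Time) bool {
	return !now.Before(c.NotBefore) && !now.After(c.NotAfter)
}

// CheckKey mirrors check-key: the key's RSA modulus and public exponent must equal the certificate's.
func CheckKey(c *x509.Certificate, key *rsa.PrivateKey) bool {
	pub, ok := c.PublicKey.(*rsa.PublicKey)
	return ok && pub.N.Cmp(key.N) == 0 && pub.E == key.E
}

// MakeTestPKI is constructed fixture material (not HPE's CA): a root CA plus a 90-day client certificate.
func MakeTestPKI(issued time.Time) (ca, client *x509.Certificate, caKey, clientKey *rsa.PrivateKey) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	clientKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil || err2 != nil { panic("RSA key generation failed") }
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-root-ca"},
		NotBefore: issued, NotAfter: issued.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = sign(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	clTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "constructed-client"},
		NotBefore: issued, NotAfter: issued.AddDate(0, 0, 90)} // 90-day TTL, as the page describes
	client = sign(clTmpl, ca, &clientKey.PublicKey, caKey)
	return ca, client, caKey, clientKey
}

// sign issues tmpl under parent with the signer's key and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return c
}
```

Issuing the fixture 100 days in the past reproduces the expired case shown under check-expiry, and checking the client certificate against the CA key reproduces the mismatch case under check-key.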