Cloud Volumes Backup: Support tool - Certificate
The certificate sub-command enables you to verify the certificates and keys provided for use with the Cloud Volumes Backup service. Provisioned certificates are X.509 certificates that are used for authentication and transport security for the service and have an associated time to live (TTL). Certificates are provisioned against a root CA (ca.crt) operated by Hewlett Packard Enterprise Ltd and typically have a TTL of 90 days (3 months). The secure client automatically rotates these certificates on a monthly cadence, giving a 2 month grace period for rotation before new certificates need to be provisioned by the service.
The available sub-commands in the certificate module are:
- check-ca
- check-expiry
- check-key
- check-time
- info
- verify
check-ca - Verify certificate validates back to Certificate Authority
The check-ca sub-command enables you to verify a certificate chain back to a certificate authority. It is useful for verifying that the certificate you possess is valid against the specified CA certificate. If issues are encountered here, it is possible that the CA certificate has expired or that the client certificate is not valid for the current region.
Example usage:
To verify client.crt is valid using CA ca.crt, run the following command:
bash$ ./cvbu-support-tool certificate check-ca ca.crt client.crt
Certificate verified to CA successfully
check-expiry - Check certificate expiry information
The check-expiry sub-command enables you to verify whether a certificate has passed its end validity date. If it has, the command logs a message letting the user know that the certificate has expired. If the certificate is still valid, the tool reports that instead.
Example usage:
To verify if a certificate is past its specified expiry date, run the following command:
bash$ ./cvbu-support-tool certificate check-expiry client.crt
Certificate has expired
check-key - Check key matches certificate
The check-key sub-command enables you to verify that the specified key and certificate match, i.e. that their public exponent and modulus are the same. If these numbers do not match, then the key and certificate are for different stores.
Example usage:
To verify that the key client.key and certificate client.crt match, run the following command:
bash$ ./cvbu-support-tool certificate check-key client.crt client.key
Key and certificate match!
check-time - Check time sync of system vs NTP
The check-time sub-command enables you to verify the time-sync between the local server and an NTP server on the public Internet or within your infrastructure. Time-sync is important when working with PKI, as certificate expiry is predicated on synchronized time between servers. A time-skew of more than a minute can cause issues when authenticating with many public services. The optional parameter --ntp-server can be specified to use a custom NTP server. The default target is: pool.ntp.org.
NOTE: The check-time command should be run on the machine on which you will be running the secure-client process.
Example usage:
To check time-sync on the local node against us.pool.ntp.org, run the following command:
bash$ ./cvbu-support-tool certificate check-time --ntp-server us.pool.ntp.org
Time: 2020-08-11 08:55:47.514123+00:00
Time offset: 0 seconds
info - Print certificate information
The info sub-command enables you to print certificate information out to the terminal. It displays the following information:
- Store name of target backup store
- Store id of target backup store
- Forward addresses for CMD/DATA traffic
- Expiry date of certificate
- If certificate is past expiry date (expired)
This information can be useful in determining whether the certificate is for the correct target store, and in diagnosing routing issues within the service.
Example usage:
To print out information for client certificate client.crt, run the following command:
bash$ ./cvbu-support-tool certificate info client.crt
------------ ------------------------------------
Store name backup-target-6
Store id 7a8cd0f1-6a75-4af0-abd9-8a2714f3a955
Cmd forward 10.12.10.111:32139
Data forward 10.12.10.111:30068
Expiry 2020-04-30 14:06:44
Expired True
Common name cert-1.backup-target-6.7a8cd0f1-6a75-4af0-abd9-8a2714f3a955
------------ ------------------------------------
verify - Verify x509 certificates
The verify sub-command enables you to run all component tests from the certificate module on the specified keys/certs. It takes the following parameters: CA certificate path, client certificate path and client key path. It also takes the optional --ntp-server argument, in the same manner as the check-time sub-command. The default is: pool.ntp.org.
Example usage:
To verify the time-sync, certificate expiry, key + certificate match and CA chain, run the following command:
bash$ ./cvbu-support-tool certificate verify ca.crt client.crt client.key
Time: 2020-08-11 09:44:37.427233+00:00
Time offset: 0 seconds
Certificate is within validity
Key and certificate match!
Certificate verified to CA successfully
------------ ------------------------------------
Store name test-store
Store id 980eabd0-ef8e-4b13-989a-225f8c456c9d
Cmd forward 10.10.13.111:30828
Data forward 10.10.13.111:31536
Expiry 2020-09-24 09:11:15
Expired False
Common name cert-1.backup-target-6.7a8cd0f1-6a75-4af0-abd9-8a2714f3a955
------------ ------------------------------------