# px2-300d firmware version: 4.1.414.34909
# 2022.08.30
#Background:
#0. the whole process can be done in Windows, provided you have OpenSSL installed on your machine
#in my case it is: OpenSSL 1.1.1o 3 May 2022
#In case due to some reason
#1. read this thread
Start-Process 'https://stackoverflow.com/questions/10175812/how-to-generate-a-self-signed-ssl-certificate-using-openssl'
#Crucial section starts from the paragraph:
#'As of 2022 with OpenSSL ≥ 1.1.1, the following command serves all your needs, including Subject Alternate Name (SAN):'
#2. this is the section of the code which helps calculating the number of days left until day 0, when the cert is going to expire
# in my case, for the overall convenience that the self signed certs (which are being used for the web services exposed locally)
# expire at the same point in time, I tried to synchronize the timing with another cert which was already configured within the
# environment - 18th January 2025 - it's not a must, you can skip this step in case it does not add any value for you
$now = Get-Date
# time span between now and the target expiry date; the Days value goes into the -days parameter in step 3
New-TimeSpan -Start $now -End $(Get-Date('01.18.2025'))
# cross-check: the date on which a cert issued today with -days 872 expires
(Get-Date).AddDays(872)
#3. Execute following command
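# -nodes leaves px2-300d.key unencrypted on disk
# SAN DNS entries are bare host names; a URL such as https://nas.local is never matched by clients, so it is left out here
openssl req -x509 -newkey rsa:2048 -sha256 -days 872 -nodes -keyout px2-300d.key -out px2-300d.crt -subj "/CN=nas.local" -addext "subjectAltName=DNS:nas.local,IP:[IP_AddressOfYour-px2-300d-device]"
# build the pem file: certificate first, then the key (ascii encoding, so that the PEM text is not written as UTF-16)
Get-Content .\px2-300d.crt, .\px2-300d.key | Set-Content -Encoding ascii .\px2-300d.pem
# or do the same by hand through the clipboard:
Get-Content .\px2-300d.crt | clip
# copy the content of the px2-300d.crt (from the clipboard) to the px2-300d.pem file
Get-Content .\px2-300d.key | clip
# add the content of the px2-300d.key (from the clipboard) to the px2-300d.pem file
# now you are equipped with the px2-300d.pem file which can be uploaded into the Lenovo Dell EMC px2-300d device via the web interface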
Start-Process 'https://[IP_AddressOfYour-px2-300d-device]/manage/security.html?cat=all'
# Local Network encryption (SSL): Not Required
# Remote Network encryption (SSL): Always
# Certificate settings:
# * Use the default certificate (we are not using this, because we want to use our own self signed cert with Subject Alternative Name etc)
# * Use an imported certificate [Browse, and upload the px2-300d.pem]
# then you should not receive any error message, and the engine should just digest the certificate properly
#4. CHECK the certificate on the device itself
# Enable diagnostic mode:
Start-Process 'https://[IP_AddressOfYour-px2-300d-device]/manage/diagnostics.html'
# configure values below,
# SSH Port: [preferedSshPortNumber]
# Root password: [preferred password used to access via ssh]
# Confirm Root Password: [preferred password to access via ssh]
# Once the Apply button has been hit, you are ready to log in from your endpoint to the px2-300d over SSH
ssh root@[IP_AddressOfYour-px2-300d-device] -p [preferedSshPortNumber]
# now the tricky piece: even though you configured the preferred password used to access via ssh, once you are logging in
# you have to add the string 'soho' as a prefix of the password, otherwise it will keep rejecting the pass
# imagine your password defined in the abovementioned gui was: lenovoMagic
# then during the ssh attempt you use the password: soholenovoMagic
# do not ask me why that is, it is how it is
# at this point you should be able to run on your px2-300d following command
ls -lah /etc/ssl/certificates/
# which will show you the crt files
# in my case I do have selfcert.crt and usercert.crt_1
openssl x509 -text -noout -in /etc/ssl/certificates/usercert.crt_1
openssl x509 -text -noout -in /etc/ssl/certificates/selfcert.crt
# I'm not sure at the moment whether the selfcert.crt was generated by using the option (use the default cert) as per paragraph 3.
# But I'm convinced that the usercert.crt_1 is the one which was uploaded with the Browse button...
# this can be confirmed when you have a look into the section of
# X509v3 Subject Alternative Name:
# from the output of the abovementioned command
# at this stage, if you are on a Windows device, it's enough that you add the .cer certificate into the
# Trusted Root Certificates within the Local Computer store.
# I'm sure there are better and alternative ways (as I remember that with a previous attempt I was doing this in a different way)
# but at least the overall goal was achieved.
# That's it
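# Added example, not part of the original notes: before the self signed certificate goes into the Trusted Root store,
# confirm that the device really serves the certificate generated in step 3, and warn if that certificate is CA-capable.
# Assumptions: an elevated PowerShell session, the web interface on port 443, and the variable names used below.

```powershell
# Added example. Assumptions: run from an elevated PowerShell in the folder holding
# px2-300d.crt; the web interface listens on 443; replace the address placeholder.
$DeviceAddress = '[IP_AddressOfYour-px2-300d-device]'
$Port          = 443
$CrtPath       = (Resolve-Path '.\px2-300d.crt').Path

# 1. Load the certificate generated in step 3 and show what is about to be trusted
$local = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CrtPath)
$san   = $local.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
'Subject   : {0}' -f $local.Subject
'Not after : {0}' -f $local.NotAfter
'SAN       : {0}' -f $(if ($san) { $san.Format($false) } else { '<none>' })

# 2. Warn when the certificate can act as a CA (basicConstraints CA:TRUE)
$bc = $local.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
if ($bc -and $bc.CertificateAuthority) {
    Write-Warning 'CA:TRUE is set: once trusted as a root, whoever holds px2-300d.key can issue certificates this machine accepts.'
}

# 3. Read the certificate the device actually serves (validation is skipped on
#    purpose: nothing is sent, the presented certificate is only read)
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$tcp = [System.Net.Sockets.TcpClient]::new($DeviceAddress, $Port)
try {
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAny)
    $ssl.AuthenticateAsClient($DeviceAddress)
    $served = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
}
finally {
    $tcp.Dispose()
}

# 4. Import only when the served certificate is byte-for-byte the generated one
$same = [Convert]::ToBase64String($served.RawData) -eq [Convert]::ToBase64String($local.RawData)
if (-not $same) {
    throw "Device serves thumbprint $($served.Thumbprint), expected $($local.Thumbprint). Nothing imported."
}
Import-Certificate -FilePath $CrtPath -CertStoreLocation Cert:\LocalMachine\Root
```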