> Software > Manage > Infrastructure > Unified Data Vault > Create an S3 Endpoint

Enabling HTTPS for the S3 Endpoint

Enabling HTTPS for the S3 Endpoint ensures encrypted communication and protects API access from unauthorized clients. This applies to both production and non-production environments.

Certificate Configuration Options

Commvault supports two modes of HTTPS setup:

Use Case:
Secure communication using certificates issued by a trusted Certificate Authority (CA), accepted by default in all major operating systems and browsers.

Requirements: - CA-issued certificate in .crt or .pem format - Private key in .key or .pem format - Optional: Intermediate CA bundle

Procedure:

  1. Convert certificate and key to .pfx format:

    openssl pkcs12 -export -inkey your.key -in your.crt -certfile CA-bundle.crt -out certificate.pfx

  2. Add the Required Registry Keys

    Add the following registry keys to configure HTTPS:

    • CVContainer/DotNet/httpsHostName: Host name of the endpoint.

    • CVContainer/DotNet/certPath: Path to the .pfx certificate file.

    • CVContainer/DotNet/certPassword: Certificate password.

      The certificate must be issued for the host name set in httpsHostName.

  3. Update the Commvault configuration file:

    File:
    /etc/CommVaultRegistry/Galaxy/Instance001/CVContainer/DotNet/.properties

    Add or update the following lines:

    httpsHostName   <FQDN>
certPath  <certificate-path>/certificate.pfx

  4. Restart the Commvault Platform Service:

    commvault -instance Instance001 restart -service CVPlatformService

2. Self-Signed Certificate (For Development or Test Only)

Use Case:
Suitable for internal or isolated environments where CA issuance is not required.

Requirements: - OpenSSL installed - Linux system with Commvault Platform Service - A valid fully qualified domain name (FQDN)

Procedure:

  1. Create a file v3.ext with the following content:

    [req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = <country>
ST = <state>
L = <location>
O = Commvault
OU = <department>
CN = <machine-name>

[v3_req]
# make it a CA so RHEL/CentOS will happily trust it
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage         = critical, keyCertSign, cRLSign, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[alt_names]
DNS.1 = <machine-name>

  2. Generate key, certificate signing request (CSR), certificate, and PFX:

    openssl genrsa -out key.pem 2048
openssl req -new -sha256 -key key.pem -out csr.csr -config v3.ext
openssl req -x509 -sha256 -days 365 -key key.pem -in csr.csr -out certificate.pem -extensions v3_req -config v3.ext
openssl pkcs12 -export -inkey key.pem -in certificate.pem -out certificate.pfx

  3. Add the Required Registry Keys

    Add the following registry keys to configure HTTPS:

    • CVContainer/DotNet/httpsHostName: Host name of the endpoint.

    • CVContainer/DotNet/certPath: Path to the .pfx certificate file.

    • CVContainer/DotNet/certPassword: Certificate password.

      The certificate must be issued for the host name set in httpsHostName.

  4. Update the Commvault configuration file:

    File:
    /etc/CommVaultRegistry/Galaxy/Instance001/CVContainer/DotNet/.properties

    Add or update the following lines:

    httpsHostName  <FQDN>
certPath  <certificate-path>/certificate.pfx

  5. Restart the Commvault Platform Service:

    commvault -instance Instance001 restart -service CVPlatformService

Client-Side Certificate Trust Configuration

To ensure client systems trust the self-signed certificate, import the custom CA certificate into the trust store:

RHEL / CentOS / Fedora:

Copy certificate to anchors folder: 

sudo cp <certificate-file.crt-or-.pem>  /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract

Validate: 

sudo trust list | grep -i "YourCertName"

Debian / Ubuntu:

sudo cp <certificate-file.crt-or-.pem> /usr/local/share/ca-certificates/
sudo update-ca-certificates

Validate: 

openssl x509 -in /etc/ssl/certs/ca-certificates.crt -text -noout | grep -A3 "YourCertName"

Windows:

Navigate to Certificate Manager: 1. Double-click <certificate-file.crt/.cer/.pfx>Install Certificate 2. Select Local Machine or Current User 3. Store Location → Trusted Root Certification Authorities 4. Finish + Accept Prompt

General Validation: 

curl -v <Endpoint_name>

AWS CLI Trust Store Configuration

For AWS CLI commands to work with custom certificates on Linux:

Option 1: Permanent Configuration (Recommended)

Add to ~/.aws/config:

[default]
ca_bundle = /etc/pki/tls/certs/ca-bundle.crt

Option 2: Session-Only Environment Variable

export AWS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt

Note

Use only in development and test environments.

HTTPS Validation

To validate that the HTTPS endpoint is reachable and functioning on port 5005:

For Self-Signed Certificates:

curl -v  https://<machine-name>:5006/s3

For CA-Trusted Certificates:

curl --cacert /path/to/certificate.pem https://<machine-name>:5005/s3

A valid HTTP response code confirms successful HTTPS access.

×

Loading...