-
Cisco UCS C-Series Servers Integrated Management Controller GUI Configuration Guide, Release 1.4
-
Preface
-
Overview
-
Installing the Server OS
-
Managing the Server
-
Viewing Server Properties
-
Viewing Server Sensors
-
Managing Remote Presence
-
Managing User Accounts
-
Configuring Network-Related Settings
-
Managing Network Adapters
-
Configuring Communication Services
-
Managing Certificates
-
Configuring Platform Event Filters
-
CIMC Firmware Management
-
Viewing Logs
-
Server Utilities
-
BIOS Parameters by Server Model
-
Index
-
Feedback
Contents
Managing Certificates
This chapter includes the following sections:
- Managing the Server Certificate
- Generating a Certificate Signing Request
- Creating a Self-Signed Certificate
- Uploading a Server Certificate
Managing the Server Certificate
ProcedureYou can generate a certificate signing request (CSR) to obtain a new certificate, and you can upload the new certificate to the CIMC to replace the current server certificate. The server certificate may be signed either by a public Certificate Authority (CA), such as Verisign, or by your own certificate authority.
Generating a Certificate Signing Request
Procedure
Step 1 In the Navigation pane, click the Admin tab. Step 2 On the Admin tab, click Certificate Management. Step 3 In the Actions area, click the Generate New Certificate Signing Request link. The Generate New Certificate Signing Request dialog box appears.
Step 4 In the Generate New Certificate Signing Request dialog box, update the following properties:
Name Description Common Name field
The fully qualified hostname of the CIMC.
Organization Name field
The organization requesting the certificate.
Organization Unit field
The organizational unit.
The city or town in which the company requesting the certificate is headquartered.
State Name field
The state or province in which the company requesting the certificate is headquartered.
Country Code drop-down list
The country in which the company resides.
Email field
The email contact at the company.
Step 5 Click Generate CSR. The Opening csr.txt dialog box appears.
Step 6 Perform any one of the following steps to manage the CSR file, csr.txt:
What to Do Next
Submit the CSR file to a certificate authority that will issue and sign your certificate. If your organization generates its own self-signed certificates, you can use the CSR file to generate a self-signed certificate.
Creating a Self-Signed Certificate
As an alternative to using a public Certificate Authority (CA) to generate and sign a server certificate, you can operate your own CA and sign your own certificates. This section shows commands for creating a CA and generating a server certificate using the OpenSSL certificate server running on Linux. For detailed information about OpenSSL, see http://www.openssl.org.
Note
These commands are to be entered on a Linux server with the OpenSSL package, not in the CIMC CLI.
Before You BeginProcedureObtain and install a certificate server software package on a server within your organization.
Command or Action Purpose
Step 1 openssl genrsa -out CA_keyfilename keysize
Example:# openssl genrsa -out ca.key 1024
Note To allow the CA to access the key without user input, do not use the -des3 option for this command. The specified file name contains an RSA key of the specified key size.
Step 2 openssl req -new -x509 -days numdays -key CA_keyfilename -out CA_certfilename
Example:# openssl req -new -x509 -days 365 -key ca.key -out ca.crtThis command generates a new self-signed certificate for the CA using the specified key. The certificate is valid for the specified period. The command prompts the user for additional certificate information.
The certificate server is an active CA.
Step 3 echo "nsCertType = server" > openssl.conf
Example:# echo "nsCertType = server" > openssl.confThis command adds a line to the OpenSSL configuration file to designate the certificate as a server-only certificate. This designation is a defense against a man-in-the-middle attack, in which an authorized client attempts to impersonate the server.
The OpenSSL configuration file openssl.conf contains the statement "nsCertType = server".
Step 4 openssl x509 -req -days numdays -in CSR_filename -CA CA_certfilename -set_serial 04 -CAkey CA_keyfilename -out server_certfilename -extfile openssl.conf
Example:# openssl x509 -req -days 365 -in csr.txt -CA ca.crt -set_serial 04 -CAkey ca.key -out myserver05.crt -extfile openssl.confThis command directs the CA to use your CSR file to generate a server certificate.
Your server certificate is contained in the output file.
What to Do NextThis example shows how to create a CA and to generate a server certificate signed by the new CA. These commands are entered on a Linux server running OpenSSL.
# /usr/bin/openssl genrsa -out ca.key 1024 Generating RSA private key, 1024 bit long modulus .............++++++ .....++++++ e is 65537 (0x10001) # /usr/bin/openssl req -new -x509 -days 365 -key ca.key -out ca.crt You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:US State or Province Name (full name) [Berkshire]:California Locality Name (eg, city) [Newbury]:San Jose Organization Name (eg, company) [My Company Ltd]:Example Incorporated Organizational Unit Name (eg, section) []:Unit A Common Name (eg, your name or your server's hostname) []:example.com Email Address []:admin@example.com # echo "nsCertType = server" > openssl.conf # /usr/bin/openssl x509 -req -days 365 -in csr.txt -CA ca.crt -set_serial 01 -CAkey ca.key -out server.crt -extfile openssl.conf Signature ok subject=/C=US/ST=California/L=San Jose/O=Example Inc./OU=Unit A/CN=example.com/emailAddress=john@example.com Getting CA Private Key #
Upload the new certificate to the CIMC.
Uploading a Server Certificate
Before You BeginProcedureYou must log in as a user with admin privileges to upload a certificate.
The certificate file to be uploaded must reside on a locally accessible file system.
Note
You must first generate a CSR using the CIMC Certificate Management menu, and you must use that CSR to obtain the certificate for uploading. Do not upload a certificate that was not obtained by this method.
Step 1 In the Navigation pane, click the Admin tab. Step 2 On the Admin tab, click Certificate Management. Step 3 In the Actions area, click Upload Server Certificate. The Upload Certificate dialog box appears.
Step 4 In the Upload Certificate dialog box, update the following properties: Step 5 Click Upload Certificate.
