This document describes how to generate a Certificate Signing Request (CSR) to obtain a new certificate which you can upload to the Cisco Integrated Management Controller (CIMC) in order to replace the current server certificate. The server certificate can be signed either by a public Certificate Authority (CA), such as Verisign, or by your own certificate authority. The generated certificate key length is 2048 bits.
Cisco recommends that you have knowledge of these topics:
You must log in as a user with admin privileges to configure certificates.
Ensure that the CIMC time is set to the current time.
The information in this document is based on these software and hardware versions:
CIMC 1.0 or later
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Generate the CSR from the CIMC.
Submit the CSR file to a CA to sign the certificate. If your organization generates its own self-signed certificates, you can use the CSR file to generate a self-signed certificate.
Upload the new certificate to the CIMC.
Note: The uploaded certificate must be created from a CSR generated by the CIMC. Do not upload a certificate that was not created by this method.
Manually generate a CSR from CLI as shown in the image.
If you do not want to obtain a certificate from a public certificate authority, and if your organization does not operate its own certificate authority, you can allow CIMC to internally generate a self-signed certificate from the CSR and upload it immediately to the server. Type y after the final prompt in the example to perform this action.
If your organization generates its own self-signed certificates, copy the command output from "-----BEGIN ..." to "END CERTIFICATE REQUEST-----" and paste it into a file named csr.txt. Input the CSR file to your certificate server to generate a self-signed certificate.
If you obtain a certificate from a public certificate authority, copy the command output from "-----BEGIN ..." to "END CERTIFICATE REQUEST-----" and paste it into a file named csr.txt. Submit the CSR file to the certificate authority to obtain a signed certificate.
Ensure that the certificate is of type Server.
If you did not use the first option, in which CIMC internally generates and uploads a self-signed certificate, you must upload the new certificate with the upload command in certificate command mode.
Create Self-Signed Certificate
As an alternative to having a public CA sign a server certificate, you can operate your own CA and sign your own certificates. This section shows commands to create a CA and generate a server certificate with OpenSSL. For detailed information about OpenSSL, see http://www.openssl.org.
Step 1. Generate RSA private key as shown in the image.
Step 2. Generate new self-signed certificate as shown in the image.
Step 3. Ensure that the certificate type is server as shown in the image.
Step 4. Direct the CA to use your CSR file to generate a server certificate as shown in the image.
Step 5. Verify if the generated certificate is of type Server as shown in the image.
Step 6. Upload Server Certificate as shown in the image.
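Steps 1 through 5 written out as OpenSSL commands. This is an added example, not the commands from the original images. Every file name except csr.txt, the Example Lab subject, the validity periods, the serial number and the extension set used to mark the certificate as type Server are assumptions. The stand-in CSR is constructed so the script runs offline; on a real system csr.txt is the request copied from the CIMC.

```sh
#!/bin/sh
# Added example (not Cisco's commands): a private CA signs a CIMC CSR with OpenSSL.
set -eu

make_ca() {                 # Steps 1-2: CA private key and self-signed CA certificate
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Lab
CN = Example Lab CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl genrsa -out ca.key 2048
    chmod 600 ca.key        # whoever holds this key can mint trusted certificates
    openssl req -new -x509 -days 1095 -key ca.key -out ca.crt -config ca.cnf
}

make_standin_csr() {        # Constructed stand-in for csr.txt (real use: CIMC output)
    openssl req -new -newkey rsa:2048 -nodes -keyout standin.key -out csr.txt \
        -config ca.cnf -subj "/CN=cimc.example.test"
}

sign_server_cert() {        # Steps 3-4: $1 = CSR file; writes server.crt
    # Assumed extension set that restricts the certificate to TLS server use.
    cat > server_ext.cnf <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
EOF
    openssl x509 -req -days 365 -sha256 -in "$1" -CA ca.crt -CAkey ca.key \
        -set_serial 01 -extfile server_ext.cnf -out server.crt
}

verify_server_cert() {      # Step 5: chains to our CA and passes the SSL server purpose check
    openssl verify -CAfile ca.crt -purpose sslserver server.crt >/dev/null
}

workdir=$(mktemp -d)        # scratch directory so the demo never touches real keys
cd "$workdir"
make_ca
make_standin_csr
sign_server_cert csr.txt
verify_server_cert && openssl x509 -in server.crt -noout -subject -issuer -purpose
```

The resulting ca.crt is what clients must trust for the CIMC web interface to validate without warnings; ca.key stays on the signing host and is never uploaded.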
Use this section in order to confirm that your configuration works properly.
Navigate to Admin > Certificate Management and verify the Current Certificate as shown in the image.
There is currently no specific troubleshooting information available for this configuration.
CSCup26248 - Unable to upload 3rd party CA SSL certificate to CIMC 2.0.(1a)