- Preface
- Overview
- Managing the Server
- Viewing Server Properties
- Viewing Server Sensors
- Managing Remote Presence
- Managing User Accounts
- Configuring Network-Related Settings
- Managing Network Adapters
- Configuring Communication Services
- Managing Certificates
- Configuring Platform Event Filters
- CIMC Firmware Management
- Viewing Logs
- Server Utilities
- Index
Managing Certificates
This chapter includes the following sections:
- Managing the Server Certificate
- Generating a Certificate Signing Request
- Creating a Self-Signed Certificate
- Uploading a Server Certificate
Managing the Server Certificate
You can generate a certificate signing request (CSR) to obtain a new certificate, and you can upload the new certificate to the CIMC to replace the current server certificate. The server certificate may be signed either by a public Certificate Authority (CA), such as Verisign, or by your own certificate authority.
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 | Generate the CSR from the CIMC. | |||
Step 2 | Submit the CSR file to a certificate authority that will issue and sign your certificate. If your organization generates its own self-signed certificates, you can use the CSR file to generate a self-signed certificate. | |||
Step 3 | Upload the new certificate to the CIMC. |
|
Generating a Certificate Signing Request
You must log in as a user with admin privileges to configure certificates.
Command or Action | Purpose | |
---|---|---|
Step 1 | Server# scope certificate | Enters the certificate command mode. |
Step 2 | Server /certificate # generate-csr | Launches a dialog for the generation of a certificate signing request (CSR). |
You will be prompted to enter the following information for the certificate signing request:
Common Name (CN) |
The fully qualified hostname of the CIMC. |
Organization Name (O) |
The organization requesting the certificate. |
Organization Unit (OU) |
The organizational unit. |
Locality (L) |
The city or town in which the company requesting the certificate is headquartered. |
StateName (S) |
The state or province in which the company requesting the certificate is headquartered. |
Country Code (CC) |
The two-letter ISO country code for the country in which the company is headquartered. |
The administrative email contact at the company. |
After you have entered the requested information, the system will generate and display a certificate signing request in the console output. A CSR file will not be created, but you can copy the CSR information from the console output and paste the information into a text file.
This example generates a certificate signing request:
Server# scope certificate Server /certificate # generate-csr Common Name (CN): test.example.com Organization Name (O): Example, Inc. Organization Unit (OU): Test Department Locality (L): San Jose StateName (S): CA Country Code (CC): US Email: user@example.com Continue to generate CSR?[y|N]y -----BEGIN CERTIFICATE REQUEST----- MIIB/zCCAWgCAQAwgZkxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UE BxMMU2FuIEpvc2UsIENBMRUwEwYDVQQKEwxFeGFtcGxlIEluYy4xEzARBgNVBAsT ClRlc3QgR3JvdXAxGTAXBgNVBAMTEHRlc3QuZXhhbXBsZS5jb20xHzAdBgkqhkiG 9w0BCQEWEHVzZXJAZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ AoGBAMZw4nTepNIDhVzb0j7Z2Je4xAG56zmSHRMQeOGHemdh66u2/XAoLx7YCcYU ZgAMivyCsKgb/6CjQtsofvzxmC/eAehuK3/SINv7wd6Vv2pBt6ZpXgD4VBNKONDl GMbkPayVlQjbG4MD2dx2+H8EH3LMtdZrgKvPxPTE+bF5wZVNAgMBAAGgJTAjBgkq hkiG9w0BCQcxFhMUQSBjaGFsbGVuZ2UgcGFzc3dvcmQwDQYJKoZIhvcNAQEFBQAD gYEAG61CaJoJaVMhzCl903O6Mg51zq1zXcz75+VFj2I6rH9asckCld3mkOVx5gJU Ptt5CVQpNgNLdvbDPSsXretysOhqHmp9+CLv8FDuy1CDYfuaLtvlWvfhevskV0j6 mK3Ku+YiORnv6DhxrOoqau8r/hyI/L43l7IPN1HhOi3oha4= -----END CERTIFICATE REQUEST----- Copy everything from "-----BEGIN ..." to "END CERTIFICATE REQUEST-----", paste to a file, send to your chosen CA for signing, and finally upload the signed certificate via upload command. ---OR--- Continue to self sign CSR and overwrite the current certificate? All HTTPS and SSH sessions will be disconnected. [y|N]N
Perform one of the following tasks:
-
If you do not want to obtain a certificate from a public certificate authority, and if your organization does not operate its own certificate authority, you can allow CIMC to internally generate a self-signed certificate from the CSR and upload it immediately to the server. Type y after the final prompt in the example to perform this action.
-
If your organization operates its own certificate server for generating self-signed certificates, copy the command output from "-----BEGIN ..." to "END CERTIFICATE REQUEST-----" and paste to a file named csr.txt. Input the CSR file to your certificate server to generate a self-signed certificate.
-
If you will obtain a certificate from a public certificate authority, copy the command output from "-----BEGIN ..." to "END CERTIFICATE REQUEST-----" and paste to a file named csr.txt. Submit the CSR file to the certificate authority to obtain a signed certificate.
If you did not use the first option, in which CIMC internally generates and uploads a self-signed certificate, you must upload the new certificate using the upload command in certificate command mode.
Creating a Self-Signed Certificate
![]() Note |
These commands are to be entered on a Linux server with the OpenSSL package, not in the CIMC CLI. |
Obtain and install a certificate server software package on a server within your organization.
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 | openssl genrsa -out CA_keyfilename keysize Example: # openssl genrsa -out ca.key 1024 |
The specified file name contains an RSA key of the specified key size. |
||
Step 2 | openssl req -new -x509 -days numdays -key CA_keyfilename -out CA_certfilename Example: # openssl req -new -x509 -days 365 -key ca.key -out ca.crt |
This command generates a new self-signed certificate for the CA using the specified key. The certificate is valid for the specified period. The command prompts the user for additional certificate information. The certificate server is an active CA. |
||
Step 3 | echo "nsCertType = server" > openssl.conf Example: # echo "nsCertType = server" > openssl.conf |
This command adds a line to the OpenSSL configuration file to designate the certificate as a server-only certificate. This designation is a defense against a man-in-the-middle attack, in which an authorized client attempts to impersonate the server. The OpenSSL configuration file openssl.conf contains the statement "nsCertType = server". |
||
Step 4 | openssl x509 -req -days numdays -in CSR_filename -CA CA_certfilename -set_serial 04 -CAkey CA_keyfilename -out server_certfilename -extfile openssl.conf Example: # openssl x509 -req -days 365 -in csr.txt -CA ca.crt -set_serial 04 -CAkey ca.key -out myserver05.crt -extfile openssl.conf |
This command directs the CA to use your CSR file to generate a server certificate. Your server certificate is contained in the output file. |
This example shows how to create a CA and to generate a server certificate signed by the new CA. These commands are entered on a Linux server running OpenSSL.
# /usr/bin/openssl genrsa -out ca.key 1024 Generating RSA private key, 1024 bit long modulus .............++++++ .....++++++ e is 65537 (0x10001) # /usr/bin/openssl req -new -x509 -days 365 -key ca.key -out ca.crt You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:US State or Province Name (full name) [Berkshire]:California Locality Name (eg, city) [Newbury]:San Jose Organization Name (eg, company) [My Company Ltd]:Example Incorporated Organizational Unit Name (eg, section) []:Unit A Common Name (eg, your name or your server's hostname) []:example.com Email Address []:admin@example.com # echo "nsCertType = server" > openssl.conf # /usr/bin/openssl x509 -req -days 365 -in csr.txt -CA ca.crt -set_serial 01 -CAkey ca.key -out server.crt -extfile openssl.conf Signature ok subject=/C=US/ST=California/L=San Jose/O=Example Inc./OU=Unit A/CN=example.com/emailAddress=john@example.com Getting CA Private Key #
Upload the new certificate to the CIMC.
Uploading a Server Certificate
You must log in as a user with admin privileges to upload a certificate.
The certificate to be uploaded must be available as readable text. During the upload procedure, you will copy the certificate text and paste it into the CLI.
![]() Note |
You must first generate a CSR using the CIMC certificate management CSR generation procedure, and you must use that CSR to obtain the certificate for uploading. Do not upload a certificate that was not obtained by this method. |
![]() Note |
All current HTTPS and SSH sessions are disconnected when the new server certificate is uploaded. |
Command or Action | Purpose | |
---|---|---|
Step 1 | Server# scope certificate | Enters the certificate command mode. |
Step 2 | Server /certificate # upload | Launches a dialog for entering and uploading the new server certificate. |
Copy the certificate text, paste it into the console when prompted, and type CTRL+D to upload the certificate.
This example uploads a new certificate to the server:
Server# scope certificate Server /certificate # upload Please paste your certificate here, when finished, press CTRL+D. -----BEGIN CERTIFICATE----- MIIB/zCCAWgCAQAwgZkxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UE BxMMU2FuIEpvc2UsIENBMRUwEwYDVQQKEwxFeGFtcGxlIEluYy4xEzARBgNVBAsT ClRlc3QgR3JvdXAxGTAXBgNVBAMTEHRlc3QuZXhhbXBsZS5jb20xHzAdBgkqhkiG 9w0BCQEWEHVzZXJAZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ AoGBAMZw4nTepNIDhVzb0j7Z2Je4xAG56zmSHRMQeOGHemdh66u2/XAoLx7YCcYU ZgAMivyCsKgb/6CjQtsofvzxmC/eAehuK3/SINv7wd6Vv2pBt6ZpXgD4VBNKONDl GMbkPayVlQjbG4MD2dx2+H8EH3LMtdZrgKvPxPTE+bF5wZVNAgMBAAGgJTAjBgkq hkiG9w0BCQcxFhMUQSBjaGFsbGVuZ2UgcGFzc3dvcmQwDQYJKoZIhvcNAQEFBQAD gYEAG61CaJoJaVMhzCl903O6Mg51zq1zXcz75+VFj2I6rH9asckCld3mkOVx5gJU Ptt5CVQpNgNLdvbDPSsXretysOhqHmp9+CLv8FDuy1CDYfuaLtvlWvfhevskV0j6 mK3Ku+YiORnv6DhxrOoqau8r/hyI/L43l7IPN1HhOi3oha4= -----END CERTIFICATE----- <CTRL+D>