Managing Certificates and Server Security

This chapter includes the following sections:

Managing the Server Certificate

You can generate a certificate signing request (CSR) to obtain a new certificate, and you can upload the new certificate to the Cisco IMC to replace the current server certificate. The server certificate may be signed either by a public Certificate Authority (CA), such as Verisign, or by your own certificate authority. The generated certificate key length is 2048 bits.


Note

Before performing any of the following tasks in this chapter, ensure that the Cisco IMC time is set to the current time.

Procedure

Step 1

Generate the CSR from the Cisco IMC.

Step 2

Submit the CSR file to a certificate authority that will issue and sign your certificate. If your organization generates its own self-signed certificates, you can use the CSR file to generate a self-signed certificate.

Step 3

Upload the new certificate to the Cisco IMC.

Note 

The uploaded certificate must be created from a CSR generated by the Cisco IMC. Do not upload a certificate that was not created by this method.

Generating a Certificate Signing Request


Note

Do not use special characters (For example ampersand (&)) in the Common Name or Organization Unit field.

Before you begin

  • You must log in as a user with admin privileges to configure certificates.

  • Ensure that the Cisco IMC time is set to the current time.

Procedure

Step 1

In the Navigation pane, click the Admin tab.

Step 2

On the Admin tab, click Certificate Management.

Step 3

In the Actions area, click the Generate New Certificate Signing Request link.

The Generate New Certificate Signing Request dialog box appears.

Step 4

In the Generate New Certificate Signing Request dialog box, update the following properties:

Name Description

Common Name field

The fully qualified name of the Cisco IMC.

By default the CN of the servers appears in CXXX-YYYYYY format, where XXX is the model number and YYYYYY is the serial number of the server.

When you upgrade to latest version, CN is retained as is.

Subject Alternate Name (SAN)

You can now provide additional input parameter for Subject Alternate Name. This allows various values to be associated using the subject field of the certificate.

The various options of SAN includes:

  • Email

  • DNS name

  • IP address

  • Uniform Resource Identifier (URI)

Note 

This field is optional. You can configure any number of SAN instances of each type, but all together the instances count must not exceed 10.

Organization Name field

The organization requesting the certificate.

Organization Unit field

The organizational unit.

Locality field

The city or town in which the company requesting the certificate is headquartered.

State Name field

The state or province in which the company requesting the certificate is headquartered.

Country Code drop-down list

The country in which the company resides.

Email field

The email contact at the company.

Signature Algorithm

Allows you to select the signature algorithm for generating certificate signing request. This can be one of the following:

  • SHA384

  • SHA1

  • SHA256

  • SHA512

The default signature algorithm selected for generating certificate signing request is SHA384.

Self Signed Certificate check box

Generates a Self Signed Certificate.

Warning 
After successful certificate generation, the Cisco IMC Web GUI restarts. Communication with the management controller may be lost momentarily and you will need to re-login.
Note 

If enabled, CSR is generated, signed and uploaded automatically.

Note 

If Self-signed certificate is enabled, ignore steps 5 and 6.

Step 5

Click Generate CSR.

The Opening csr.txt dialog box appears.

Step 6

Perform any one of the following steps to manage the CSR file, csr.txt:

  1. Click Open With to view csr.txt.

  2. Click Save File and then click OK to save csr.txt to your local machine.

What to do next

  • Submit the CSR file to a certificate authority that will issue and sign your certificate. If your organization generates its own self-signed certificates, you can use the CSR file to generate a self-signed certificate.

  • Ensure that the certificate is of type Server.

Creating an Untrusted CA-Signed Certificate

As an alternative to using a public Certificate Authority (CA) to generate and sign a server certificate, you can operate your own CA and sign your own certificates. This section shows commands for creating a CA and generating a server certificate using the OpenSSL certificate server running on Linux. For detailed information about OpenSSL, see http://www.openssl.org.

Note

These commands are to be entered on a Linux server with the OpenSSL package, not in the Cisco IMC.

Before you begin

  • Obtain and install a certificate server software package on a server within your organization.

  • Ensure that the Cisco IMC time is set to the current time.

Procedure

  Command or Action Purpose
Step 1

openssl genrsa -out CA_keyfilename keysize

Example:

# openssl genrsa -out ca.key 2048
This command generates an RSA private key that will be used by the CA.
Note 
To allow the CA to access the key without user input, do not use the -des3 option for this command.

The specified file name contains an RSA key of the specified key size.

Step 2

openssl req -new -x509 -days numdays -key CA_keyfilename -out CA_certfilename

Example:

# openssl req -new -x509 -days 365 -key ca.key -out ca.crt

This command generates a new self-signed certificate for the CA using the specified key. The certificate is valid for the specified period. The command prompts the user for additional certificate information.

The certificate server is an active CA.

Step 3

echo "nsCertType = server" > openssl.conf

Example:

# echo "nsCertType = server" > openssl.conf

This command adds a line to the OpenSSL configuration file to designate the certificate as a server-only certificate. This designation is a defense against a man-in-the-middle attack, in which an authorized client attempts to impersonate the server.

The OpenSSL configuration file openssl.conf contains the statement "nsCertType = server".

Step 4

openssl x509 -req -days numdays -in CSR_filename -CA CA_certfilename -set_serial 04 -CAkey CA_keyfilename -out server_certfilename -extfile openssl.conf

Example:

# openssl x509 -req -days 365 -in csr.txt -CA ca.crt -set_serial 04
-CAkey ca.key -out myserver05.crt -extfile openssl.conf

This command directs the CA to use your CSR file to generate a server certificate.

Your server certificate is contained in the output file.

Step 5

openssl x509 -noout -text -purpose -in <cert file>

Example:

openssl x509 -noout -text -purpose -in <cert file>
Verifies if the generated certificate is of type Server.
Note 

If the values of the fields Server SSL and Netscape SSL server are not yes, ensure that openssl.conf is configured to generate certificates of type server.

Step 6

(Optional) If the generated certificate does not have the correct validity dates, ensure the Cisco IMC time is set to the current time, and regenerate the certificate by repeating steps 1 through 5.

(Optional)
Certificate with the correct validity dates is created.

Example

This example shows how to create a CA and to generate a server certificate signed by the new CA. These commands are entered on a Linux server running OpenSSL. 

# /usr/bin/openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
.............++++++
.....++++++
e is 65537 (0x10001)
# /usr/bin/openssl req -new -x509 -days 365 -key ca.key -out ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:California
Locality Name (eg, city) [Newbury]:San Jose
Organization Name (eg, company) [My Company Ltd]:Example Incorporated
Organizational Unit Name (eg, section) []:Unit A
Common Name (eg, your name or your server's hostname) []:example.com
Email Address []:admin@example.com
# echo "nsCertType = server" > openssl.conf
# /usr/bin/openssl x509 -req -days 365 -in csr.txt -CA ca.crt -set_serial 01 -CAkey ca.key -out server.crt -extfile openssl.conf
Signature ok
subject=/C=US/ST=California/L=San Jose/O=Example Inc./OU=Unit A/CN=example.com/emailAddress=john@example.com
Getting CA Private Key
#

What to do next

Upload the new certificate to the Cisco IMC.

Creating a Self-Signed Certificate Using Windows

Before you begin

  • You must log in as a user with admin privileges to configure certificates.

  • Ensure that the Cisco IMC time is set to the current time.

Procedure

Step 1

Open IIS Manager and navigate to the level you want to manage.

Step 2

In the Features area, double-click Server Certificate.

Step 3

In the Action pane, click Create Self-Signed Certificate.

Step 4

On the Create Self-Signed Certificate window, enter name for the certificate in the Specify a friendly name for the certificate field.

Step 5

Click Ok.

Step 6

(Optional) If the generated certificate does not have the correct validity dates, ensure the Cisco IMC time is set to the current time, and regenerate the certificate by repeating steps 1 through 5.

Certificate with the correct validity dates is created.

Uploading a Server Certificate

Before you begin

  • You must log in as a user with admin privileges to upload a certificate.

  • The certificate file to be uploaded must reside on a locally accessible file system.

  • Ensure that the generated certificate is of type server.

  • The following certificate formats are supported:

    • .crt

    • .cer

    • .pem


Note

You must first generate a CSR using the Cisco IMC Certificate Management menu, and you must use that CSR to obtain the certificate for uploading. Do not upload a certificate that was not obtained by this method.

Procedure

Step 1

In the Navigation pane, click the Admin tab.

Step 2

On the Admin tab, click Certificate Management.

Step 3

In the Actions area, click Upload Server Certificate.

The Upload Certificate dialog box appears.

Step 4

In the Upload Certificate dialog box, update the following properties:

Name Description

File field

The certificate file you want to upload.

Browse button

Opens a dialog box that allows you to navigate to the appropriate certificate file.

Upload Certificate button

Allows you to upload the certificate.

Step 5

Click Upload Certificate.

Pasting Server Certificate Content

As an alternative to uploading the server certificate from a local file system, you can also upload a new server certificate by pasting the content of the certificate in a text field.

Before you begin

  • You must log in as a user with admin privileges to upload a certificate.

  • The certificate file to be uploaded must reside on a locally accessible file system.

  • Ensure that the generated certificate is of type server.

  • Ensure that the certificate you upload is signed.

Procedure

Step 1

In the Navigation pane, click the Admin tab.

Step 2

On the Admin tab, click Certificate Management.

Step 3

In the Actions area, click Paste Server Certificate.

The Paste Server Certificate dialog box appears.

Step 4

In the Paste Server Certificate dialog box, paste the server certificate content in the Certificate text field and click Save.

This uploads the certificate to the server.

Troubleshooting a New Certificate

Occasionally, a new certificate might not be displayed in the system. In this scenario, you need to complete the following troubleshooting steps and reboot Cisco IMC.

Before you begin

  • You must log in as a user with admin privileges to upload a certificate.

  • You must have uploaded a new certificate.

Procedure

Step 1

Start a new secure shell session on the Cisco IMC server.

Step 2

Run the commands scope certificate and show detail respectively to verify that the certificate displayed is the one you uploaded.

Step 3

Exit the secure shell command line interface.

Step 4

Log on to Cisco IMC web interface.

Step 5

In the Navigation pane, click the Admin tab.

Step 6

On the Admin tab, click Utilities.

Step 7

In the Actions area of the Utilities pane, click Reboot Cisco IMC.

Step 8

Click OK.

Step 9

Clear your web browser's history.

Step 10

Log out of Cisco IMC and log on again to verify that the new certificate is in use.