Contents

Managing Certificates

This chapter includes the following sections:

Managing the Server Certificate

You can generate a certificate signing request (CSR) to obtain a new certificate, and you can upload the new certificate to the CIMC to replace the current server certificate. The server certificate may be signed either by a public Certificate Authority (CA), such as Verisign, or by your own certificate authority.

Procedure
    Step 1   Generate the CSR from the CIMC.
    Step 2   Submit the CSR file to a certificate authority that will issue and sign your certificate. If your organization generates its own self-signed certificates, you can use the CSR file to generate a self-signed certificate.
    Step 3   Upload the new certificate to the CIMC.
    Note   

    The uploaded certificate must be created from a CSR generated by the CIMC. Do not upload a certificate that was not created by this method.


    Generating a Certificate Signing Request

    Before You Begin

    You must log in as a user with admin privileges to configure certificates.

    Procedure
      Step 1   In the Navigation pane, click the Admin tab.
      Step 2   On the Admin tab, click Certificate Management.
      Figure 1. Certificate Management



      Step 3   In the Actions area, click the Generate New Certificate Signing Request link.

      The Generate New Certificate Signing Request dialog box appears.

      Step 4   In the Generate New Certificate Signing Request dialog box, update the following properties:
      Name Description

      Common Name field

      The fully qualified hostname of the CIMC.

      Organization Name field

      The organization requesting the certificate.

      Organization Unit field

      The organizational unit.

      Locality field

      The city or town in which the company requesting the certificate is headquartered.

      State Name field

      The state or province in which the company requesting the certificate is headquartered.

      Country Code drop-down list

      The country in which the company resides.

      Email field

      The e-mail contact at the company.

      Step 5   Click Generate CSR.

      The Opening csr.txt dialog box appears.

      Step 6   Perform any one of the following steps to manage the CSR file, csr.txt:
      1. Click Open With to view csr.txt.
      2. Click Save File and then click OK to save csr.txt to your local machine.

      What to Do Next

      Submit the CSR file to a certificate authority that will issue and sign your certificate. If your organization generates its own self-signed certificates, you can use the CSR file to generate a self-signed certificate.

      Creating a Self-Signed Certificate

      As an alternative to using a public Certificate Authority (CA) to generate and sign a server certificate, you can operate your own CA and sign your own certificates. This section shows commands for creating a CA and generating a server certificate using the OpenSSL certificate server running on Linux. For detailed information about OpenSSL, see http:/​/​www.openssl.org.

      Note


      These commands are to be entered on a Linux server with the OpenSSL package, not in the CIMC CLI.


      Before You Begin

      Obtain and install a certificate server software package on a server within your organization.

      Procedure
         Command or ActionPurpose
        Step 1 openssl genrsa -out CA_keyfilename keysize


        Example:
        # openssl genrsa -out ca.key 1024
         
        This command generates an RSA private key that will be used by the CA.
        Note    To allow the CA to access the key without user input, do not use the -des3 option for this command.

        The specified file name contains an RSA key of the specified key size.

         
        Step 2 openssl req -new -x509 -days numdays -key CA_keyfilename -out CA_certfilename


        Example:
        # openssl req -new -x509 -days 365 -key ca.key -out ca.crt
         

        This command generates a new self-signed certificate for the CA using the specified key. The certificate is valid for the specified period. The command prompts the user for additional certificate information.

        The certificate server is an active CA.

         
        Step 3 echo "nsCertType = server" > openssl.conf


        Example:
        # echo "nsCertType = server" > openssl.conf
         

        This command adds a line to the OpenSSL configuration file to designate the certificate as a server-only certificate. This designation is a defense against a man-in-the-middle attack, in which an authorized client attempts to impersonate the server.

        The OpenSSL configuration file openssl.conf contains the statement "nsCertType = server".

         
        Step 4 openssl x509 -req -days numdays -in CSR_filename -CA CA_certfilename -set_serial 04 -CAkey CA_keyfilename -out server_certfilename -extfile openssl.conf


        Example:
        # openssl x509 -req -days 365 -in csr.txt -CA ca.crt -set_serial 04
        -CAkey ca.key -out myserver05.crt -extfile openssl.conf
         

        This command directs the CA to use your CSR file to generate a server certificate.

        Your server certificate is contained in the output file.

         

        This example shows how to create a CA and to generate a server certificate signed by the new CA. These commands are entered on a Linux server running OpenSSL.

        # /usr/bin/openssl genrsa -out ca.key 1024
        Generating RSA private key, 1024 bit long modulus
        .............++++++
        .....++++++
        e is 65537 (0x10001)
        # /usr/bin/openssl req -new -x509 -days 365 -key ca.key -out ca.crt
        You are about to be asked to enter information that will be incorporated
        into your certificate request.
        What you are about to enter is what is called a Distinguished Name or a DN.
        There are quite a few fields but you can leave some blank
        For some fields there will be a default value,
        If you enter '.', the field will be left blank.
        -----
        Country Name (2 letter code) [GB]:US
        State or Province Name (full name) [Berkshire]:California
        Locality Name (eg, city) [Newbury]:San Jose
        Organization Name (eg, company) [My Company Ltd]:Example Incorporated
        Organizational Unit Name (eg, section) []:Unit A
        Common Name (eg, your name or your server's hostname) []:example.com
        Email Address []:admin@example.com
        # echo "nsCertType = server" > openssl.conf
        # /usr/bin/openssl x509 -req -days 365 -in csr.txt -CA ca.crt -set_serial 01 -CAkey ca.key -out server.crt -extfile openssl.conf
        Signature ok
        subject=/C=US/ST=California/L=San Jose/O=Example Inc./OU=Unit A/CN=example.com/emailAddress=john@example.com
        Getting CA Private Key
        #
        
        What to Do Next

        Upload the new certificate to the CIMC.

        Uploading a Server Certificate

        Before You Begin

        You must log in as a user with admin privileges to upload a certificate.

        The certificate file to be uploaded must reside on a locally accessible file system.


        Note


        You must first generate a CSR using the CIMC Certificate Management menu, and you must use that CSR to obtain the certificate for uploading. Do not upload a certificate that was not obtained by this method.


        Procedure
          Step 1   In the Navigation pane, click the Admin tab.
          Step 2   On the Admin tab, click Certificate Management.
          Figure 2. Certificate Management



          Step 3   In the Actions area, click Upload Server Certificate.

          The Upload Certificate dialog box appears.

          Step 4   In the Upload Certificate dialog box, update the following properties:
          Name Description

          File field

          The certificate file you want to upload.

          Browse button

          Opens a dialog box that allows you to navigate to the appropriate certificate file.

          Caution   

          After you select the certificate file using the Browse button, do not edit the certificate file name using the Backspace button on your keyboard. If you do, you will be logged out of CIMC.

          Step 5   Click Upload Certificate.


          Managing Certificates

          Managing Certificates

          This chapter includes the following sections:

          Managing the Server Certificate

          You can generate a certificate signing request (CSR) to obtain a new certificate, and you can upload the new certificate to the CIMC to replace the current server certificate. The server certificate may be signed either by a public Certificate Authority (CA), such as Verisign, or by your own certificate authority.

          Procedure
            Step 1   Generate the CSR from the CIMC.
            Step 2   Submit the CSR file to a certificate authority that will issue and sign your certificate. If your organization generates its own self-signed certificates, you can use the CSR file to generate a self-signed certificate.
            Step 3   Upload the new certificate to the CIMC.
            Note   

            The uploaded certificate must be created from a CSR generated by the CIMC. Do not upload a certificate that was not created by this method.


            Generating a Certificate Signing Request

            Before You Begin

            You must log in as a user with admin privileges to configure certificates.

            Procedure
              Step 1   In the Navigation pane, click the Admin tab.
              Step 2   On the Admin tab, click Certificate Management.
              Figure 1. Certificate Management



              Step 3   In the Actions area, click the Generate New Certificate Signing Request link.

              The Generate New Certificate Signing Request dialog box appears.

              Step 4   In the Generate New Certificate Signing Request dialog box, update the following properties:
              Name Description

              Common Name field

              The fully qualified hostname of the CIMC.

              Organization Name field

              The organization requesting the certificate.

              Organization Unit field

              The organizational unit.

              Locality field

              The city or town in which the company requesting the certificate is headquartered.

              State Name field

              The state or province in which the company requesting the certificate is headquartered.

              Country Code drop-down list

              The country in which the company resides.

              Email field

              The e-mail contact at the company.

              Step 5   Click Generate CSR.

              The Opening csr.txt dialog box appears.

              Step 6   Perform any one of the following steps to manage the CSR file, csr.txt:
              1. Click Open With to view csr.txt.
              2. Click Save File and then click OK to save csr.txt to your local machine.

              What to Do Next

              Submit the CSR file to a certificate authority that will issue and sign your certificate. If your organization generates its own self-signed certificates, you can use the CSR file to generate a self-signed certificate.

              Creating a Self-Signed Certificate

              As an alternative to using a public Certificate Authority (CA) to generate and sign a server certificate, you can operate your own CA and sign your own certificates. This section shows commands for creating a CA and generating a server certificate using the OpenSSL certificate server running on Linux. For detailed information about OpenSSL, see http:/​/​www.openssl.org.

              Note


              These commands are to be entered on a Linux server with the OpenSSL package, not in the CIMC CLI.


              Before You Begin

              Obtain and install a certificate server software package on a server within your organization.

              Procedure
                 Command or ActionPurpose
                Step 1 openssl genrsa -out CA_keyfilename keysize


                Example:
                # openssl genrsa -out ca.key 1024
                 
                This command generates an RSA private key that will be used by the CA.
                Note    To allow the CA to access the key without user input, do not use the -des3 option for this command.

                The specified file name contains an RSA key of the specified key size.

                 
                Step 2 openssl req -new -x509 -days numdays -key CA_keyfilename -out CA_certfilename


                Example:
                # openssl req -new -x509 -days 365 -key ca.key -out ca.crt
                 

                This command generates a new self-signed certificate for the CA using the specified key. The certificate is valid for the specified period. The command prompts the user for additional certificate information.

                The certificate server is an active CA.

                 
                Step 3 echo "nsCertType = server" > openssl.conf


                Example:
                # echo "nsCertType = server" > openssl.conf
                 

                This command adds a line to the OpenSSL configuration file to designate the certificate as a server-only certificate. This designation is a defense against a man-in-the-middle attack, in which an authorized client attempts to impersonate the server.

                The OpenSSL configuration file openssl.conf contains the statement "nsCertType = server".

                 
                Step 4 openssl x509 -req -days numdays -in CSR_filename -CA CA_certfilename -set_serial 04 -CAkey CA_keyfilename -out server_certfilename -extfile openssl.conf


                Example:
                # openssl x509 -req -days 365 -in csr.txt -CA ca.crt -set_serial 04
                -CAkey ca.key -out myserver05.crt -extfile openssl.conf
                 

                This command directs the CA to use your CSR file to generate a server certificate.

                Your server certificate is contained in the output file.

                 

                This example shows how to create a CA and to generate a server certificate signed by the new CA. These commands are entered on a Linux server running OpenSSL.

                # /usr/bin/openssl genrsa -out ca.key 1024
                Generating RSA private key, 1024 bit long modulus
                .............++++++
                .....++++++
                e is 65537 (0x10001)
                # /usr/bin/openssl req -new -x509 -days 365 -key ca.key -out ca.crt
                You are about to be asked to enter information that will be incorporated
                into your certificate request.
                What you are about to enter is what is called a Distinguished Name or a DN.
                There are quite a few fields but you can leave some blank
                For some fields there will be a default value,
                If you enter '.', the field will be left blank.
                -----
                Country Name (2 letter code) [GB]:US
                State or Province Name (full name) [Berkshire]:California
                Locality Name (eg, city) [Newbury]:San Jose
                Organization Name (eg, company) [My Company Ltd]:Example Incorporated
                Organizational Unit Name (eg, section) []:Unit A
                Common Name (eg, your name or your server's hostname) []:example.com
                Email Address []:admin@example.com
                # echo "nsCertType = server" > openssl.conf
                # /usr/bin/openssl x509 -req -days 365 -in csr.txt -CA ca.crt -set_serial 01 -CAkey ca.key -out server.crt -extfile openssl.conf
                Signature ok
                subject=/C=US/ST=California/L=San Jose/O=Example Inc./OU=Unit A/CN=example.com/emailAddress=john@example.com
                Getting CA Private Key
                #
                
                What to Do Next

                Upload the new certificate to the CIMC.

                Uploading a Server Certificate

                Before You Begin

                You must log in as a user with admin privileges to upload a certificate.

                The certificate file to be uploaded must reside on a locally accessible file system.


                Note


                You must first generate a CSR using the CIMC Certificate Management menu, and you must use that CSR to obtain the certificate for uploading. Do not upload a certificate that was not obtained by this method.


                Procedure
                  Step 1   In the Navigation pane, click the Admin tab.
                  Step 2   On the Admin tab, click Certificate Management.
                  Figure 2. Certificate Management



                  Step 3   In the Actions area, click Upload Server Certificate.

                  The Upload Certificate dialog box appears.

                  Step 4   In the Upload Certificate dialog box, update the following properties:
                  Name Description

                  File field

                  The certificate file you want to upload.

                  Browse button

                  Opens a dialog box that allows you to navigate to the appropriate certificate file.

                  Caution   

                  After you select the certificate file using the Browse button, do not edit the certificate file name using the Backspace button on your keyboard. If you do, you will be logged out of CIMC.

                  Step 5   Click Upload Certificate.