Create keypair and import signed certificate in Management Center

Products

Management Center

Issue/Introduction

Management Center (MC) uses the self-signed certificate on the management web interface by default. MC version 2.x and above supports creating keyring (private key), signing-request and importing signed certificate. It also support importing private key and signed certificate created offbox.

Note: commands presented on this article is applicable on 2.x and above. For version 1.11.x or below, please see article TECH248505

With self-signed certificate the customer gets the browser error complaining about the untrusted certificate

Cause

All browsers come with a certificate trust store that has all public root Certificate Authorities (CA). Since Management Center default certificate is self-signed the customer can eliminate the browser untrusted certificate issue by using a certificate signed by their trusted CA.

Resolution

Creating keyring, signing-request and importing signed certificate. ¹ On this example, we will use a keyring named sslkey.

Create new keyring named "sslkey" on MC

conf t

ssl

create keyring sslkey algorithm rsa length 2048 showable yes

Create certificate signing-request (CSR) for keyring "sslkey"

create signing-request sslkey subject "C=US,ST=CA,O=Symantec,CN=mc.company.com alternative-names 192.168.100.20"

View signing-request for keyring "sslkey"

view signing-request sslkey

Once CSR signed by your internal PKI server, import the signed certificate

conf t

ssl

inline certificate sslkey

(follow instruction on SSH screen)

To view keyring information under (config-ssl) prompt ²

view keyring sslkey

To view private key on MC - Copy to use later in the inline keyring default step

view keypair sslkey

To view certificate - Copy to use later in the inline certificate default step

view certificate sslkey

A private key and signed certificate created off box can also be imported to MC.

Note that example below will overwrite the "default" certificate

conf t

ssl

inline keyring default showable yes

(follow instruction on SSH screen pasting the private key collected in the view keypair sslkey step)

inline certificate default

(follow instruction on SSH screen pasting the public key collected in the view certificate sslkey step)

Internal Root and/or intermediate certificate signer should be imported to Management center and added to browser-trusted CCL.

To import root and/or intermediate ca under (config-ssl) prompt ³

inline ca-certificate internal_root_ca

(follow instruction on screen)

edit ccl browser-trusted

add internal_root_ca

Notes:

MC presents the keyring named "default" when accessing the web management console on which needs to be overwritten with new information if you wish to create a signed certificate.

Device-communication should match the CN name or Server Alternative-Name you defined on your "default" signed certificate.⁴

1. ^ https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/web-and-network-security/management-center/2-4/index/c_config_commands/c_ssl/c_ssl_create.html

2. ^ https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/web-and-network-security/management-center/2-4/index/c_config_commands/c_ssl/c_ssl_view.html

3. ^ https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/web-and-network-security/management-center/2-4/index/c_config_commands/c_ssl/c_ssl_inline.html

4. ^ https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/web-and-network-security/management-center/2-4/get-started/device_communication.html