Create keypair and import signed certificate in Management Center
Article ID: 184735
Updated On:
Products
Issue/Introduction
Management Center (MC) uses a self-signed certificate on the management web interface by default. MC supports creating a keyring (private key), signing requests, and importing signed certificates. It also supports importing private keys and signed certificates created off-box.
Note: Using self-signed certificates, customers will receive a browser errors complaining about the untrusted certificate unless that certificate is imported to the browser.
This procedure also applies Reporter versions 10.6 and Reporter 11.
Cause
All browsers come with a certificate trust store that has all public root Certificate Authorities (CA). Since Management Center's default certificate is self-signed the customer can eliminate the browser untrusted certificate issue by using a certificate signed by their trusted CA.
Resolution
Note: We suggest creating a temporary keyring such as "sslkey". Once you understand the overall process of the steps below, you can overwrite the keyring and certificate named "default".
In the example below, we will use a temporary keyring named "sslkey" to illustrate the steps of creating a keyring, signing request, and importing a signed certificate.
Create new keyring named "sslkey" on MC
conf tsslcreate keyring sslkey algorithm rsa length 2048 showable yesCreate certificate signing-request (CSR) for keyring "sslkey"
create signing-request sslkey subject C=US,ST=CA,O=Symantec,CN=mc.company.com alternative-names x.x.x.xView signing-request for keyring "sslkey"
view signing-request sslkeyconf tssl inline certificate sslkey(follow instruction on SSH screen)view keyring sslkey view keypair sslkeyview certificate sslkeyconf tsslinline keyring default showable yesinline certificate defaultinline ca-certificate internal_root_caedit ccl browser-trustedadd internal_root_ca
Additional Information
- MC presents the keyring named "default" when accessing the web management console which needs to be overwritten with new information if you wish to create a signed certificate.
- Device-communication should match the CN name or Server Alternative-Name you defined on your "default" signed certificate.
- "Default" certificate should be generated with a 2048 bit or higher RSA key, and should use the SHA2 hashing algorithm.
- When pasting certificate, use only one Carriage Return after the "-----END CERTIFICATE-----" line before entering ctrl-D to avoid the error message "% invalid format for certificate".
- MC only accepts PEM formats. It can also accept encrypted private keys. Openssl can be used to convert or extract other certificate formats to PEM (e.g. to convert PFX certificates to PEM use
$ openssl pkcs12 -in sslkey.pfx) - Getting the error "% certificate does not match keyring" indicates the signed certificate does not match the private key. In this situation, you can verify modulus of your RSA private key and signed certificate using openssl from the CLI:
openssl rsa -noout -modulus -in <your private key> | openssl md5openssl x509 -noout -modulus -in <signed certificate> | openssl md5$ openssl rsa -noout -modulus -in sslkey7.key | openssl md5(stdin)= 57a035f99570b76612483735a146efa5
$ openssl x509 -noout -modulus -in sslkey7.pem | openssl md5(stdin)= 57a035f99570b76612483735a146efa5
$ grep BEGIN sslkey7.key sslkey7.pemsslkey7.key:-----BEGIN PRIVATE KEY-----sslkey7.pem:-----BEGIN CERTIFICATE-----
- To include other attributes in the CSR fields, please refer to the command below as a guide:
MgmtCtr(config-ssl)# ssl create signing-request sslkey subject "C=US,ST=CA,OU=IT,L=New York,O=Example Company,CN=managementcenter.local,[email protected]" alternative-names x.x.x.x
Feedback
