Create keypair and import signed certificate in Management Center

Article ID: 184735

Products

Management Center

Issue/Introduction

Management Center (MC) uses a self-signed certificate on the management web interface by default. MC version 2.x and above supports creating a keyring (private key) and a certificate signing request (CSR) on the appliance and importing the signed certificate. It also supports importing a private key and signed certificate created off-box.

Note: the commands presented in this article apply to version 2.x and above. For version 1.11.x or below, please see article TECH248505.

With the self-signed certificate, the browser shows an error complaining that the certificate is untrusted.

Cause

All browsers ship with a certificate trust store containing the public root Certificate Authorities (CAs). Since the Management Center default certificate is self-signed, the customer can eliminate the browser's untrusted-certificate error by using a certificate signed by a CA that the browser trusts.

Resolution

Creating a keyring and signing request, and importing the signed certificate. In this example we use a keyring named sslkey.

 
Create a new keyring named "sslkey" on MC
 
conf t
ssl
create keyring sslkey algorithm rsa length 2048 showable yes
 
Create a certificate signing request (CSR) for keyring "sslkey"
 
create signing-request sslkey subject "C=US,ST=CA,O=Symantec,CN=mc.company.com" alternative-names 192.168.100.20
 
View the signing request for keyring "sslkey"
 
view signing-request sslkey
 
 
Once the CSR has been signed by your internal PKI, import the signed certificate
 
conf t
ssl 
inline certificate sslkey
(follow the instructions on the SSH screen)
 
To view keyring information under the (config-ssl) prompt
 
view keyring sslkey 
 
To view the private key on MC (copy it to use later in the inline keyring default step)
 
view keypair sslkey
 
To view the certificate (copy it to use later in the inline certificate default step)
 
view certificate sslkey
 
A private key and signed certificate created off-box can also be imported into MC.
 
Note that the example below overwrites the "default" keyring and certificate.
 
conf t
ssl
inline keyring default showable yes
(follow the instructions on the SSH screen, pasting the private key collected in the view keypair sslkey step)
 
inline certificate default
(follow the instructions on the SSH screen, pasting the certificate collected in the view certificate sslkey step)
 
The internal root and/or intermediate CA certificate that signed the certificate should be imported into Management Center and added to the browser-trusted CCL.
 
To import the root and/or intermediate CA under the (config-ssl) prompt
 
inline ca-certificate internal_root_ca
(follow the instructions on screen)
 
edit ccl browser-trusted
add internal_root_ca
 
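As an added example (not from this article and not MC's own CLI), the shell script below prepares the off-box key and CSR with the same subject and alternative name as above, signs it with a throwaway lab CA standing in for your internal PKI, and runs the checks worth doing before pasting the key and certificate into MC via inline keyring default and inline certificate default. It assumes openssl is on the PATH; the lab CA, the file names and the WORK directory are constructed for the example.

```shell
#!/bin/sh
# Off-box keypair and CSR for Management Center, using the same subject and
# SAN as the on-box example. Assumes openssl is on the PATH. The "lab" CA,
# file names and the WORK directory are constructed for this example.
set -eu
WORK="${WORK:-$(mktemp -d)}"
SUBJ="/C=US/ST=CA/O=Symantec/CN=mc.company.com"
SAN="DNS:mc.company.com,IP:192.168.100.20"

# Step 1: RSA 2048 private key plus CSR carrying the SAN (the key is what
# gets pasted into 'inline keyring default' later).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ" \
    -addext "subjectAltName=$SAN" \
    -keyout "$WORK/sslkey.key" -out "$WORK/sslkey.csr" 2>/dev/null
}

# Step 2: stand-in for the internal PKI. A throwaway root CA signs the CSR;
# the SAN is re-applied via an extfile so it is not dropped from the cert.
sign_with_lab_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Lab Internal Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  printf 'subjectAltName=%s\n' "$SAN" > "$WORK/san.cnf"
  openssl x509 -req -in "$WORK/sslkey.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
    -extfile "$WORK/san.cnf" -out "$WORK/sslkey.crt" 2>/dev/null
}

# Step 3: checks to run before pasting anything into MC.
# (a) the certificate's public key is derived from the private key
key_matches_cert() {
  [ "$(openssl pkey -in "$WORK/sslkey.key" -pubout 2>/dev/null | openssl sha256)" = \
    "$(openssl x509 -in "$WORK/sslkey.crt" -pubkey -noout | openssl sha256)" ]
}
# (b) the SAN carries the name/IP that devices and browsers use to reach MC
san_contains() {
  openssl x509 -in "$WORK/sslkey.crt" -noout -text | grep -q "$1"
}
# (c) the chain validates against the CA that will be loaded with
#     'inline ca-certificate' and added to the browser-trusted CCL
chain_valid() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/sslkey.crt" >/dev/null 2>&1
}

# Print the PEM blocks in the order MC asks for them (key, then certificate).
show_for_paste() {
  cat "$WORK/sslkey.key" "$WORK/sslkey.crt"
}
```

Run make_csr, hand the CSR to your real CA instead of sign_with_lab_ca, then run the three checks against the returned certificate before importing.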
 
Notes:
MC presents the keyring named "default" when the web management console is accessed, so that keyring must be overwritten with the new key and certificate if you want the console to present a CA-signed certificate.
The hostname or IP address used for device communication should match the CN or a Subject Alternative Name (SAN) defined in your "default" signed certificate.