Replace Management Center HTTPS SSL default keyring with certificate issued by a Microsoft Certification Authority server
Article ID: 261803


Products

Management Center - VA Management Center

Issue/Introduction

The customer wants to generate a CSR for the default SSL keyring on Management Center so that the default certificate can be replaced with one issued by the customer's own Certificate Authority.

Environment

Release :

Cause

Difficulties following the SSL keyring creation procedure.

Resolution

BACKUP EXISTING MANAGEMENT CENTER CONFIGURATION
 

Before making any changes on the Management Center, take a backup. On version 3.x this can be done via the GUI (MC > Configuration > Backup Management) or via the CLI:

MC> enable

MC# backup create

MC# backup view

Note the index number of your most recent backup, then export it:

MC# backup export <index#> scheme://ip/path passphrase <your_desired_passphrase> username <file_server_username>  password <<hit enter to be prompted to enter your server password>>

EXAMPLE: Management Center# backup export 1 scp://10.16.101.182/home/leo/mc passphrase mydesiredpassphrase username myusername password mypassword

 

REPLACE SSL DEFAULT KEYRING

 

Sample machines hostnames that are resolved by DNS:

Windows Server CA: dc.yourdomain.local  |   MC: mc.yourdomain.local (192.168.1.30)  |  Terminal PC is under same Active Directory

 

01. Open a SSH connection to your Management Center instance

02. Go to SSL configuration and create a CSR for the default SSL keyring

MC> enable

MC# configure terminal

MC (config)# ssl

MC (config-ssl)# create signing-request default subject C=US,ST=CA,O=YourOrganization,CN=mc.yourdomain.local alternative-names 192.168.1.30,mc.yourdomain.local

NOTE: The Common Name should be the hostname or FQDN of the Management Center, e.g. mc.yourdomain.com. Add Subject Alternative Names for the IP address and the hostname.

Pay close attention to the Common Name. It should be a hostname or FQDN that resolves to the MC appliance from wherever clients connect, including outside your protected network. This is the first step in ensuring that browsers can trust the certificate the appliance presents.

 

03. View the generated signing request and copy the CSR so it can be signed by the local domain controller's CA

MC (config-ssl)# view signing-request default

 

-----BEGIN CERTIFICATE REQUEST-----

[...]

LBlY3B15/Vv3qtjsGSsmn9oWvkrEbL1c/f29LBcB0F6XqpnavUrIlLt79inLHZFx

3QRKTPDs2JLJYfzJaBY7m6oRYVZ1NleFcK1oMyFVGLCVkw4=

-----END CERTIFICATE REQUEST-----

 

04. Save this text in a file and give it a name such as mgmt.csr. Click Close.

Complete the following steps using Internet Explorer:

05. In Internet Explorer, open the URL of the Microsoft Certificate Authority server. The default URL is generally http://server/certsrv (in our example, dc.yourdomain.local/certsrv)

06. Click Request a certificate.

07. Click advanced certificate request.

08. Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request using a base-64-encoded PKCS #7 file.

09. (Optional)  You may be prompted to install "Microsoft Certificate Enrollment Control ActiveX".  Click Accept and continue.

10. In the Saved Request field, paste the CSR created above on the Management Center. Select Web Server as the Certificate Template. Click Submit.

NOTE: Do not use the Subordinate Certification Authority template; the Management Center needs a server (leaf) certificate, not a CA certificate.

 

11. Depending on the configuration of the CA, the certificate may be issued immediately or it may need to be approved by a CA administrator. Once it is issued, select Base 64 encoded and click Download certificate.

Save the certificate as mc.cer on your desktop.

Ex.

-----BEGIN CERTIFICATE-----

[...]

2ZPnvprOiN16e8IqRMTvgdW7tIVbdiDIAvx7iw969v9rXezFmWV6haKFHbh0aA/p

BdhMAI2WuFbuNmh58SpFOWqwp/UzBXGoBhWFnJmtGaLIk28=

-----END CERTIFICATE-----

 

12. Click Home in the top right corner of the page to return to the home page of the Certificate Authority server

13. Click Download a CA certificate, certificate chain, or CRL (your domain ROOT_CA)

14. Select the appropriate CA certificate from the list at the top, select Base 64 as the encoding method and click Download CA certificate. This is the ROOT_CA file imported in step 17.

 

Complete the following steps on the Management Center CLI:

 

15. Paste the contents of the issued Management Center certificate (mc.cer) into the default keyring; answer "yes" when asked whether to replace the existing certificate:

 

MC (config-ssl)# ssl inline certificate default

Replace: yes

 

16. View the keyring information under the (config-ssl) prompt to confirm the new certificate is installed:

MC (config-ssl)# view keyring default

The internal root and/or intermediate CA certificate that signed the Management Center certificate must also be imported into Management Center and added to the browser-trusted CCL.

 

17. Import the root and/or intermediate CA certificate (ROOT_CA, downloaded in step 14) under the (config-ssl) prompt:

MC (config-ssl)# inline ca-certificate internal_root_ca

18. Add ROOT_CA to the browser-trusted certificate list:

MC (config-ssl)# edit ccl browser-trusted

MC (config-ccl-browser-trusted)# add internal_root_ca

MC (config-ccl-browser-trusted)# exit

MC (config)# exit

MC#

 

19. Restart the Management Center web service from the CLI so the new keyring is used:

MC# system-services stop management-center
MC# system-services start management-center
MC# system-services status management-center

 

20. The new certificate should now be in use by the Management Center. Open a new browser window or clear the browser cache to see the difference.

21. Open the MC URL using the hostname from the certificate's Common Name (in this example Internet Explorer was used, which already trusts the root certificate of the domain's Certificate Authority).

 

 

22. If the browser reports the certificate as untrusted, the organization's root CA certificate, the intermediate certificate (if any) or the ProxySG certificate (if applicable) must be installed on the client PC. Make sure the certificate presented at the MC URL is trusted by the browser; otherwise the browser will flag the certificate signed by your root Certificate Authority with an error such as NET::ERR_CERT_COMMON_NAME_INVALID.

IMPORTANT: Make sure that the certificates (rootCA, ManagementCenterCA) are also placed in the "Trusted Root Certification Authorities" store on the PC and that the browser trusts your CA.

https://www.wipo.int/pct-eservices/en/support/cert_import_backup_edge.html  

 

NOTE: Your own CA is not a public, trusted root certification authority like DigiCert, GlobalSign, etc., so it is normal for a site in a local environment to be presented as insecure by default. The certificate and root CA are not trusted by the client PC/browser unless your terminals have been explicitly configured to trust them.
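The following is an added example, not part of this article or of Management Center itself. It shows pre-flight checks an administrator can run with openssl on a workstation before step 15 (importing mc.cer into the default keyring): the issued certificate must carry the keyring's public key, cover the hostname and IP from the CSR, chain to the downloaded ROOT_CA, and be a leaf certificate rather than a CA certificate. The key, CSR and "Demo Root CA" are constructed inside the script to stand in for the MC keyring and the Windows CA; with real files, call check_issued_cert with mgmt.csr, mc.cer and the downloaded root CA instead.

```shell
#!/bin/sh
# Added example (not Broadcom's code): openssl pre-flight checks for mc.cer.
set -e
WORK=$(mktemp -d)

make_demo_files() {
  # Constructed CSR with the same subject as the article's CLI command; on a
  # real MC the CSR text comes from "view signing-request default".
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/mc.key" -out "$WORK/mgmt.csr" \
    -subj "/C=US/ST=CA/O=YourOrganization/CN=mc.yourdomain.local" 2>/dev/null
  printf 'subjectAltName=DNS:mc.yourdomain.local,IP:192.168.1.30\nbasicConstraints=CA:FALSE\n' \
    > "$WORK/ext.cnf"
  # Constructed throwaway root CA standing in for dc.yourdomain.local.
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/root_ca.cer" -subj "/CN=Demo Root CA" -days 1 2>/dev/null
  openssl x509 -req -in "$WORK/mgmt.csr" -CA "$WORK/root_ca.cer" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/ext.cnf" -out "$WORK/mc.cer" -days 1 2>/dev/null
}

# 1. The public key in mc.cer must equal the key in the CSR (the keyring's key);
#    otherwise "inline certificate default" pairs the cert with the wrong key.
key_matches() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl req -in "$2" -noout -pubkey)" ]
}
# 2. The name or IP typed into the browser (step 21) must be covered by the
#    CN/SAN, or the client sees NET::ERR_CERT_COMMON_NAME_INVALID (step 22).
covers_host() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match'; }
covers_ip()   { openssl x509 -in "$1" -noout -checkip   "$2" | grep -q ' does match'; }
# 3. The cert must chain to the ROOT_CA downloaded in step 14, the same file
#    that is imported with "inline ca-certificate internal_root_ca".
chains_to_root() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }
# 4. It must be a leaf (Web Server template), not a CA certificate as produced
#    by the Subordinate Certification Authority template.
is_leaf() { ! openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# usage: check_issued_cert mc.cer mgmt.csr root_ca.cer <hostname> <ip>
check_issued_cert() {
  key_matches "$1" "$2" && covers_host "$1" "$4" && covers_ip "$1" "$5" \
    && chains_to_root "$1" "$3" && is_leaf "$1"
}

make_demo_files
check_issued_cert "$WORK/mc.cer" "$WORK/mgmt.csr" "$WORK/root_ca.cer" \
  mc.yourdomain.local 192.168.1.30 && echo "mc.cer is ready to import into the default keyring"
```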

Additional Information

MORE:

Creating a Certificate Signing Request (CSR) and importing signed certificate in Management Center 2.x
https://knowledge.broadcom.com/external/article/171802/creating-a-certificate-signing-request-c.html 

Create keypair and import signed certificate in Management Center
https://knowledge.broadcom.com/external/article/184735/create-keypair-and-import-signed-certifi.html