Customer wants to generate a CSR for the default SSL keyring on Management Center so that the factory self-signed certificate can be replaced with a certificate issued by the customer's own internal Certificate Authority.
Issues encountered while following the SSL keyring creation and certificate import procedure.
Before making any changes on the Management Center, take a backup. On version 3.x this can be done via the GUI (MC > Configuration > Backup Management) or via the CLI:
MC> enable
MC # backup create
MC# backup view
Note the index number of your most recent backup, then export it:
MC# backup export <index#> scheme://ip/path passphrase <your_desired_passphrase> username <file_server_username> password <<hit enter to be prompted to enter your server password>>
EXAMPLE: Management Center# backup export 1 scp://10.16.101.182/home/leo/mc passphrase mydesiredpassphrase username myusername password mypassword (omitting the password, as in the syntax above, prompts for it instead of echoing it on screen)
REPLACE SSL DEFAULT KEYRING
Sample machines hostnames that are resolved by DNS:
Windows Server CA: dc.yourdomain.local | MC: mc.yourdomain.local (192.168.1.30) | The terminal PC is joined to the same Active Directory domain
01. Open an SSH connection to your Management Center instance
02. Go to SSL configuration and create a CSR for the default SSL keyring
MC> enable
MC# configure terminal
MC (config)# ssl
MC (config-ssl)# create signing-request default subject C=US,ST=CA,O=YourOrganization,CN=mc.yourdomain.local alternative-names 192.168.1.30,mc.yourdomain.local
NOTE: The Common Name should be the hostname or FQDN of the Management Center, e.g. mc.yourdomain.com. Add Subject Alternative Names for the IP address and the hostname; modern browsers match the URL against the SANs, not the Common Name.
Pay close attention to the Common Name. It should be a hostname or FQDN that resolves to the MC appliance from outside of your protected network. This is the first step in ensuring that Internet-based browsers can trust the certificate the appliance presents.
03. View the generated signing request and copy the CSR so it can be signed by the local domain controller's CA
MC (config-ssl)# view signing-request default
-----BEGIN CERTIFICATE REQUEST-----
[...]
LBlY3B15/Vv3qtjsGSsmn9oWvkrEbL1c/f29LBcB0F6XqpnavUrIlLt79inLHZFx
3QRKTPDs2JLJYfzJaBY7m6oRYVZ1NleFcK1oMyFVGLCVkw4=
-----END CERTIFICATE REQUEST-----
04. Save this text, including the BEGIN and END lines, to a file with a name such as mgmt.csr.
Complete the following steps using Internet Explorer:
05. In Internet Explorer, open the URL of the Microsoft Certificate Authority web enrollment page. The default URL is http://server/certsrv (in our example http://dc.yourdomain.local/certsrv)
06. Click Request a certificate.
07. Click advanced certificate request.
08. Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request using a base-64-encoded PKCS #7 file.
09. (Optional) You may be prompted to install "Microsoft Certificate Enrollment Control ActiveX". Click Accept and continue.
10. Paste the CSR created above on the Management Center into the Saved Request field. Select Web Server as the Certificate Template. Click Submit.
NOTE: Do not use the Subordinate Certification Authority template; it issues a CA certificate (CA:TRUE, keyCertSign), not a server certificate.
11. Depending on the CA configuration, the certificate may be issued immediately or may first need approval by a CA administrator. Once issued, select Base 64 encoded and click Download certificate.
Save the certificate as mc.cer on your desktop.
Ex.
-----BEGIN CERTIFICATE-----
[...]
2ZPnvprOiN16e8IqRMTvgdW7tIVbdiDIAvx7iw969v9rXezFmWV6haKFHbh0aA/p
BdhMAI2WuFbuNmh58SpFOWqwp/UzBXGoBhWFnJmtGaLIk28=
-----END CERTIFICATE-----
12. Click Home in the top right corner of the page to return to the Certificate Authority server's home page
13. Click Download a CA certificate, certificate chain, or CRL (this is your domain's ROOT_CA)
14. Select the appropriate CA Certificate from the list at the top, select Base 64 as the encoding method and click Download CA certificate.
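Before pasting mc.cer into the appliance in step 15, confirm that the CA returned what was asked for. The shell function below is an added example and is not part of the original article or of Management Center itself. Using the openssl CLI on any workstation, it checks that the issued certificate carries the public key from the CSR, chains to the CA certificate downloaded in step 14, has the expected Common Name, and still contains every Subject Alternative Name that was requested; a CA template can silently strip request-supplied SANs, which later appears in the browser as a hostname mismatch rather than a trust error. The file names mgmt.csr, mc.cer and root_ca.cer, the function name and its arguments are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check an issued
# certificate against its CSR and the downloaded CA certificate before
# importing it into the "default" keyring. File names follow the article
# and are assumptions. Requires the openssl command-line tool.

# Usage: verify_issued_cert CSR CERT CA_BUNDLE EXPECTED_CN [EXPECTED_SAN...]
# Returns 0 only if every check passes; otherwise prints the failing check.
verify_issued_cert() {
    [ $# -ge 4 ] || { echo "usage: verify_issued_cert CSR CERT CA CN [SAN...]"; return 2; }
    csr=$1; cert=$2; ca=$3; cn=$4
    shift 4

    # 1. The certificate must contain the public key from our CSR. If it does
    #    not, the CA signed a different request (or the wrong file was
    #    downloaded) and it will not match the keyring's private key.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: cannot read CSR $csr"; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: cannot read certificate $cert"; return 1; }
    [ "$csr_pub" = "$cert_pub" ] || {
        echo "FAIL: public key in $cert does not match $csr"; return 1; }

    # 2. The certificate must chain to the CA certificate(s) downloaded from
    #    the CA web page; this is the same check a browser performs.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
        echo "FAIL: $cert does not chain to $ca"; return 1; }

    # 3. The subject CN must be the name administrators will type in the URL.
    #    (Handles both "CN = x" and "/CN=x" subject output formats.)
    subject=$(openssl x509 -in "$cert" -noout -subject)
    case "$subject" in
        *"CN = $cn"*|*"CN=$cn"*) ;;
        *) echo "FAIL: subject '$subject' lacks CN=$cn"; return 1 ;;
    esac

    # 4. Every requested SAN must have survived signing. The SAN extension is
    #    printed on the line following its header in the -text output.
    san_line=$(openssl x509 -in "$cert" -noout -text \
               | grep -A1 'Subject Alternative Name' | tail -n 1)
    for want in "$@"; do
        case "$san_line" in
            *"$want"*) ;;
            *) echo "FAIL: SAN '$want' missing from $cert (have:$san_line)"; return 1 ;;
        esac
    done

    echo "OK: $cert matches $csr, chains to $ca, CN and SANs present"
    return 0
}

# Example invocation with the article's names (adjust paths as needed):
# verify_issued_cert mgmt.csr mc.cer root_ca.cer mc.yourdomain.local \
#     "DNS:mc.yourdomain.local" "IP Address:192.168.1.30"
```

If the CA issued the certificate through an intermediate CA, concatenate the intermediate and root PEM files into the CA bundle passed as the third argument, and remember to import that intermediate in step 17 as well. A failure in check 4 means the CA did not honour the SANs from the CSR; fix the template or CA policy and reissue rather than importing a certificate that browsers will reject for the IP address or alternate hostname.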
Complete the following steps on the Management Center CLI:
15. Paste the contents of the issued Management Center certificate (mc.cer) into the default keyring; when asked whether to replace the existing certificate, answer yes
MC (config-ssl)# ssl inline certificate default
Replace: yes
16. View the keyring under the (config-ssl) prompt to confirm the new certificate is installed
MC (config-ssl)# view keyring default
The internal root CA certificate, and any intermediate CA certificate in the chain, must also be imported into Management Center and added to the browser-trusted CCL.
17. Import the root and/or intermediate CA certificate (ROOT_CA downloaded in step 14) under the (config-ssl) prompt
MC (config-ssl)# inline ca-certificate internal_root_ca
18. Add ROOT_CA to the browser-trusted certificate list
MC (config-ssl)# edit ccl browser-trusted
MC (config-ccl-browser-trusted)# add internal_root_ca
MC (config-ccl-browser-trusted)# exit
MC (config)# exit
MC#
19. Restart the Management Center web service from the CLI
MC# system-services stop management-center
MC# system-services start management-center
MC# system-services status management-center
20. The new certificate is now presented by the Management Center. Open a new browser window or clear the browser cache to see the change.
21. Open the MC URL using the hostname from the certificate (in this example Internet Explorer was used on a domain-joined PC, which already has the domain CA's root certificate installed).
22. If the browser still reports the certificate as untrusted, install the organization's root CA certificate, the intermediate certificate (if any) or the server certificate itself (optional) on the client PC. An untrusted issuer shows as NET::ERR_CERT_AUTHORITY_INVALID in Chromium-based browsers; NET::ERR_CERT_COMMON_NAME_INVALID instead means the hostname in the URL does not match the certificate's Common Name or Subject Alternative Names, so open the MC with exactly the name used in the CSR.
IMPORTANT: Make sure the CA certificates (root CA and, if present, the issuing/intermediate CA) are placed in the "Trusted Root Certification Authorities" store (intermediates in "Intermediate Certification Authorities") on the PC, and that the browser trusts your CA
https://www.wipo.int/pct-eservices/en/support/cert_import_backup_edge.html
NOTE: Your own CA is not a public, trusted root certification authority like DigiCert or GlobalSign, so it is normal that a site in a local environment is shown as insecure by default. The internal root CA certificate (which is itself self-signed) is not trusted by client PCs/browsers until they are explicitly configured to trust it, for example via Group Policy.
MORE:
Creating a Certificate Signing Request (CSR) and importing signed certificate in Management Center 2.x
https://knowledge.broadcom.com/external/article/171802/creating-a-certificate-signing-request-c.html
Create keypair and import signed certificate in Management Center
https://knowledge.broadcom.com/external/article/184735/create-keypair-and-import-signed-certifi.html