Create keypair and import signed certificate in Management Center
search cancel

Create keypair and import signed certificate in Management Center

book

Article ID: 184735

calendar_today

Updated On:

Products

Management Center Reporter-VA Reporter-S500

Issue/Introduction

Management Center (MC) uses the self-signed certificate on the management web interface by default.     MC version 2.x and above supports creating keyring (private key), signing-request and importing signed certificate.   It also support importing private key and signed certificate created off-box.   

Note:  commands presented on this article is applicable on 2.x and 3.x. 

With self-signed certificate the customer gets the browser error complaining about the untrusted certificate

Same procedure applies Reporter versions 10.6 and  Reporter 11 

Cause

All browsers come with a certificate trust store that has all public root Certificate Authorities (CA). Since Management Center default certificate is self-signed the customer can eliminate the browser untrusted certificate issue by using a certificate signed by their trusted CA.

Resolution

Note: Suggest to create  temporary keyring such as "sslkey" or any name you prefer.  Once you understood the overall process of given steps below, you can easily overwrite the keyring and certificate named "default" 

Creating keyring, signing-request and importing signed certificate 1  .   On this example, we will use a temporary keyring named "sslkey".   

 
Create new keyring named "sslkey" on MC 
 
conf t
ssl
create keyring sslkey algorithm rsa length 2048 showable yes
 
Create certificate signing-request (CSR) for keyring "sslkey"
 
create signing-request sslkey subject C=US,ST=CA,O=Symantec,CN=mc.company.com alternative-names x.x.x.x
 
View signing-request for keyring "sslkey"
 
view signing-request sslkey
 
 
Once CSR signed by your internal PKI server (use the "Web Server" template on Microsoft CA),  import the signed certificate 
 
conf t
ssl 
inline certificate sslkey
(follow instruction on SSH screen)
 
To view keyring information under (config-ssl) prompt 2
 
view keyring sslkey 
 
To view private key on MC - Copy to use later in the inline keyring default step
 
view keypair sslkey
 
To view certificate - Copy to use later in the inline certificate default ​step
   
view certificate sslkey
 
 A private key and signed certificate created off box can also be imported to MC.   
 
Note that  example below will overwrite the "default" certificate
 
conf t
ssl
inline keyring default showable yes
(follow instruction on SSH screen pasting the private key collected in the view keypair sslkey step)
 
inline certificate default
(follow instruction on SSH screen pasting the public key collected in the view certificate sslkey ​step)
 
Internal Root and/or intermediate certificate signer should be imported to Management center and added to browser-trusted CCL.
 
To import root and/or intermediate ca under (config-ssl) prompt 3
 
inline ca-certificate internal_root_ca
(follow instruction on screen)
 
edit ccl browser-trusted
add internal_root_ca
 

 

Additional Information

 
- MC presents the keyring named "default" when accessing the web management console on which needs to be overwritten with new information if you wish to create a signed certificate.  
- Device-communication should match the CN name or Server Alternative-Name you defined on your "default" signed certificate.4
- "Default" certificate should be generated with a 2048 bit or higher RSA key, and should use the SHA2 hashing algorithm.
-  When pasting certificate, only one Carriage Return  after "-----END CERTIFICATE-----"  prior ctrl-D to avoid  error message  "% invalid format for certificate".    
- MC only accepts PEM formats, it can accept encrypted private key.   Tip:   openssl can be used to convert or extract other certificate formats to PEM (e.g.  to view  (PEM) certificates from PFX   >  $openssl pkcs12 -in sslkey.pfx)
- "% certificate does not match keyring" indicates the signed certificate does not match the private key.   On this situation, you can verify modulus of your RSA private key and signed certificate using openssl 
 
 
openssl rsa -noout -modulus -in <your private key> | openssl md5
openssl x509 -noout -modulus -in <signed certificate> | openssl md5
 
e.g.

$openssl rsa -noout -modulus -in sslkey7.key | openssl md5
(stdin)= 57a035f99570b76612483735a146efa5

$openssl x509 -noout -modulus -in sslkey7.pem | openssl md5
(stdin)= 57a035f99570b76612483735a146efa5

$grep BEGIN sslkey7.key sslkey7.pem
sslkey7.key:-----BEGIN PRIVATE KEY-----
sslkey7.pem:-----BEGIN CERTIFICATE-----

- To include other attributes to the CSR fields, please refer to the below, as a guide.

MgmtCtr(config-ssl)# ssl create signing-request sslkey subject "C=US,ST=CA,OU=IT,L=New York,O=Example Company,CN=managementcenter.local,[email protected]" alternative-names x.x.x.x

 

Powered by Wolken Software