Create keypair and import signed certificate in Management Center


Article ID: 184735


Updated On:


Management Center


Management Center (MC) uses a self-signed certificate on the management web interface by default. MC version 2.x and above supports creating a keyring (private key) and a signing-request, and importing a signed certificate. It also supports importing a private key and signed certificate created off box.

Note: The commands presented in this article apply to 2.x and 3.x. For version 1.11.x or below, please see article TECH248505.

With a self-signed certificate, the customer gets a browser error complaining about the untrusted certificate.


All browsers come with a certificate trust store that has all public root Certificate Authorities (CAs). Since the Management Center default certificate is self-signed, the customer can eliminate the browser untrusted certificate issue by using a certificate signed by their trusted CA.


Note: We suggest creating a temporary keyring such as "sslkey", or any name you prefer. Once you understand the overall process in the steps below, you can easily overwrite the keyring and certificate named "default".

Creating keyring, signing-request and importing signed certificate

In this example, we will use a temporary keyring named "sslkey".

Create a new keyring named "sslkey" on MC:

    conf t
    create keyring sslkey algorithm rsa length 2048 showable yes

Create a certificate signing-request (CSR) for keyring "sslkey":

    create signing-request sslkey subject "C=US,ST=CA,O=Symantec, alternative-names"

View the signing-request for keyring "sslkey":

    view signing-request sslkey

Once the CSR has been signed by your internal PKI server, import the signed certificate:

    conf t
    inline certificate sslkey

(follow the instructions on the SSH screen)

To view keyring information under the (config-ssl) prompt:

    view keyring sslkey

To view the private key on MC (copy it to use later in the inline keyring default step):

    view keypair sslkey

To view the certificate (copy it to use later in the inline certificate default step):

    view certificate sslkey

A private key and signed certificate created off box can also be imported to MC.

Note that the example below will overwrite the "default" certificate.

    conf t
    inline keyring default showable yes

(follow the instructions on the SSH screen, pasting the private key collected in the view keypair sslkey step)

    inline certificate default

(follow the instructions on the SSH screen, pasting the certificate collected in the view certificate sslkey step)

The internal root and/or intermediate CA certificate that signed the certificate should be imported to Management Center and added to the browser-trusted CCL.

To import the root and/or intermediate CA under the (config-ssl) prompt:

    inline ca-certificate internal_root_ca

(follow the instructions on screen)

    edit ccl browser-trusted
    add internal_root_ca

MC presents the keyring named "default" when the web management console is accessed, so that keyring needs to be overwritten with the new information if you wish to use a signed certificate.

Device-communication should match the CN or Subject Alternative Name you defined in your "default" signed certificate.
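
Added example (not part of the original article or the vendor's tooling): a POSIX shell script using the openssl command line to check, before the inline keyring default and inline certificate default steps, that the certificate carries the private key's public key, chains to the internal root CA, and covers the host name used to reach the console. It assumes unencrypted PEM files; the file names, the host name mc.example.test and the throwaway CA are constructed for the demo.

```shell
#!/bin/sh
# Added example: off-box checks on a key/certificate pair before it is pasted
# into "inline keyring" / "inline certificate". File and host names are constructed.

# Print the public key (PEM) held in a private key, CSR or certificate.
pub() {  # $1 = key|csr|cert, $2 = PEM file
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
  esac 2>/dev/null
}

# Succeed only if the certificate carries the key's public key, chains to the
# internal CA, and is valid for the host name used to reach the console.
check_pair() {  # $1 = key, $2 = cert, $3 = CA bundle, $4 = host name
  k=$(pub key "$1"); c=$(pub cert "$2")
  [ -n "$k" ] && [ "$k" = "$c" ] || { echo "key/cert mismatch"; return 1; }
  openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 ||
    { echo "chain does not verify"; return 1; }
  openssl x509 -in "$2" -noout -checkhost "$4" | grep -q "does match" ||
    { echo "name not in certificate"; return 1; }
  echo "ok"
}

# Build a constructed root CA, server key, CSR and signed certificate in $1.
make_demo() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Example/CN=Constructed Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/C=US/ST=CA/O=Example/CN=mc.example.test" \
    -keyout "$1/mc.key" -out "$1/mc.csr" 2>/dev/null
  printf 'subjectAltName=DNS:mc.example.test\n' > "$1/ext.cnf"
  openssl x509 -req -in "$1/mc.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$1/ext.cnf" -days 1 -out "$1/mc.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_demo "$demo"
check_pair "$demo/mc.key" "$demo/mc.pem" "$demo/ca.pem" mc.example.test  # ok
```

The same pub helper can compare the output of view signing-request against the signed certificate returned by the PKI server, using pub csr and pub cert.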