UCS Manager and using Microsoft Certificate Authority

Answered Question
Aug 18th, 2010

Has anybody gone through the process of setting up UCS Manager with a certificate issued from a Microsoft Certificate Authority?  If so I would appreciate some assistance.  I was able to successfully create a request and have generated the certificate, but I see no way of being able to put the request and the certificate chain back into UCS Manager.

Correct Answer
HAROLD MEIER Wed, 08/18/2010 - 17:45

First you have to create a trusted point (under the Admin Tab -> Key Management). In the new trusted point, paste the public cert in base64 format of your root certificate authority. If you have a subordinate CA that's issuing then add that CA's cert too. If you have a whole tree of CAs, then you need to create a trusted point with all the CAs in the chain from the issuing CA up to the root. Paste one cert after the other, in order, up the chain, all in the same trusted point. If they're not in the right order or if you're missing the root, then the TP won't accept the cert.


Once you have a trusted point you can accept the certificate you generated. In the KeyRing you used to generate the request, choose the new Trusted Point, and paste the new certificate in Base64 format into the Certificate field.


Once that's done, you can go to Communication Management -> Communication Services, and for the HTTPS protocol, choose the new Key Ring. It might not take effect immediately, but after a few minutes your UCSM web site should start responding with the new certificate.


I hope that helps.


Note: There's a bug in UCS currently, issue number CSCth62582. If your fabric interconnects fail over, the SSL cert will revert to the default self-signed cert. You have to go back into Communication services and set it to default, save, then set it back to the new Key Ring.

russ.givens Wed, 08/18/2010 - 22:07

I was trying to do as you suggested, but I guess my problem is I don't see how to get the root and subordinate CA's certificates pasted into the appropriate field.  I download them from our Microsoft subordinate CA with a p7b file extension in Base64.  This contains the root, subordinate, and the certificate for the certificate request I submitted.  I just don't know how to take that and put it into the appropriate fields in UCS Manager.  There doesn't seem to be anything I can copy and paste.  On a Windows machine it's a matter of double clicking and placing the certificates in the appropriate stores.


Thanks for your help.

HAROLD MEIER Thu, 08/19/2010 - 08:16

It's the p7b format that's stopping you. That format compresses the certificate chain into one string. Instead, export each individual CA as a separate X.509 .cer file, then copy and paste those in series.
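
Added example, not part of the original thread: a Python sketch that takes the text printed by `openssl pkcs7 -print_certs -in chain.p7b` and returns the CA certificates in the order the trusted point expects (issuing CA first, root last), failing if the root is missing. The function names and the sample bundle are constructed for illustration, and certificates are linked by comparing subject and issuer strings only, with no signature verification.

```python
import re

# One entry of `openssl pkcs7 -print_certs` output: subject line, issuer line, PEM block.
ENTRY = re.compile(
    r"subject=(?P<subject>[^\n]*)\n\s*issuer=(?P<issuer>[^\n]*)\n\s*"
    r"(?P<pem>-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)", re.S)

def split_bundle(text):
    """Split the openssl output into one dict per certificate."""
    return [{k: m.group(k).strip() for k in ("subject", "issuer", "pem")}
            for m in ENTRY.finditer(text)]

def trusted_point_chain(text, leaf_subject):
    """Return the CA certs from the issuing CA up to the root, leaf excluded."""
    certs = {c["subject"]: c for c in split_bundle(text)}
    if leaf_subject not in certs:
        raise ValueError(f"no certificate with subject {leaf_subject!r}")
    chain, seen, wanted = [], {leaf_subject}, certs[leaf_subject]["issuer"]
    while True:
        if wanted in seen:
            raise ValueError(f"self-signed leaf or issuer loop at {wanted!r}")
        ca = certs.get(wanted)
        if ca is None:
            raise ValueError(f"chain incomplete: missing certificate for {wanted!r}")
        seen.add(wanted)
        chain.append(ca)
        if ca["issuer"] == ca["subject"]:  # self-signed, so this is the root
            return chain
        wanted = ca["issuer"]

def pem(tag):
    # Constructed placeholder body, not a real certificate.
    return f"-----BEGIN CERTIFICATE-----\nCONSTRUCTED{tag}\n-----END CERTIFICATE-----"

# Constructed sample in the shape openssl prints; bundle order is not chain order.
SAMPLE = "\n\n".join([
    f"subject=CN = Example Root CA\nissuer=CN = Example Root CA\n{pem('ROOT')}",
    f"subject=CN = ucsm.example.test\nissuer=CN = Example Issuing CA\n{pem('LEAF')}",
    f"subject=CN = Example Issuing CA\nissuer=CN = Example Root CA\n{pem('ISSUING')}",
])

if __name__ == "__main__":
    chain = trusted_point_chain(SAMPLE, "CN = ucsm.example.test")
    # Text to paste into the trusted point: issuing CA first, root last.
    print("\n".join(c["pem"] for c in chain))
```

The leaf certificate is left out of the result because it goes into the key ring's Certificate field, not the trusted point.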

russ.givens Mon, 08/23/2010 - 15:52

That worked very well.  Thanks a lot for the help.  I don't have any certificate errors in my web browser which indicates that the certificate works just fine.  Java complained about the certificate and I had to manually add the certificate for the subordinate / issuing CA, which is lame, but it works now.
