UCS Manager and using Microsoft Certificate Authority

russ.givens
Level 1

Has anybody gone through the process of setting up UCS Manager with a certificate issued from a Microsoft Certificate Authority?  If so I would appreciate some assistance.  I was able to successfully create a request and have generated the certificate, but I see no way of being able to put the request and the certificate chain back into UCS Manager.

1 Accepted Solution

HAROLD MEIER
Level 1

First you have to create a trusted point (under the Admin Tab -> Key Management). In the new trusted point, paste the public cert in base64 format of your root certificate authority. If you have a subordinate CA that's issuing then add that CA's cert too. If you have a whole tree of CAs, then you need to create a trusted point with all the CAs in the chain from the issuing CA up to the root. Paste one cert after the other, in order, up the chain, all in the same trusted point. If they're not in the right order or if you're missing the root, then the TP won't accept the cert.

Once you have a trusted point you can accept the certificate you generated. In the KeyRing you used to generate the request, choose the new Trusted Point, and paste the new certificate in Base64 format into the Certificate field.

Once that's done, you can go to Communication Management -> Communication Services, and for the HTTPS protocol, choose the new Key Ring. It might not take effect immediately, but after a few minutes your UCSM web site should start responding with the new certificate.

I hope that helps.

Note: There's currently a bug in UCS, issue number CSCth62582. If your fabric interconnects fail over, the SSL cert will revert to the default self-signed cert. You have to go back into Communication Services and set it to default, save, then set it back to the new Key Ring.

I was trying to do as you suggested, but I guess my problem is I don't see how to get the root and subordinate CA's certificates pasted into the appropriate field.  I download them from our Microsoft subordinate CA with a p7b file extension in Base64.  This contains the root, subordinate, and the certificate for the certificate request I submitted.  I just don't know how to take that and put it into the appropriate fields in UCS Manager.  There doesn't seem to be anything I can copy and paste.  On a Windows machine it's a matter of double clicking and placing the certificates in the appropriate stores.

Thanks for your help.

It's the p7b format that's stopping you. That format compresses the certificate chain into one string. Instead, export each individual CA as a separate X.509 .cer file, then copy and paste those in series.
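
The export step from the reply above, combined with the accepted answer's ordering rule (issuing CA first, root last, root must be present), as an added PowerShell example that is not part of the original thread. The function names and file names are hypothetical, and it assumes the .p7b holds exactly one end-entity certificate and that issuer links can be matched on the distinguished-name strings.

```powershell
# Added example: turns a Base64 .p7b bundle into the two pastes UCS Manager
# needs. Function names and file names are hypothetical.
function ConvertTo-Pem($Cert) {
    $b64 = [Convert]::ToBase64String($Cert.RawData)
    $lines = $b64 -split '(.{64})' | Where-Object { $_ }   # 64 chars per line
    (@('-----BEGIN CERTIFICATE-----') + $lines + '-----END CERTIFICATE-----') -join "`n"
}

function Split-P7bForUcs {
    param([Parameter(Mandatory)][string]$Path)

    $all = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $all.Import((Resolve-Path $Path).Path)

    # End-entity cert: not self-signed, and not the issuer of anything in the bundle
    $leaf = @($all | Where-Object {
        $c = $_
        $c.Subject -ne $c.Issuer -and -not ($all | Where-Object { $_.Issuer -eq $c.Subject })
    })
    if ($leaf.Count -ne 1) { throw "Expected one end-entity certificate, found $($leaf.Count)" }

    # Walk issuer links upward: issuing CA first, self-signed root last
    $chain = @()
    $current = $leaf[0]
    while ($current.Subject -ne $current.Issuer) {
        $issuer = $all | Where-Object { $_.Subject -eq $current.Issuer } | Select-Object -First 1
        if (-not $issuer) { throw "Chain incomplete: no certificate for '$($current.Issuer)'" }
        if ($chain -contains $issuer) { throw "Issuer loop at '$($issuer.Subject)'" }
        $chain += $issuer
        $current = $issuer
    }

    [pscustomobject]@{
        Order        = @($chain | ForEach-Object { $_.Subject })
        TrustedPoint = ($chain | ForEach-Object { ConvertTo-Pem $_ }) -join "`n"
        KeyRingCert  = ConvertTo-Pem $leaf[0]
    }
}

# Usage (file names are placeholders):
$r = Split-P7bForUcs -Path .\ucsm-chain.p7b
$r.Order                                             # confirm the order before pasting
$r.TrustedPoint | Set-Content .\trusted-point.txt    # paste into the trusted point
$r.KeyRingCert  | Set-Content .\keyring-cert.txt     # paste into the key ring's Certificate field
```

A thrown "Chain incomplete" error means the bundle lacks a CA certificate, which is the missing-root condition the accepted answer says the trusted point rejects.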

That worked very well.  Thanks a lot for the help.  I don't have any certificate errors in my web browser which indicates that the certificate works just fine.  Java complained about the certificate and I had to manually add the certificate for the subordinate / issuing CA, which is lame, but it works now.

I do not see the "Trusted Point" dropdown under the "Certificate" field after submitting the SSL certificate request. I do have one trusted point created for the keyRing and I have also selected the same keyRing under "Communication Services". Can you please help with this? Please find the attached screenshot for your reference.
