Cisco Support Community
New Member

UCS Manager and using Microsoft Certificate Authority

Has anybody gone through the process of setting up UCS Manager with a certificate issued from a Microsoft Certificate Authority?  If so I would appreciate some assistance.  I was able to successfully create a request and have generated the certificate, but I see no way of being able to put the request and the certificate chain back into UCS Manager.

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: UCS Manager and using Microsoft Certificate Authority

First you have to create a trusted point (under the Admin Tab -> Key Management). In the new trusted point, paste the public cert in base64 format of your root certificate authority. If you have a subordinate CA that's issuing then add that CA's cert too. If you have a whole tree of CAs, then you need to create a trusted point with all the CAs in the chain from the issuing CA up to the root. Paste one cert after the other, in order, up the chain, all in the same trusted point. If they're not in the right order or if you're missing the root, then the TP won't accept the cert.

Once you have a trusted point you can accept the certificate you generated. In the KeyRing you used to generate the request, choose the new Trusted Point, and paste the new certificate in Base64 format into the Certificate field.

Once that's done, you can go to Communication Management -> Communication Services, and for the HTTPS protocol, choose the new Key Ring. It might not take effect immediately, but after a few minutes your UCSM web site should start responding with the new certificate.

I hope that helps.

Note: There's currently a bug in UCS, issue number CSCth62582. If your fabric interconnects fail over, the SSL cert will revert to the default self-signed cert. You have to go back into Communication Services and set it to default, save, then set it back to the new Key Ring.

4 REPLIES
New Member

Re: UCS Manager and using Microsoft Certificate Authority

I was trying to do as you suggested, but I guess my problem is I don't see how to get the root and subordinate CA's certificates pasted into the appropriate field. I download them from our Microsoft subordinate CA with a p7b file extension in Base64. This contains the root, subordinate, and the certificate for the certificate request I submitted. I just don't know how to take that and put it into the appropriate fields in UCS Manager. There doesn't seem to be anything I can copy and paste. On a Windows machine it's a matter of double clicking and placing the certificates in the appropriate stores.

Thanks for your help.

New Member

Re: UCS Manager and using Microsoft Certificate Authority

It's the p7b format that's stopping you. That format compresses the certificate chain into one string. Instead, export each individual CA as a separate X.509 .cer file, then copy and paste those in series.
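Added example (not part of the thread, and not Cisco or Microsoft code): a standard-library Python routine that unpacks a Base64 .p7b like the one described above into the issued certificate for the key ring and the CA certificates ordered from the issuing CA up to the root for the trusted point. It assumes a definite-length DER bundle and that each issuer name is byte-identical to its CA's subject name; `split_p7b` and the helper names are hypothetical.

```python
# Added example; assumes definite-length DER and byte-identical issuer/subject names.
import base64, re

def _tlv(buf, pos):
    """Read one definite-length DER element: (tag, content_start, end)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def _kids(buf, start, end):
    """Elements inside buf[start:end] as (tag, elem_start, content_start, end)."""
    out = []
    while start < end:
        tag, body, stop = _tlv(buf, start)
        out.append((tag, start, body, stop))
        start = stop
    return out

def _names(cert):
    """Raw DER (issuer, subject) of one X.509 certificate."""
    _, _, body, end = _kids(cert, 0, len(cert))[0]            # Certificate
    _, _, body, end = _kids(cert, body, end)[0]               # tbsCertificate
    f = [k for k in _kids(cert, body, end) if k[0] != 0xA0]   # skip [0] version
    return cert[f[2][1]:f[2][3]], cert[f[4][1]:f[4][3]]

def _pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(re.findall(".{1,64}", b64))

def split_p7b(text):
    """Return (leaf_pem, [issuing_ca_pem, ..., root_pem]) from a Base64 .p7b."""
    der = base64.b64decode("".join(ln for ln in text.splitlines() if not ln.startswith("-----")))
    _, _, body, end = _kids(der, 0, len(der))[0]                     # ContentInfo
    wrap = next(k for k in _kids(der, body, end) if k[0] == 0xA0)    # [0] content
    _, _, body, end = _kids(der, wrap[2], wrap[3])[0]                # SignedData
    bag = next(k for k in _kids(der, body, end) if k[0] == 0xA0)     # certificates
    certs = [der[s:e] for _, s, _, e in _kids(der, bag[2], bag[3])]
    by_subject = {_names(c)[1]: c for c in certs}
    issuers = {i for i, s in map(_names, certs) if i != s}
    leaf = next(c for c in certs if _names(c)[1] not in issuers)     # issues nothing
    chain, cur = [], leaf
    while _names(cur)[0] != _names(cur)[1]:          # stop at the self-signed root
        cur = by_subject.get(_names(cur)[0])
        if cur is None or cur in chain:
            raise ValueError("chain is incomplete: root CA not in bundle")
        chain.append(cur)
    return _pem(leaf), [_pem(c) for c in chain]
```

The first return value goes into the key ring's Certificate field; the list, concatenated in the order returned, goes into the trusted point.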

New Member

Re: UCS Manager and using Microsoft Certificate Authority

That worked very well.  Thanks a lot for the help.  I don't have any certificate errors in my web browser which indicates that the certificate works just fine.  Java complained about the certificate and I had to manually add the certificate for the subordinate / issuing CA, which is lame, but it works now.
