重新申请UCSM自签名证书UCS会重启吗？

leimin fan · ‎06-12-2014

本帖最后由 fanleimin 于 2014-6-13 10:11 编辑
最近发现UCSM的自签名证书过期了,如下图：

网上查了一下，好像重新申请一个自签名证书UCS并不会重启，只是GUI界面暂时连接不到，请各位大牛鉴定一下。
申请方式如下：
The default (self-signed) UCSM keyring certificate must be manually regenerated if the cluster name changes or the certificate expires (it is valid for one year).
Affected object: sys/pki-ext/keyring-defaultDescription: default Keyring's certificate is invalid, reason: expiredCause: invalid-keyring-certificateCode: F0910

Here is what needs to be done:

Make sure Fabric Interconnects have correct time settings, preferably configured to synchronise time with a NTP server(s). UCSM – Admin – All – Timezone Management;
SSH to UCS Manager cluster IP address and login as an administrator user;
Issue the following commands:

VFC01-A# scope security

VFC01-A /security # scope keyring default

VFC01-A /security/keyring # set regenerate yes

VFC01-A /security/keyring* # commit-buffer
N.B. After you issue ‘commit-buffer‘ command, all GUI sessions will be disconnected;
After a couple of minutes, validate new certificate:

VFC01-A /security/keyring # scope security

VFC01-A /security # show keyring detail

Keyring default:

RSA key modulus: Mod1024

Trustpoint CA:

Cert Status: Valid
Open web browser, connect to UCSM cluster IP address and accept the certificate warning. BTW, It might be a good idea to look into getting a CA-signed certificate…

Mozilla Firefox users: Should you have any problems with new certificate, go to Tools – Options – Advanced – Encryption – View Certificates and delete old/expired UCSM certificates.

EMC UIM/P users: New certificate needs to be exported from UCSM and imported into UIM/P.

http://www.vstrong.info/2012/12/05/how-to-regenerate-expired-ucs-manager-certificate/