UCS KVM SSL certificate

TRITInfrastructure · ‎11-13-2017

Hi there,

I've looked around to see if there's any documentation regarding the KVM SSL certificate however I can't seem to see anything, is this something that's even possible?

I've added a self signed cert to my UCS environment and can access the CIMC without any SSL warnings but can't see any way to stop the SSL warning for KVMs.

Thanks,

Tobias

fr.mueller · ‎12-08-2017

Hi,

back 2015 i ask a cisco engineer at vmworld about that. This was the response.

We spoke during VMworld and you asked me about how to update the certificate for UCSM KVM.

I’ve done some investigation and realised that we may have a challenge there. Currently we can't allow external certificates for KVM.

The root-cause of this issue is due to use of hard-coded certificates in Avocent KVM (which is the solution UCSM is using). It is the host which is doing certificate verification and UCSM cannot disable it.

At the moment UCSM doesn't support installing external CA signed certificates on CIMC of individual blade servers. The certificates are generated with ip-address in subjectName/SubjectAltName and there is no hostname/dns entry mapping available. So every time the ip-address is modified, we need to re-issue self-signed certificate. The same is not quite simple with external singed CA as we are not using hostname/dns to access server.

There is a case open at Cisco to get this fixed, but I don’t have a timeline yet as we are dependent on our partner Avocent.

Apologies if these are not the best news.

Please let me know if there is any other thing I can do for you.

No news about that

Frank

Pom Ham · ‎09-04-2018

There have been some updates since your last post.

For the m5 series, 3.2(2x) has the enhancement to add self-signed cert to the cimc. For the m4 and m3 blades, it requires 4.0 our latest firmware.
Please see the bug below.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva19420/?reffering_site=dumpcr