cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5593
Views
0
Helpful
5
Replies

UCS Manager and using Microsoft Certificate Authority

russ.givens
Level 1
Level 1

Has anybody gone through the process of setting up UCS Manager with a certificate issued from a Microsoft Certificate Authority?  If so I would appreciate some assistance.  I was able to successfully create a request and have generated the certificate, but I see no way of being able to put the request and the certificate chain back into UCS Manager.

1 Accepted Solution

Accepted Solutions

HAROLD MEIER
Level 1
Level 1

First you have to create a trusted point (under the Admin Tab -> Key Management). In the new trusted point, paste the public cert in base64 format of your root certificate authority. If you have a subordinate CA that's issuing then add that CA's cert too. If you have a whole tree of CAs, then you need to create a trusted point with all the CAs in the chain from the issueing CA up to the root. Paste one cert after the other, in order, up the chain, all in the same trusted point. If they're not in the right order or if you're missing the root, then the TP won't accept the cert.

Once you have a trusted point you can accept the certificate you generated. In the KeyRing you used to generate the request, choose the new Trusted Point, and paste the new certificate in Base64 format into the Certificate field.

Once that's done, you can go to Communication Management -> Communication Services, and for the HTTPS protocol, choose the new Key Ring. It might not take effect immediately, but after a few minutes your UCSM web site should start responding with the new certificate.

I hope that helps.

Note: There's a bug in UCS currently issue number CSCth62582. If your fabric interconnects fail over, the SSL cert will revert to the default self signed cert. You have to go back into Communication services and set it to default, save, then set it back to the new Key Ring.  

View solution in original post

5 Replies 5

HAROLD MEIER
Level 1
Level 1

First you have to create a trusted point (under the Admin Tab -> Key Management). In the new trusted point, paste the public cert in base64 format of your root certificate authority. If you have a subordinate CA that's issuing then add that CA's cert too. If you have a whole tree of CAs, then you need to create a trusted point with all the CAs in the chain from the issueing CA up to the root. Paste one cert after the other, in order, up the chain, all in the same trusted point. If they're not in the right order or if you're missing the root, then the TP won't accept the cert.

Once you have a trusted point you can accept the certificate you generated. In the KeyRing you used to generate the request, choose the new Trusted Point, and paste the new certificate in Base64 format into the Certificate field.

Once that's done, you can go to Communication Management -> Communication Services, and for the HTTPS protocol, choose the new Key Ring. It might not take effect immediately, but after a few minutes your UCSM web site should start responding with the new certificate.

I hope that helps.

Note: There's a bug in UCS currently issue number CSCth62582. If your fabric interconnects fail over, the SSL cert will revert to the default self signed cert. You have to go back into Communication services and set it to default, save, then set it back to the new Key Ring.  

I was trying to do as you suggested, but I guess my problem is I don't see how to get the root and subordinate CA's certificates pasted into the appropriate filed.  I download them from our Microsoft subordinate CA with a p7b file extension in Base64.  This contains the root, subordinate, and the certificate for the certificate request I submitted.  I just don't know how to take that and put it into the appropriate fields in UCS Manager.  There doesn't seem to be anything I can copy and paste.  On a windows machine it's a matter of double clicking and placing the certificates in the appropriate stores.

Thanks for your help.

It's the p7b format that's stopping you. That format compresses the certificate chain into one string. Instead, export each individual CA as a separate x.509 .cer file, then copy and paste those in series.

That worked very well.  Thanks a lot for the help.  I don't have any certificate errors in my web browser which indicates that the certificate works just fine.  Java complained about the certificate and I had to manually add the certificate for the subordinate / issuing CA, which is lame, but it works now.

I do not see "Trusted Point" dropdown under "Certificate" field after submitting SSL certificate request.I do have one trusted point created for the keyRing and also I have selcted the same keyRing under "Communication Services", can you please help in this ? Please find attached screenshot for your reference.

Review Cisco Networking for a $25 gift card

Review Cisco Networking for a $25 gift card