Create UCSM Certificates with Subject Alternative Names

svillardi
Level 1

Hi,

A security audit found that my UCS has a mismatched certificate. The certificate includes the hostname (https://ucsm.domain.com) but not the subject alternative names of each fabric interconnect such as (https://ucsm-a.domain.com).

I think this can be done via CLI with a CSR created from an alternative config file, but I cannot understand the order.

https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/ucs-manager/CLI-User-Guides/Admin-Management/4-1/b_Cisco_UCS_Manager_CLI_Administration_Mgmt_Guide_4-1/b_Cisco_UCS_Manager_CLI_Administration_Mgmt_Guide_4-1_chapter_0111.html

Any assistance would be very helpful. Thank you.

3 Replies

Kirk J
Cisco Employee

External CAs stopped signing certs that had references to anything internal a few years ago, and I think that may have contributed to the lack of Alt subject name support on devices recently.

There is an older enhancement request for this: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh51173

https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.7.4.pdf page 77:

CAs SHALL NOT issue certificates with a subjectAltName extension or
subject:commonName field containing a Reserved IP Address or Internal Name

Ran across some older MS posts on enabling it, but it seems like everyone considers SAN to generally be a security risk, which is likely why the support for it is pretty spotty.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff625722(v=ws.10)

It may also be that, because external CAs will reject certs with internal SANs (which typically reference internal names/IPs), vendors like Cisco didn't want to build in cert request generators that would potentially create non-standard cert requests.

Maybe a good enhancement would be to have a selection for "external CA compatible" and one for internal only, that allowed for SAN with multiple values.

Kirk...

Thank you for the reply, Kirk. Is this still possible to do based on the documentation I provided in the Admin guide I referenced?

There is a section on Creating an Untrusted CA-Signed Certificate and Step 3 says:

openssl x509 -req -days 365 -in csr.txt -CA cert.pem -set_serial 04 -CAkey cert.private -out myserver05.crt -extfile openssl.conf

This command directs the CA to use your CSR file to generate a server certificate.

If this is a possible solution, will it work with SANs? If it will, can you please give me a brief detail of the order to add the cert via command line? I get very confused on the order of creating Key Rings and Trusted Points.
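As an added example (not the thread's or the Cisco guide's own code), the script below runs the Step 3 command quoted above with and without an extension file, showing that the subjectAltName list in the signed certificate comes from openssl.conf and not from the CSR, and then checks the result the way an audit scanner does (hostname against SAN entries, not the CN). It assumes openssl is on the path and uses ucsm-b.domain.com as an assumed name for the second fabric interconnect.

```shell
# Added example, not from the thread or the Cisco guide: build a throwaway CA
# and a CN-only CSR (as UCSM emits), sign it with and without the guide's
# "-extfile openssl.conf", then check the SAN list as an audit scanner would.
set -eu

# ucsm.domain.com / ucsm-a.domain.com come from the post; ucsm-b.domain.com is
# an assumed name for the second fabric interconnect.
CN="ucsm.domain.com"
SANS="DNS:ucsm.domain.com,DNS:ucsm-a.domain.com,DNS:ucsm-b.domain.com"
# make_cert san|nosan : sign the CSR, print the path of the resulting cert.
make_cert() {
  dir=$(mktemp -d)
  (
    cd "$dir"
    # Untrusted (self-signed) CA, as in the guide's "Untrusted CA-Signed" flow.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout cert.private \
      -out cert.pem -days 365 -subj "/CN=Lab Internal CA" >/dev/null 2>&1
    # Server key and CSR carrying a CN only, no subjectAltName.
    openssl req -new -newkey rsa:2048 -nodes -keyout myserver05.key \
      -out csr.txt -subj "/CN=$CN" >/dev/null 2>&1
    # Extension file: "x509 -req" reads the unnamed default section when no
    # -extensions option is given, so this is all the extfile needs.
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = %s\n' "$SANS" \
      > openssl.conf
    # Step 3 of the guide. "x509 -req" ignores extensions inside the CSR, so
    # the SAN list of the result comes from the extfile alone ($ext unquoted
    # on purpose so it splits into the option and its file name).
    ext=""
    if [ "$1" = san ]; then ext="-extfile openssl.conf"; fi
    openssl x509 -req -days 365 -in csr.txt -CA cert.pem -set_serial 04 \
      -CAkey cert.private -out myserver05.crt $ext 2>/dev/null
  )
  echo "$dir/myserver05.crt"
}

# cert_has_san CERT NAME : exit 0 if NAME is a DNS entry of the SAN extension.
# TLS clients match the hostname against SAN entries, not the CN, which is why
# a CN-only cert is reported as mismatched for ucsm-a.domain.com.
cert_has_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tr -d ' ' | sed 's/$/,/' \
    | grep -Fq "DNS:$2,"
}

# Stand-alone run: one line per check.
with=$(make_cert san); without=$(make_cert nosan)
for n in ucsm.domain.com ucsm-a.domain.com ucsm-b.domain.com; do
  cert_has_san "$with" "$n" && echo "with extfile:    $n present"
  cert_has_san "$without" "$n" || echo "without extfile: $n missing"
done
```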

Hello Kirk.

Is it possible to remove the Critical mark of Subject alternative name when UCS Manager generates a CSR?

Without the Critical mark, the CA can ignore the value of Subject alternative name.

I look forward to your feedback.
Thank you.
