cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Field Notice 70545
7626
Views
18
Helpful
11
Replies
dbrown
Beginner

Importing CIMC SSL Server Certificate using internal CA

We have to replace the self-signed SSL certificates that come with our C220-M3 CIMC with some server certificates from our internal CA server.  Is it possible to do this?  I tried importing the certificates, but an error was generated stating that the certificate couldn't be validated.  I assuming that the cause of this error is the fact that the CIMC doesn't recognize our internal CA as an authority server.  If this is so, then how can I import my CA's certificate in order to recognize it as an authority server?

11 REPLIES 11
padramas
Cisco Employee

Hello David,

We should be able to import certificate signed by CA. Can you please try following steps and let me know the outcome ?

http://www.cisco.com/en/US/docs/unified_computing/ucs/c/sw/gui/config/guide/1.4.1/b_Cisco_UCS_C-Series_GUI_Configuration_Guide_141_chapter_01011.html

What is the certificate format and do you have trust chain to your internal CA ?

Padma

Does Anyone know if you can use 2048 encryption instead of 1024? Our CA is only accepting 2048 CSRs. Thanks

Hello Edwin,

I checked latest version ( 1.5.1 )  of CIMC and CSR is generated with 1024 key size.

The feature request for higher key size is tracked via

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCud45759

I will check if there are any work around.

Padma

Hi Padma

Is there any update to this thread?  I have also just gotten burnt by this bug - purchased a (relatively cheap) SSL certificate for it only to find that the CSR isn't accepted because the key length isn't sufficient.

I also have a wildcard certificate but that isn't able to be imported either - so I'm a bit stuck in both ways.

Seems the certificate handling is not very fully featured.  Are there plans to address either of these two issues?

Thanks,

Reuben

 

Nope, still not working, checked with the latest version for C220 (1.5.4e) today .....

Why is the status set to "fixed" ????

...and more importantly, which versions is it "fixed in" ?  The bug page lists no versions.

Does TAC have access to supply a version with this fix?

I will follow up with Development Team and get back 

Thanks,

Vishal Mehta

Cisco TAC

Any update on this yet? I see ver.2.0(1a) is out now but can't see anything in the release notes about the key length. I'd appreciate of someone can confirm?

Thanks,

Johan

Hello All,

Sorry for the lack of clarity. 

The fix for defect CSCun04933 also address the issue described in CSCud45759

 

Following version of published firmware has the fix for these two defects

1.5.6 for M4 servers

2.0 for M3 servers

http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/release/notes/OL-32141-01.html#pgfId-616919

I have updated the defects and it should reflect the changes in few hours.

Thanks
Padma

Firmware - 1.5.6 has the fix. But it is only for C460 M4

 

For other C-Series platform we will have to wait for upcoming release 1.5.7x, which should be posted in the coming month.

 

 

Vishal Mehta
Beginner

I will follow up with Development Team and get back 

Thanks,

Vishal Mehta

Cisco TAC

Create
Recognize Your Peers
Content for Community-Ad