Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10636
Views
10
Helpful
11
Replies

UCS KVM Certificate

Go to solution
mattpickering
Level 1
Level 1

‎03-22-2017 04:06 PM - edited ‎03-01-2019 01:07 PM

Hi there - 

We have a UCS, running 3.1(2e) firmware.   I've been able to install an ssl certificate on the https interface, so I'm not getting certificate errors on the login, however I'm still looking for a way to install a trusted certificate on the KVM sessions.  I can't seem to find any way to install a trusted certificate there. 

Anyone? 


Matt

7 people had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Wes Austin
Cisco Employee
Cisco Employee

‎03-22-2017 06:20 PM

Hey Matt,

I don't think you can accomplish this with the CIMC KVM IP address, since it may change, and trusted certificates typically rely on the DNS name vs the IP address. The certificates are generated with ip-address in subjectName/SubjectAltName and there is no DNS entry mapping available.

We are moving towards the HTML5 KVM and it should be available within the next major release.

HTH,

Wes

View solution in original post

11 Replies 11

Go to solution
Wes Austin
Cisco Employee
Cisco Employee

‎03-22-2017 06:20 PM

Hey Matt,

I don't think you can accomplish this with the CIMC KVM IP address, since it may change, and trusted certificates typically rely on the DNS name vs the IP address. The certificates are generated with ip-address in subjectName/SubjectAltName and there is no DNS entry mapping available.

We are moving towards the HTML5 KVM and it should be available within the next major release.

HTH,

Wes

Go to solution
mattpickering
Level 1
Level 1
In response to Wes Austin

‎03-22-2017 06:24 PM

I see, that makes some sense.  An HTML solution would be great.  

In the mean time, is there some way to disable the need for a certificate then?  Java doesn't play well with untrusted certificates, as I'm sure you're aware...

Matt

0 Helpful

Go to solution
TRITInfrastructure
Level 1
Level 1
In response to Wes Austin

‎11-21-2017 03:56 AM

Hi Wes,

 

Do you have any update on if this is possible yet?

 

Thanks,

Tobias

0 Helpful

Go to solution
Wes Austin
Cisco Employee
Cisco Employee
In response to TRITInfrastructure

‎11-21-2017 04:43 AM

3.1.3 and 3.2 releases introduce HTML5 KVM. You can use that moving forward if it will work better for you.

Go to solution
TRITInfrastructure
Level 1
Level 1
In response to Wes Austin

‎11-21-2017 04:57 AM

Hi Wes,

 

I'm still getting the certificate error, see image here - https://i.imgur.com/ljhnLl0.png

 

I can't see anywhere that I can apply my own self signed certificate, is this possible?

 

Thanks,

Tobias

0 Helpful

Go to solution
Pom Ham
Cisco Employee
Cisco Employee

‎09-04-2018 07:35 AM

There have been some changes since last time you posted the inquiry.

For the m5 series, 3.2(2x) has the enhancement to add self-signed cert to the cimc. For the m4 and m3 blades, it requires 4.0 our latest firmware.
Please see the bug below.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva19420/?reffering_site=dumpcr
0 Helpful

Go to solution
joeharb
Level 5
Level 5
In response to Pom Ham

‎10-18-2018 10:34 AM

I am trying to apply a certificate for the CIMC on M4 blades.  We generated a Certificate from our CA as a .pfx.  I have exported both the key and the cert from the .pfx.  I attempted change the certificate but a major error rose "Remote-Invocation-Error: Cannot send x509 information to bmc".

Does anyone have an better information on how to apply a CA signed certificate to the CIMC, this continually shows up on our Audit Scans.

 

Thanks,

 

Joe

 

0 Helpful

Go to solution
Pom Ham
Cisco Employee
Cisco Employee
In response to joeharb

‎10-22-2018 06:32 AM

Hi Joe,

 

What is the server firmware? It requires 4.0 for m4 series to use self signed cert. Please take a read on the link above. 

0 Helpful

Go to solution
joeharb
Level 5
Level 5
In response to Pom Ham

‎10-22-2018 06:41 AM

We are running version 4.0(1a).  I have read the documentation, but I am not clear on the process of generating the certificate.  I had a certificate generated in a .pfx form.  I exported the certificate and key and attempted to load on a blade.  The CIMC wouldn't boot.  Is there a specific type or format the certificate has to be?

 

Thanks,

 

Joe

 

0 Helpful

Go to solution
joeharb
Level 5
Level 5
In response to Pom Ham

‎10-22-2018 08:59 AM

We were provided a .pfx certificate, I assume this will need to be converted the an x.509?  I am able to export the private key as I know the password but I have not been able to provided the proper format.

It appears the cert and key are mandatory...

Please advise,

 

Joe

 

Preview file
39 KB
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents

Review Cisco Networking products for a $25 gift card