November 5th, 2018 08:00

Replace DellEMC OpenManage Enterprise self signed certificate

Hello

I have deployed DellEMC OpenManage Enterprise 3.0 build 990 into the environment.

One of the security requirements is to have the self-signed certificate replaced with a real certificate.

What I did so far, without any success, was generated on an external Linux machine:

1. I generated a 2048-bit key

2. Generated a configuration file which has these configuration parameters. (Server specific names and Identifiers have been removed)

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = xxx

 

3. Received the cer file and extracted the server's cert (1.cer), the intermediate cert (2.cer) and the root cert (3.cer) into Base64 format

4. On the external Linux machine I compiled a file with the command

cat 1.cer initial_key_2048.key 2.cer 3.cer > all.cer

5. When I try to upload the "all.cer" file on the DOME machine I am getting an error:

OpenManage Enterprise

Error occurred while uploading SSL certificate

  • CSEC9002 - Unable to upload the certificate because the certificate file provided is invalid.

 

So far I have not been able to find any information in the documentation where I can read what the required configuration steps, certificate type, etc. are with regard to what DOME requires.

Is there any verified set of steps / certificate format tested out there where the exact steps required to replace the certificate are documented?

I have opened a support request with DellEMC support, however the support team is not very helpful.

Thank You

 

2 Posts

November 30th, 2018 06:00

Same issue in our environment.
In which format should we import the certificate?

11 Posts

December 2nd, 2018 06:00

I've run into the exact same problem myself.

 

I believe in my case it's an issue with Dell not allowing for commas in "Business Name" and "Department Name" fields of the certificate.

My business has a self signed portal but will only process CSRs or generate tickets that have the comma character in the Business name since it's "My Company, LLC".

 

Do you by chance have a comma or any other non-standard characters in either the "Business Name" or "Department Name" fields?

January 3rd, 2019 00:00

I'm not sure you can upload a private key that way.  Try generating your certificate using the GUI and then getting the resulting CSR signed.

If you need to change the fields in the certificate I believe the CA can choose to overwrite those.  Certainly our private CA enforces certain settings by just overwriting what was requested in the CSR.  It shouldn't matter.  I believe you upload the certificate in DER format.

7 Posts

January 3rd, 2019 04:00

Did you try with key first before the certificate?

Anyway, I've got "the same" problem. I've got my certificate, my company intermediate and my company rootCA. I made a chain, but get the same boring error:

"CSEC9002 - Unable to upload the certificate because the certificate file provided is invalid"

So what is the correct certificate format, which include internal intermediate and rootCA? Documentation doesn't say much :(

April 30th, 2019 08:00

Got same issue. Is there any way to upload custom certificate into OM Ent?

July 16th, 2019 08:00

I tried CER, PFX, DER Files and converted them in every possible way. No Chance.

 

@Anonymous: Can you please provide further information what format you want or/and how to change the self signed cert?

July 18th, 2019 11:00

Same.

5 Posts

August 8th, 2019 08:00

Has anyone found a solution to this yet?

1 Message

August 16th, 2019 15:00

It was dead simple when I did it last week.

On the appliance:
   Application Settings | Security | Certificates
   create the CSR

Upload the CSR to your CA of choice (I used digicert).

concatenate the server cert and the CA's Intermediate cert together:
  lin: cat server.pem chain.pem > server-chain.pem
  win: copy server.pem + chain.pem server-chain.pem
  or: just paste them together in your editor of choice

upload server-chain.pem to the appliance

* not all CAs have intermediate certs (also called a chain cert)
   if you don't have one, just the server cert will work
   you do not need to cat in the trusted root cert

server-chain.pem should look like this:
-----BEGIN CERTIFICATE-----
...multiple 64 byte long lines of base64 text...
...the last line will probably be shorter...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...multiple 64 byte long lines of base64 text...
...the last line will probably be shorter...
-----END CERTIFICATE-----
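
Added example (not part of the original posts and not Dell's code): a stdlib-only Python preflight for the bundle described in the post above. It reports any non-certificate block such as a private key, a self-issued (root) certificate, and a chain that is out of order. The names check_bundle, sample_pem and the sample subjects are hypothetical; the appliance's own validation rules are not documented in this thread, so a clean result does not guarantee the upload is accepted.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _tlv(buf, pos):                     # one DER element: (tag, content_start, content_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER issuer and subject Name fields of a certificate."""
    _, pos, _ = _tlv(der, 0)            # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)          # tbsCertificate SEQUENCE
    raw = []
    while len(raw) < 5:                 # serial, sigAlg, issuer, validity, subject
        tag, _, end = _tlv(der, pos)
        if tag != 0xA0:                 # skip the optional [0] version field
            raw.append(der[pos:end])
        pos = end
    return raw[2], raw[4]

def check_bundle(text):                 # expects "server cert, then intermediates"
    blocks, prev_issuer = PEM_BLOCK.findall(text), None
    problems = [] if blocks else ["no PEM blocks found (binary DER or PFX input?)"]
    for i, (label, body) in enumerate(blocks, 1):
        if label != "CERTIFICATE":      # e.g. RSA PRIVATE KEY, CERTIFICATE REQUEST
            problems.append(f"block {i}: {label} does not belong in the upload")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
            issuer, subject = issuer_and_subject(der)
        except (ValueError, IndexError):
            problems.append(f"block {i}: not a parseable certificate")
            continue
        if issuer == subject:
            problems.append(f"block {i}: self-issued (root or self-signed), not needed")
        if prev_issuer is not None and subject != prev_issuer:
            problems.append(f"block {i}: does not issue the previous certificate (order?)")
        prev_issuer = issuer
    return problems

def sample_pem(issuer, subject):        # constructed stand-in, not a real signed certificate
    der = lambda tag, content: bytes([tag, len(content)]) + content  # short lengths only
    name = lambda cn: der(0x30, der(0x0C, cn.encode()))
    tbs = der(0xA0, b"\x02\x01\x02") + der(0x02, b"\x01") + der(0x30, b"") \
        + name(issuer) + der(0x30, b"") + name(subject)
    body = base64.b64encode(der(0x30, der(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

Read the file to upload and pass its text to check_bundle; an empty list means the bundle has the shape shown above.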

 

8 Posts

August 22nd, 2019 12:00

We are trying to set up the certificates for our OME appliance, but when we put our Company into the Business Name field, it says CGEN60002. Our company name contains a comma, such as in Contoso, Ltd. Normally this can be solved by escaping the comma using \ or \\\ but it fails on your application. We are running the latest version.

2.9K Posts

August 22nd, 2019 14:00

Hello,

I had a conversation with one of our systems management escalation resources about your specific issue, Gatoken. He's actually working the same issue for another customer. He said that special characters are unsupported in the CSR. He had mentioned that this may go to engineering, so it could change in future releases. I just wouldn't necessarily plan on a specific update changing this until I see some documentation indicating that it is. We both looked for escape character possibilities, but didn't find anything of value.

From the manual:

"Do not use special characters or shift characters in the Organization or Organization Unit level. These characters are unsupported. This includes the following: “.,;-@#$%^&!*)(-+=<>?/:  "

1 Message

September 17th, 2019 11:00

How about putting a web interface option to upload a PFX file to the appliance and let it sort out what it needs to do?

You know, for those of us that are not able to "linux", or already have certs like wildcards or purchased certs with the correct names and want to re-use them.

1 Message

October 8th, 2019 06:00

Any updates on this?

Thanks

18 Posts

April 22nd, 2020 11:00

I think I found an answer.

After the certificate is created by your Windows CA, download the cert as "p7b" format.  Then double-click on it, go to Certificates folder, double click on your portal's certificate, click on Details tab, click "Copy to File...", save it as "Base-64" format, then upload this file to the appliance.

June 18th, 2020 00:00

I'm getting this issue.  When I generate the CSR using the webui it does appear to generate a 1024 bit request.  My CA requires that they be 2048 bit so unless I can generate offline.  Furthermore my CA will rewrite the organization and other fields (minus the common name) to conform with policy. I'm not really certain how I get around this issue.    Simply creating the PEM does not function for the appliance, but every other server I've done this for does not experience this problem.
