Skip to main content
Start a Conversation

This post is more than 5 years old

Solved!

Go to Solution

hudson8

98 Posts

121228

March 26th, 2013 20:00

replace the SSL certificate in Dell OMSA 7.2

My university is requiring me to replace the Dell SSL certificate in OMSA with a certificate from a CA.  We are using InCommon.

I generated a certificate request using Microsoft IIS,.  InCommon generated the certificate and  sent me back links to a variety of formats.

 as PKCS#7 Base64 encoded:
    Other available formats:
       as PKCS#7 Bin encoded:
       as X509, Base64 encoded: 
       as X509 Certificate only, Base64 encoded:
       as X509 Intermediates/root only, Base64 encoded:
       as X509 Intermediates/root only Reverse, Base64 encoded

Does anyone know what kind of certificate I need, and exactly how to install it in the apache server that runs Dell OMSA.

hudson8

98 Posts

April 7th, 2013 14:00

OK.  I have an answer.

As far as I can tell, the Dell OMSA interface itself does not work for importing intermediate certificates (returns an error) and can't be used to create a useful CSR (signing request) because you can't specify your own institutional parameters. Our CA would not authenticate the CSR request generated by the Dell OMSA interface, even if it would import new certificates (which it appears to fail at).

The easiest approach is to generate a CSR in Windows IIS, receive the authenticated certificate back from your CA, then export everything to a .pfx file (private key, end-entity certificate, intermediate and root certificates, extended attributes).

Use IBM's tool called keyman (download from www.ibm.com/developerworks).  Use the Windows version.

This can convert a .pfx file into an apache keystore in 3 easy steps.  1. Create a new keystore

2. Import the .pfx file 3.save the keystore.

Hints on the internet suggest keeping all the passwords the same-- pfx export, keystore, key, etc.

Edit the server.xml file in the apache server to use your new passwords.

Only downside is that your password will be text readable in the server.xml file.  In the original server.xml file Dell used system or java tools to hide the passwords.

DELL-Geoff P

990 Posts

March 27th, 2013 11:00

The certificates need to be in Base64 format.  To leverage a certificate from their CA, they will need to create a CSR from within the OMSA web interface.  This can be accessed through the Preference home page, then click the General Settings, click the Web Server tab, and then click on X.509 Certificate.

To create a CSR, leverage the Certificate Maintenance wizard.  Once the CSR has been created and submitted to the CA, the issued cert can be imported using the Import a certificate chain option.  This will ask for the issued certificate and a certificate for the issuing CA.

There  is a brief explanation of the X.509 Certificate Management options on Page: 39 of the OpenManage Server Administrator 7.2 User’s Guide, found here:

ftp://ftp.dell.com/Manuals/all-products/esuprt_electronics/esuprt_software/esuprt_ent_sys_mgmt/dell-opnmang-srvr-admin-v7.2_User%27s%20Guide_en-us.pdf

Regards,

hudson8

98 Posts

April 2nd, 2013 20:00

OK.  I have my certificate.  I looked at the documentation you referenced.  It is not helpful.  p24 (the reference to SSL certificates) seems to apply to remote enablement-- I'm not using that.   In fact, when I run the prerequisites for the OMSA install, it says that HTTPS listener is not installed, and asks if I want to install.  I say yes, but nothing happens.

But this does not affect OMSA

OMSA works fine, and is using a self-signed certificate which I'm trying to replace.

There are two available formats for Base64 encoded certificate that I can download from InCommon.

Certificate only, and Intermediate/root only.  I am logged in as local administrator.  I've tried both, but they both give me

an error.

ERROR! Import of dell.cer failed. Try again.

As a test, I exported the existing self-signed certificate, and tried to import that.  As root certificate and then as chain certificate.

Same error.  Also exported a working certificate from IIS on this server (.pfx format)

That would not import either.

Doesn't the inability to import the existing certificate imply that something is wrong with the interface for certificate management?  Have you actually succeeded in this.

Do you know how to do this using OpenSSL at the level of the Apache server?

Or where the error log is for OMSA certificate management.

Thank you.

Triplecrown

4 Posts

January 7th, 2014 12:00

I have just installed the OpenManage application and am also having trouble with SSL based hw monitoring.  Initially the certificate generated during installation specified the local machine name rather than the external domain name, although I was able to generate a new certificate once logged into OpenManage.  However, I cannot seem to find many browsers that will cooperate ; only some versions of IE8.  It would be nice if the OpenManage web UI would be compatible with Safari or Firefox also, not just IE.

hudson8

98 Posts

January 7th, 2014 14:00

Right. We gave up importing the correct certificates into OMSA every time we updated the version- the process is too complicated. I can't remember, now, back to when it worked. Is the issue related to using an IP address instead of a URL for the machine that is running the Apache web server? You've probably looked at that, so I guess that is not the problem.

Triplecrown

4 Posts

January 7th, 2014 14:00

Actually, I am finding that the very limited browser support is far more problematic than SSL certificate issues (SSL certificate issues can usually be worked around with various browser combos, that in this case, are not an option).

View More

View All

No Events found!

Top