March 26th, 2013 20:00

replacing the SSL certificate in Dell OMSA 7.2

I am running Dell OMSA 7.2 on a Server 2008 R2 box. What kind of certificate do I need to generate, and how do I replace the certificate that Dell provides with a CA certificate?

I'm using InCommon for the certificate. I submitted the certificate request, they fulfilled it, and provided links for different formats.

as PKCS#7, Base64 encoded
    Other available formats:
       as PKCS#7, Bin encoded
       as X509, Base64 encoded
       as X509 Certificate only, Base64 encoded
       as X509 Intermediates/root only, Base64 encoded
       as X509 Intermediates/root only Reverse, Base64 encoded

Anyone know what format works and exactly how to install it?

98 Posts

April 7th, 2013 16:00

OK.  I have an answer.

As far as I can tell, the Dell OMSA interface itself does not work for importing intermediate certificates (returns an error) and can't be used to create a useful CSR (signing request) because you can't specify your own institutional parameters. Our CA would not authenticate the CSR request generated by the Dell OMSA interface, even if it would import new certificates (which it appears to fail at).

The easiest approach is to generate a CSR in Windows IIS, receive the authenticated certificate back from your CA, then export everything to a .pfx file (private key, end-entity certificate, intermediate and root certificates, extended attributes).

Use IBM's tool called keyman (download from www.ibm.com/developerworks).  Use the Windows version.

This can convert a .pfx file into an Apache keystore in 3 easy steps:

1. Create a new keystore.

2. Import the .pfx file.

3. Save the keystore.

Hints on the internet suggest keeping all the passwords the same-- pfx export, keystore, key, etc.

Edit the server.xml file in the Apache server to use your new passwords.

Only downside is that your password will be text readable in the server.xml file.  In the original server.xml file Dell used system or java tools to hide the passwords.

The other approach would be to use java keytool to create a new keystore, generate a CSR request, and import the certificate created by the CA (along with the CA's generic intermediate and root certificates) into the keystore also using keytool.  Much more complicated.

As for the initial question, the format is X509, Base64 for the end-entity certificate that the CA sends back to you.  The CA's generic intermediate and root certificates also need to be X509, Base64.
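The keytool route mentioned in the post above, written out as an added example that is not part of the original thread. It assumes `keytool` from a JRE is on the PATH and that the CA returned X509, Base64 files; the keystore path, alias, distinguished name, key size and file names are all placeholders.

```powershell
# Added example: every path, name and DN value below is a placeholder (assumption).
$store = 'C:\certs\omsa-keystore.jks'   # placeholder path for the new keystore
$alias = 'omsa'                         # placeholder alias for the server key pair
$dname = 'CN=server01.example.edu, OU=IT, O=Example University, L=City, ST=State, C=US'

function Invoke-Keytool {
    param([string[]]$KtArgs)
    # No -storepass/-keypass is passed, so keytool prompts for the passwords
    # instead of leaving them in the script, shell history or process list.
    & keytool @KtArgs
    if ($LASTEXITCODE -ne 0) { throw "keytool failed: $($KtArgs -join ' ')" }
}

# 1. Create the keystore with a new RSA key pair that carries your own DN.
Invoke-Keytool @('-genkeypair', '-alias', $alias, '-keyalg', 'RSA', '-keysize', '2048',
                 '-dname', $dname, '-keystore', $store, '-storetype', 'JKS')

# 2. Write the CSR (PKCS #10, Base64) to submit to the CA.
Invoke-Keytool @('-certreq', '-alias', $alias, '-file', 'omsa.csr', '-keystore', $store)

# 3. After the CA responds, import its root first, then the intermediate,
#    each under its own alias. keytool asks for confirmation before trusting the root.
$caCerts = [ordered]@{ 'ca-root' = 'root.cer'; 'ca-intermediate' = 'intermediate.cer' }
foreach ($entry in $caCerts.GetEnumerator()) {
    Invoke-Keytool @('-importcert', '-trustcacerts', '-alias', $entry.Key,
                     '-file', $entry.Value, '-keystore', $store)
}

# 4. Import the end-entity certificate under the SAME alias as the key pair.
#    keytool then treats it as the certificate reply and attaches the CA chain
#    to the private key; a different alias would store it as a bare trusted cert.
Invoke-Keytool @('-importcert', '-alias', $alias, '-file', 'server.cer', '-keystore', $store)

# 5. Check the result: the entry should be a PrivateKeyEntry whose chain runs
#    from the server certificate up to the CA root.
Invoke-Keytool @('-list', '-v', '-alias', $alias, '-keystore', $store)
```

If step 4 fails with a chain error, the intermediate or root imported in step 3 does not match the issuer of the returned certificate.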

19 Posts

July 26th, 2013 20:00

Here is the easiest way to do it, assuming you are running a CA on your domain.

1. In OpenManage Server Administrator, click on Preferences.

2. Click on General Settings.

3. Click on X.509 Certificate.

4. Choose Certificate Maintenance and click Next button.

5. Choose Certificate Signing Request (CSR) from the dropdown list and click Next button.

6. Copy the text in the box. It should read -------BEGIN NEW.....--------

7. Go to your CA https://servername.domain.local/certsrv/ and click on Request a certificate.

8. Click on advanced certificate request.

9. Click on Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

10. Paste copied request (in step 6) and choose Web Server under Certificate Template.

11. Click on Submit button, click Yes on the message.

12. Click on Download certificate chain and save it. It should be certnew.p7b file.

13. Go back to OpenManage Server Administrator and click X.509 Certificate link to go back to X.509 Certificate Management.

14. This time choose Import a certificate chain and click on Next button.

15. Click Browse, choose certnew.p7b file, click Open and click Import.

16. Click on Activate the new certificate button and click on Restart To Activate New Certificate button.

6 Posts

July 26th, 2016 10:00

I see this is an ancient post by today's standards (I am running OMSA 8.2.0), but I just came across it today and it is a WONDERFUL thing.  Followed it and everything worked flawlessly on my Dell PowerEdge M610 UNTIL I clicked Import :-(  At that point I received an error:


HTTP Status 403 - Accessing resource:/FCDF2041BFCE4608/UploadCertServlet is forbidden in remote connection scenario.

type status report

message Accessing resource:/FCDF2041BFCE4608/UploadCertServlet is forbidden in remote connection scenario.

description access to the specified resource has been forbidden

apache tomcat/8.0.21

This is a problem, as the M610 lives in a Dell M1000e chassis and there isn't really any 'real' way to be directly on the system, all servers go through the kvm on the chassis.

Any assistance on getting around this would be HUGELY appreciated!

19 Posts

July 26th, 2016 12:00

I am getting the same error on R710 when I use IE. Downloaded Chrome and it worked a charm from Chrome.

6 Posts

July 27th, 2016 08:00

How crazy is that?  IE and Firefox are no-go, but Chrome does indeed install the certs.  Thank you, one less self-signed certificate vulnerability on the list to fix.
