Unsolved

5 Posts

November 5th, 2018 08:00

Replace DellEMC OpenManage Enterprise self signed certificate

Hello

I have deployed DellEMC OpenManage Enterprise 3.0 build 990 into the environment.

One of the security requirements is to have the self signed certificate to be replaced with a real certificate.

What I did so far, without any success, was generated on an external Linux machine:

1. I generated a 2048-bit key

2. Generated a configuration file which has these configuration parameters. (Server specific names and Identifiers have been removed)

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = xxx

 

3. Received the cer file and extracted the server's cert (1.cer), the intermediate cert (2.cer) and the root cert (3.cer) into Base64 format

4. On the external Linux machine I compiled a file with the command

cat 1.cer initial_key_2048.key 2.cer 3.cer > all.cer

5. When I try to upload the "all.cer" file on the DOME machine I am getting an error:

OpenManage Enterprise

Error occurred while uploading SSL certificate

  • CSEC9002 - Unable to upload the certificate because the certificate file provided is invalid.

 

So far I have not been able to find any information in the documentation where I can read what the required configuration steps, certificate type, etc. are in regard to what DOME requires.

Is there any verified set of steps / certificate format tested out there where the exact steps required to replace the certificate are documented?

I have opened a support request with DellEMC support, however the support team is not very helpful.

Thank You

 

June 18th, 2020 05:00

I guess I replied to this and maybe saw where I was experiencing similar issues; the error code I am receiving is CSEC9002.

37 Posts

February 17th, 2021 05:00

If you, on your (Windows) computer, import the RootCA into "Trusted Root Certification Authorities", and if you have an intermediate CA, import that into "Trusted Intermediate Certification Authorities", it should be accepted in your browser.

OME itself doesn't include the root/intermediate CA etc. in the certificate it presents to your browser. But it includes the subject name of the issuer, and you have to have a trust on that one.

1 Message

January 18th, 2022 07:00

This issue seems to be still relevant, so I am posting here a solution that worked for me.

Check your certificate template's key usage extensions.

It appears that the key encipherment must be enabled (option to allow key exchange only with key encryption) for Dell OpenManage to accept the new cert. Otherwise I am getting the same error as you folks.

There is no need to paste root/inter certs into the public cert file. Just use the public cert in ASCII format (base64) that was output by your CA.

 

1 Message

February 13th, 2022 21:00

Sadly the clowns that work in Dell Technical support didn't exactly help here.

Solution for me was to boot the appliance with an alternative Linux distribution (I use systemrescuecd), mount the LVM root partition and replace the two files 'localhost.crt' and 'localhost.key' with the x509 wildcard cert and key respectively, which I already had signed before installing OpenManage.

For anyone still struggling with the garbage interface, this is the way I did it. Worked great.

1 Message

June 8th, 2022 04:00

Thanks man!  This solution worked for me!

June 10th, 2022 12:00

Confirmed, this worked for me as well.

 

However 2 catches:

1) In replacing the certs offline, it breaks SELINUX because you can't reset the SELINUX attributes in 'offline mode', and HTTPD cannot access the certificates

2) If you have a self-signed CA, it needs to get loaded manually, because you can't simply run 'update-ca-trust'

 

Booted to linuxrecoverycd.iso (added CDROM to the CentOS7 VM):

 

mkdir /mnt/LVRoot
sudo mount /dev/OMCAppVG/LVRoot /mnt/LVRoot

find . -name localhost.crt

	* should find /mnt/LVRoot/etc/pki/tls/certs/localhost.crt

find . -name localhost.key

	* should find /mnt/LVRoot/etc/pki/tls/private/localhost.key

 

 

 

cd /mnt/LVRoot/tmp

smbclient /// -U 
cd Certificates/ExtractedP12InBase64
get cachain.cer
get server.cer
get server.key
exit

mv /mnt/LVRoot/tmp/cachain.cer /mnt/LVRoot/etc/pki/ca-trust/source/anchors/PrivateCAChain.crt
mv /mnt/LVRoot/tmp/server.cer /mnt/LVRoot/etc/pki/tls/certs/localhost.crt
mv /mnt/LVRoot/tmp/server.key /mnt/LVRoot/etc/pki/tls/private/localhost.key

vim /mnt/LVRoot/etc/pki/ca-trust/source/anchors/PrivateCAChain.crt
	ggVG
	y
	:q!
chmod 666 /mnt/LVRoot/etc/pki/ca-trust/extracted/pem/*.pem
vim /mnt/LVRoot/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
	P
	
		Bag Attributes
			friendlyName: 
		subject=/CN=
		issuer=/CN=
	
		# 
	
	
		Bag Attributes
			friendlyName: 
		subject=/CN=
		issuer=/CN=
	
		# 
	
	
	gg
	V
	

2 Posts

November 3rd, 2022 07:00

Well, it's the end of 2022 and after 3 years there is still no support for ".,;-@#$%^&!*)(-+=<>?/:". Our company has a dash in the name, our team has a slash in the name. This is the first product I ever saw that has such problems with certificates.

I gave up on getting green https icon in address bar for OpenManage.

5 Posts

December 16th, 2022 01:00

I agree, this is very frustrating!

What ended up working for me was:

  • Application settings > Security > Certifications > Certificate Signing Request
    Had to use 2048 bit and not 4096 (otherwise the certificate would not work)
  • Now paste the CSR in Microsoft Active Directory Certificate Services, generate and download the base 64 cert.
  • Now upload the certificate into OME.

I did not use a wildcard SAN just ome.x.y.ca.

1 Message

December 13th, 2023 08:33

I was dealing with the same issue. In my case, I first generated a 4096-bit "Certificate Signing Request", copied the request code to our Microsoft PKI web interface and went through the wizard. At the end, I was able to download the certificate. My mistake was that I downloaded the certificate in the Microsoft default format, DER encoded, instead of Base 64. As Base 64 encoded, the import at the Dell OpenManage Enterprise console worked fine.
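
Added example, not part of any post in this thread and not Dell code: a pre-upload check in Python that compares a candidate file with the shape the replies above report as accepted (one Base64/PEM certificate, not DER, with no private key or CA chain pasted in). The function names are hypothetical and the sample data is constructed from placeholder bytes, not real certificates or keys.

```python
import base64
import re
import ssl

# Matches one PEM block and captures its label and Base64 body.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def lint_upload(data: bytes) -> list:
    """Compare an upload candidate with the file shape the replies describe."""
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        # A DER certificate is a raw ASN.1 SEQUENCE, so it starts with 0x30.
        return ["der-encoded"] if data[:1] == b"\x30" else ["no-pem-block"]
    findings = []
    labels = [label.decode() for label, _ in blocks]
    if any("PRIVATE KEY" in label for label in labels):
        findings.append("contains-private-key")
    if labels.count("CERTIFICATE") > 1:
        findings.append("multiple-certificates")
    if "CERTIFICATE" not in labels:
        findings.append("no-certificate-block")
    for label, body in blocks:
        try:
            base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append("bad-base64-in-" + label.decode())
    # Text outside the blocks, e.g. "Bag Attributes" left by a PKCS#12 export.
    if PEM_BLOCK.sub(b"", data).strip():
        findings.append("text-outside-pem-blocks")
    return findings

def der_to_pem(der: bytes) -> bytes:
    """Re-encode a DER certificate as Base64 (PEM); the content is unchanged."""
    return ssl.DER_cert_to_PEM_cert(der).encode("ascii")

def _pem(label: str, payload: bytes) -> bytes:
    """Build a constructed PEM block around placeholder bytes."""
    body = base64.encodebytes(payload).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n".encode()

# Constructed samples: placeholder payloads, not real certificates or keys.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)
LEAF = der_to_pem(FAKE_DER)
ALL_CER = (LEAF + _pem("PRIVATE KEY", b"k" * 48)
           + _pem("CERTIFICATE", b"i" * 60) + _pem("CERTIFICATE", b"r" * 60))

if __name__ == "__main__":
    for name, blob in [("leaf.pem", LEAF), ("leaf.der", FAKE_DER), ("all.cer", ALL_CER)]:
        print(name, lint_upload(blob) or "ok")
```

The check only looks at the container format; key size, key usage and subject characters, which other replies mention, still have to be inspected in the certificate itself.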

1 Message

January 8th, 2024 18:05

Anyone know if this has been fixed yet? My company has an & in the name and I'm pretty sure this is why the cert won't import. Only application I have ever seen that has had this issue.

Moderator

3.4K Posts

January 8th, 2024 18:57

Hello,

 

What is the OME version you are using?

I will have to check into this.

Could you please private message me any service tag for a server you may be managing with OME for me to include on my escalation?
