Unsolved
5 Posts
0
17649
Replace DellEMC OpenManage Enterprise self signed certificate
Hello
I have deployed DellEMC OpenManage Enterprise 3.0 build 990 into the environment.
One of the security requirements is to have the self signed certificate to be replaced with a real certificate.
What I did so far, without any success, was generated on an external Linux machine:
1. I generated 2048 key
2. Generated a configuration file which has these configuration parameters. (Server specific names and Identifiers have been removed)
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = xxx
3. Received the cer file and extracted the server's cert (1.cer), the intermediate cert (2.cer) and the root cert (3.cer) into Base64 format
4. On the external Linux machine I compiled a file with the command
cat 1.cer initial_key_2048.key 2.cer 3.cer > all.cer
5. When I try to upload the "all.cer" file on the DOME machine I am getting an error:
OpenManage Enterprise
Error occurred while uploading SSL certificate
- CSEC9002 - Unable to upload the certificate because the certificate file provided is invalid.
So far I have not been able to find any information in the documentation where I can read what the required configuration steps, certificate type, etc. are in regards to what DOME requires.
Is there any verified set of steps / certificate format tested out there where the exact steps required to replace the certificate are documented?
I have opened a support request with DellEMC support, however the support team is not very helpful.
Thank You
swants1234
2 Posts
0
June 18th, 2020 05:00
I guess I replied to this and maybe saw where I was experiencing similar issues; the error code I am receiving is CSEC9002.
Olainen
37 Posts
0
February 17th, 2021 05:00
If you, on your (Windows) computer, import the RootCA into "Trusted Root Certification Authorities", and if you have an intermediate CA, import that into "Trusted Intermediate Certification Authorities", it should be accepted in your browser.
OME itself doesn't include root/intermediate CA etc. in the certificate it presents to your browser. But it includes the subject name of the issuer, and you have to have a trust on that one.
Michal C
1 Message
1
January 18th, 2022 07:00
This issue seems to be still relevant so I am posting here a solution that worked for me.
Check your certificate template's key usage extensions.
It appears that the key encipherment must be enabled (option to allow key exchange only with key encryption) for Dell OpenManage to accept the new cert. Otherwise I am getting the same error as you folks.
There is no need to paste root/inter certs into the public cert file. Just use the public cert in ASCII format (base64) that was output by your CA.
Underphil
1 Message
1
February 13th, 2022 21:00
Sadly the clowns that work in Dell Technical support didn't exactly help here.
Solution for me was to boot the appliance with an alternative Linux distribution (I use systemrescuecd), mount the LVM root partition and replace the two files 'localhost.crt' and 'localhost.key' with the x509 wildcard cert and key respectively, which I already had signed before installing OpenManage.
For anyone still struggling with the garbage interface, this is the way I did it. Worked great.
dev-Phil
1 Message
0
June 8th, 2022 04:00
Thanks man! This solution worked for me!
DidYouTurnThePowerOffThenOnAGain
1 Message
0
June 10th, 2022 12:00
Confirmed, this worked for me as well.
However 2 catches:
1) In replacing the certs offline, it breaks SELINUX because you can't reset the SELINUX attributes in 'offline mode', and HTTPD cannot access the certificates
2) If you have a self-signed CA, it needs to get loaded manually, because you can't simply run 'update-ca-trust'
Booted to linuxrecoverycd.iso (added CDROM to the CentOS7 VM):
I looked into the SSH terminal, but without Dell, you can't generate the key to putty your way into the live server...
Of course SELINUX could be turned on if you could simply run restorecon.. Not recommended to run with it disabled, but, the server is internal only..
This would be SO MUCH EASIER if we could just upload a bloody PFX/P12 file and be done with it!
I even ran a test. I loaded my CA certs. Then I did a user-generated signing from the server, signed the cert using my CA, and tried to load the PEM. Nada. Still barks about the private key and CA or something (the error in this thread).
I'll stick with this method for now until Dell gets their stuff together.
marbaa
2 Posts
0
November 3rd, 2022 07:00
Well, it's the end of 2022 and after 3 years there is still no support for ".,;-@#$%^&!*)(-+=<>?/:". Our company has a dash in the name, our team has a slash in the name. This is the first product I have ever seen that has such problems with certificates.
I gave up on getting green https icon in address bar for OpenManage.
McMac33
5 Posts
1
December 16th, 2022 01:00
I agree, this is very frustrating!
What ended up working for me was:
Had to use 2048 bit and not 4096 (otherwise the certificate would not work)
I did not use a wildcard SAN just ome.x.y.ca.
Ruchli
1 Message
0
December 13th, 2023 08:33
I was dealing with the same issue. In my case, I first generated a 4096-bit "Certificate Signing Request", copied the request code to our Microsoft PKI web interface and went through the wizard. At the end, I was able to download the certificate. My mistake was that I downloaded the certificate in the Microsoft default format, DER encoded, instead of Base 64. As Base 64 encoded, the import at the Dell OpenManage Enterprise console worked fine.
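The replies above report three properties of a file that imported: Base64 rather than DER encoding (Ruchli), the server certificate alone without root/intermediate certificates (Michal C), and a key usage extension with key encipherment enabled (Michal C). The pre-upload check below is an added example, not part of any post and not Dell code; `check_upload` and `has_key_encipherment` are hypothetical helper names, it assumes the server certificate is the first CERTIFICATE block in the file, and it uses a minimal standard-library DER walk instead of a full X.509 parser.

```python
import base64, re, ssl

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
KEY_USAGE_OID = bytes.fromhex("0603551d0f")  # DER TLV for OID 2.5.29.15 (keyUsage)

def _tlv(buf, i):
    """Return (tag, value_start, value_end) for the DER element at offset i."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, i, i + length

def _children(buf, start, end):
    while start < end:  # yield every element stored between start and end
        tag, vs, ve = _tlv(buf, start)
        yield tag, vs, ve
        start = ve

def has_key_encipherment(der):
    """Certificate -> tbsCertificate -> [3] extensions -> keyUsage, bit 2."""
    try:
        _, s, e = _tlv(der, _tlv(der, 0)[1])  # step into tbsCertificate
        for tag, vs, _ in _children(der, s, e):
            if tag == 0xA3:  # [3] EXPLICIT wrapper around the extensions
                _, xs, xe = _tlv(der, vs)  # SEQUENCE OF Extension
                for _, es, ee in _children(der, xs, xe):
                    if der[es:es + 5] == KEY_USAGE_OID:
                        _, octets, _ = list(_children(der, es, ee))[-1]  # extnValue
                        _, bs, be = _tlv(der, octets)  # inner BIT STRING
                        return be - bs > 1 and bool(der[bs + 1] & 0x20)
    except IndexError:  # truncated or non-DER input
        pass
    return False

def check_upload(data):
    """Return (problems, leaf_pem) for the bytes of a candidate upload file."""
    blocks = PEM_BLOCK.findall(data)
    certs = [base64.b64decode(b) for label, b in blocks if label == b"CERTIFICATE"]
    is_der = not blocks and data[:1] == b"\x30"  # bare DER, no PEM armour
    if not certs and not is_der:
        return ["no certificate found"], None
    der = data if is_der else certs[0]  # assumption: server cert comes first
    checks = [
        (is_der, "file is DER encoded, not Base64"),
        (any(b"PRIVATE KEY" in label for label, _ in blocks), "file contains a private key"),
        (len(certs) > 1, "file contains chain certificates"),
        (not has_key_encipherment(der), "keyUsage does not assert keyEncipherment"),
    ]
    return [msg for bad, msg in checks if bad], ssl.DER_cert_to_PEM_cert(der)
```

Calling `check_upload(open("all.cer", "rb").read())` returns the list of findings and a Base64 copy of the first certificate only.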
sabel9579
1 Message
0
January 8th, 2024 18:05
Anyone know if this has been fixed yet? My company has an & in the name and I'm pretty sure this is why the cert won't import. Only application I have ever seen that has had this issue.
DELL-Charles R
Moderator
3.4K Posts
0
January 8th, 2024 18:57
Hello,
What is the OME version you are using?
I will have to check in to this.
Could you please private message me any service tag for a server you may be managing with OME for me to include on my escalation?