Configure Third Party Certificate for UCS Central

Available Languages

Download Options

  • PDF     (794.5 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (629.7 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (875.3 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:April 20, 2024
Document ID:221913

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the best practice to configure a third-party certificate in Cisco Unified Computing System Central Software (UCS Central).

    Prerequisites

    Requirements

    Cisco recommends knowledge of these topics:

    • Cisco UCS Central
    • Certificate Authority (CA)
    • OpenSSL

    Components Used

    The information in this document is based on these software and hardware versions:

    • UCS Central 2.0(1q)
    • Microsoft Active Directory Certificate Services
    • Windows 11 Pro N
    • OpenSSL 3.1.0

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Configure

    Download the Certificate Chain from the Certificate Authority.

    1. Download the certificate chain from the Certificate Authority (CA).

    Download a Certificate Chain from CADownload a certificate chain from CA

    2. Set the encoding to Base 64 and download the CA certificate chain.

    Set the Encoding to Base 64 and Download the CA Certificate ChainSet the encoding to Base 64 and download the CA certificate chain

    3. Note that the CA certificate chain is in PB7 format.

    Certificate is in PB7 FormatCertificate is in PB7 format

    4. The certificate has to be converted to PEM format with OpenSSL tool. To check if Open SSL is installed in Windows use the command openssl version

    Check if OpenSSL is InstalledCheck if OpenSSL is installed

    Note:OpenSSL installation is out of the scope of this article.

    5.If OpenSSL is installed, run the command openssl pkcs7 -print_certs -in <cert_name>.p7b -out <cert_name>.pem to perform the conversion. Make sure to use the path were the certificate is saved.

    Convert the P7B Certificate to PEM FormatConvert the P7B certificate to PEM format

    Create the Trusted Point

    1. Click System Configuration icon > System Profile > Trusted Points.  

    UCS Central System ProfileUCS Central System ProfileUCS Central Trusted PointsUCS Central Trusted Points

    2. Click the + (plus) icon to add a new Trusted Point. Write a name and paste in the contents of the PEM certificate. Click Save to apply the changes.

    Copy the Certificate ChainCopy the certificate chain

    Creating Key Ring and CSR

    1. Click System Configuration icon > System Profile > Certificates.

    UCS Central System ProfileUCS Central System ProfileUCS Central CertificatesUCS Central Certificates

    2. Click the plus icon to add a new Key Ring. Write a name, leave the modulus with the default value (or modify if needed) and select the Trusted Point created before. After setting those parameters move to Certificate Request.

    Create a New Key RingCreate a new Key Ring

    3. Enter the necessary values to request a certificate and click Save.

    Enter the Details to Generate a CertificateEnter the details to generate a certificate

    4. Go back to the Key ring created and copy the certificate generated.

    Copy the Certificate GeneratedCopy the certificate generated

    5. Go to the CA and request a certificate.

    Request a Certificate from CARequest a certificate from CA

    6. Paste the certificate generated in UCS Central and in the CA select the Web Server and Client template. Click Submit to generate the certificate.

    Note: When generating a certificate request in Cisco UCS Central, ensure the resulting certificate includes SSL Client and Server Authentication key usages. If using a Microsoft Windows Enterprise CA, utilize the Computer template, or another appropriate template that includes both key usages, if the Computer template is unavailable.

    Generate a Certificate to use in the Key Ring createdGenerate a certificate to use in the Key ring created

    7. Convert the new certificate to PEM using the command openssl pkcs7 -print_certs -in <cert_name>.p7b -out <cert_name>.pem.

    8. Copy the contents of the PEM certificate and go to the Key ring created to paste the contents. Select the Trusted Point created and save the configuration.

    Paste the Certificate Requested in the Key RingPaste the certificate requested in the key ring

    Apply the Key Ring

    1. Navigate to System Profile > Remote Access > Keyring, select the Key ring created, and click Save. UCS Central closes the current session.

    Select the Key Ring CreatedSelect the key ring created

    Validation

    1. Wait until UCS Central is accessible and click in the lock next to https://. The site is secure.

    UCS Central is SecureUCS Central is secure

    Troubleshooting

    Check if certificate generated includes SSL Client and Server Authentication key usages.

    When the certificate requested to CA does not include the SSL Client and Server Authentication key usages an error saying "Invalid certificate. This certificate cannot be used for TLS server authentication, check key usage extensions" appears.

    Error about TLS Server Authorization KeysError about TLS Server Authorization Keys

    To verify if the certificate in PEM format created from the template selected in the CA has the correct Server Authentication key usages you can use the command openssl x509 -in <my_cert>.pem -text -noout. You must see Web Server Authentication and Web Client Authentication under the Extended Key Usage section.

    Web Server and Web Client Authorization Key in certificate requestedWeb Server and Web Client Authorization Key in certificate requested

    UCS Central is still flagged as an insecure site.

    Sometimes after configuring the Third Party Certificate the connection is still flagged by the browser.

    UCS Central is Still a Unsecure SiteUCS Central is a unsecure site still

    To verify if the certificate is being applied correctly, ensure the device trust the Certificate Authority.

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    20-Apr-2024
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Leonardo Jair Rosales Gonzalez
      Cisco Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products