
Hub security certificates

Lenovo XClarity One Hub uses SSL/TLS certificates to establish secure, trusted communications between the hub and its managed devices, and between the hub and the users and external services that connect to it. By default, XClarity One Hub and the XClarity One portal use XClarity One-generated certificates that are issued by an internal, self-signed certificate authority.

Attention
Managing security certificates requires a basic understanding of SSL/TLS and X.509 certificates: what they are and how they are managed. For general information about public key certificates, see the X.509 article on Wikipedia and RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.

The default server certificate, which is generated uniquely in every instance of XClarity One Hub, provides sufficient security for many environments. You can let XClarity One Hub manage certificates for you, or you can take a more active role by customizing and replacing the server certificates. For example, you can:

  • Generate a new key pair by regenerating the internal certificate authority, the end server certificate, or both, using values that are specific to your organization.

  • Generate a certificate signing request (CSR), have it signed by the certificate authority of your choice, and upload the resulting certificate to the hub, where it is used as the end-server certificate for all of the hub's hosted services.

  • Download the server certificate to your local system so that you can import that certificate into your web browser's list of trusted certificates.

XClarity One Hub provides several services that accept incoming SSL/TLS connections. When a client, such as a web browser, connects to one of these services, the hub presents its server certificate so that the client can verify the hub's identity. The client maintains a list of certificates that it trusts. If the hub's server certificate is not in that list and does not chain to a certificate in it, the client disconnects from the hub to avoid exchanging any security-sensitive information with an untrusted source.

XClarity One Hub acts as a client when communicating with managed devices and external services. In that case, the managed device or external service presents its server certificate for the hub to verify. The hub maintains its own list of trusted certificates (the trust store). If the certificate presented by the managed device or external service is not in that list and does not chain to a certificate in it, the hub disconnects from the managed device or external service to avoid exchanging any security-sensitive information with an untrusted source.

Server certificate

During the initial boot, a unique key and self-signed certificate are generated. These serve as the default root certificate authority, which can be managed on the Certificate Authority page in the XClarity One Hub security settings. It is not necessary to regenerate this root certificate unless its key has been compromised or your organization has a policy that all certificates must be replaced periodically (see Regenerating the self-signed hub server certificate). Any certificate issued by the old root, including the default hub server certificate, no longer chains to the new root, so clients that trusted the old root must import the new one.

Also during initial setup, a separate key is generated and a server certificate is created and signed by the internal certificate authority. This certificate is used as the default hub server certificate. It is regenerated automatically whenever XClarity One Hub detects that its IP address, hostname, or domain name has changed, so that the certificate always contains the server's current addresses. It can also be customized and regenerated on demand (see Regenerating the self-signed hub server certificate). Because regeneration produces a new certificate, a browser that imported the previous server certificate will show certificate warnings again until the new one is imported.

You can use an externally-signed server certificate instead of the default self-signed server certificate by generating a certificate signing request (CSR), having the CSR signed by a private or commercial certificate authority, and then importing the full certificate chain (the signed server certificate together with any intermediate CA certificates and the root CA certificate) into the hub (see Installing a trusted, externally-signed hub server certificate).

If you choose to keep the default self-signed server certificate, it is recommended that you import the server certificate into your web browser as a trusted root authority to avoid certificate error messages in your browser (see Importing the hub server certificate into a web browser).

Device certificate chains

XClarity One Hub acts as a client when communicating with managed devices. In that case, the managed device presents its server certificate for the hub to verify. The hub maintains a list of certificates that it trusts. If the certificate presented by the managed device is not in that list and does not chain to a certificate in it, the hub disconnects from the managed device to avoid exchanging any security-sensitive information with an untrusted source.

XClarity One Hub can communicate with devices that use non-standard certificate configurations if you import the custom certificate authorities (CAs) and intermediate CAs into the hub's trust store, so that the hub trusts connections to those devices. The hub validates the intermediate CAs together with the root CA to ensure an unbroken chain of trust.

Note
  • The CAs can use any of the following signature algorithms: RSA, RSASSA-PSS, EC/ECDSA, DSA, and Ed25519/Ed448. DSA is a legacy algorithm; prefer RSA, ECDSA, or EdDSA for new CAs.

  • Each intermediate CA must be signed by the trusted root CA or by another intermediate CA in the chain.

  • You cannot upload intermediate CAs without the root CA, because the root CA is the trust anchor in which the chain must terminate.
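The CSR and full-chain workflow described under Server certificate, and the root-plus-intermediate validation rules in the note above, carried through with OpenSSL as an added example (this is not Lenovo code and not a hub command): it builds a hypothetical private CA with an issuing intermediate, signs a CSR for the hub, assembles the chain in the order the hub would receive it, and shows that validation succeeds when the root is present and fails when only the intermediate is supplied. The hostname xc1hub.example.internal, the address 192.0.2.10, and the CA names are placeholders, not values from the page.

```shell
#!/bin/sh
# Added example, not Lenovo code. Builds a hypothetical private CA (root plus an
# issuing intermediate), signs a hub CSR, assembles the full chain, and checks
# how chain validation behaves with and without the root CA.
# Placeholders: hub hostname, hub IP (TEST-NET-1), and CA names.
set -eu

WORK=$(mktemp -d)
HUB_FQDN=xc1hub.example.internal
HUB_IP=192.0.2.10

# Minimal OpenSSL config so the example does not depend on the system openssl.cnf.
cat > "$WORK/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[req_san]
subjectAltName = DNS:$HUB_FQDN,IP:$HUB_IP
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_int]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[v3_hub]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
subjectAltName = DNS:$HUB_FQDN,IP:$HUB_IP
EOF

# Create the CA hierarchy and the hub's certificate chain in $WORK, using P-256
# keys (one of the EC/ECDSA options the hub accepts for CAs).
build_pki() (
  cd "$WORK"
  openssl ecparam -name prime256v1 -genkey -noout -out root.key
  openssl req -new -x509 -key root.key -config pki.cnf -extensions v3_root \
    -subj "/CN=Example Private Root CA" -days 3650 -out root.pem
  openssl ecparam -name prime256v1 -genkey -noout -out int.key
  openssl req -new -key int.key -config pki.cnf -subj "/CN=Example Issuing CA" -out int.csr
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -extfile pki.cnf -extensions v3_int -out int.pem
  # The hub's private key never leaves the hub; only the CSR (with its SANs) goes to the CA.
  openssl ecparam -name prime256v1 -genkey -noout -out hub.key
  openssl req -new -key hub.key -config pki.cnf -reqexts req_san \
    -subj "/CN=$HUB_FQDN" -out hub.csr
  openssl x509 -req -in hub.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 825 -extfile pki.cnf -extensions v3_hub -out hub.pem
  # Full chain to upload: server certificate first, then intermediate(s), then root.
  cat hub.pem int.pem root.pem > hub-fullchain.pem
)

# Chain validation exit status: $1 trust anchor file, $2 untrusted intermediates,
# $3 leaf. Like the hub's trust store check, the chain must end in a trusted root.
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Same validation plus a hostname match against the leaf's subject alternative names.
hostname_ok() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
    -verify_hostname "$1" "$WORK/hub.pem" >/dev/null 2>&1
}

# Print the SANs of the issued hub certificate.
hub_sans() {
  openssl x509 -in "$WORK/hub.pem" -noout -ext subjectAltName
}

build_pki >/dev/null 2>&1

if chain_ok "$WORK/root.pem" "$WORK/int.pem" "$WORK/hub.pem"; then
  echo "root + intermediate: chain OK"
fi
# An intermediate on its own is not a trust anchor: the chain cannot terminate, so it is rejected.
if ! chain_ok "$WORK/int.pem" "$WORK/int.pem" "$WORK/hub.pem"; then
  echo "intermediate only: rejected (root CA missing)"
fi
if hostname_ok "$HUB_FQDN" && ! hostname_ok "other.example.internal"; then
  echo "SAN check: certificate is valid for $HUB_FQDN only"
fi
hub_sans
```

Run it wherever OpenSSL 1.1.1 or later is installed. hub-fullchain.pem in the scratch directory is the artifact you would import into the hub; in a real deployment the CSR is generated on the hub itself, and only the signed certificate and CA chain come back. The second check is the behaviour behind the rule that intermediates cannot be uploaded without their root, and the hostname check is why the hub regenerates its own certificate when its address changes.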

To add a certificate chain to the trust store, from the XClarity One Hub web interface, click Trust store from the context menu on the Security view, and click the Add icon. Follow the steps in the wizard to complete the import.

To delete a certificate chain from the trust store, on the Trust store view, select the certificate, and click the Delete icon. Devices whose certificates chain to a deleted CA are no longer trusted by the hub.