Deploying customized server certificates to Lenovo XClarity Administrator

You can choose to generate a certificate signing request (CSR) for signing by your organization’s certificate authority or a third-party certificate authority. The CSR creates a full certificate chain that you can import and use in place of the unique default internally signed certificates.

Before you begin

Ensure that the certificate details include following requirements.

Key Usage must contain
- Key Agreement
- Digital Signature
- Key Encipherment
Enhanced Key Usage must contain
- Server Authentication (1.3.6.1.5.5.7.3.1)
- Client Authentication (1.3.6.1.5.5.7.3.2)

About this task

Attention

If NIST SP 800-131A is enabled (see Implementing NIST SP 800-131A compliance) and you are using or plan to use custom or externally signed certificates in an NIST, all certificates in the chain must be based on SHA-256 hashing functions.

When the server certificate is uploaded, XClarity Administrator attempts to provision the new CA certificate to all managed devices. If the provisioning process succeeds, XClarity Administrator begins using the new server certificate immediately. If the process fails, error messages are provided that direct you to correct any problems manually before applying the newly imported server certificate. After the errors are corrected, complete the installation of the previously uploaded certificate.

Note

If XClarity Administrator was already using a certificate signed by the same root authority, the CA does not need to be sent to devices, and XClarity Administrator begins to use the certificate immediately.

After uploading a certificate in XClarity Administrator v3.6 and earlier, new sessions are established using the new certificate without terminating the existing session. To see the new certificate in the current session, restart your web browser.

For XClarity Administrator v4.0 and later, the web server restarts and automatically terminates all browser sessions. To continue working in XClarity Administrator, you must log in again.

Procedure

To generate and deploy a customized externally signed server certificate to Lenovo XClarity Administrator, complete the following steps.

Create and download a certificate signing request (CSR) for XClarity Administrator.
1. From the XClarity Administrator menu bar, click Administration > Security to display the Security page
2. Click Server Certificate under the Certificate Management section to display the Server Certificate page.
3. Click the Generate Certificate Signing Request (CSR) tab.
4. Fill in the fields for the request.
  - Country or Region
  - State or Province
  - City or Locality
  - Organization
  - Organization Unit (optional)
  - Common Name
  Attention
  Select a common name that matches the IP address or hostname that XClarity Administrator uses to connect to the managed device. Failure to select the correct value might result in connections that are not trusted.
5. Optional: Customize, add, and delete subject alternative names in the X.509 subjectAltName extension when the CSR is generated. All subject alternative names that are listed in the table are validated, saved, and added to the CSR only after you generate the CSR in the next step.
  By default, XClarity Administrator automatically defines subject alternative names for the CSR based on the IP address and hostname that are discovered by the XClarity Administrator guest operating system's network interfaces.
  Attention
  The subject alternative names must include the fully-qualified domain name (FQDN) or IP address of the management server, and the subject name be set to the FQDN of the management server. Verify that these required fields are present and correct before beginning the CSR process to ensure that the resulting certificate is complete. Missing certificate data might result in connections that are not trusted when attempting to connect the XClarity Administrator instance to Lenovo XClarity Orchestrator.
  The name that you specify must be valid for the selected type.
  - directoryName (for example, cn=lxca-example,ou=dcg,dc=company,dc=com)
  - dNSName (for example, lxca-example.dcg.company.com)
  - ipAddress (for example, 192.0.2.0)
  - registeredID (for example, 1.2.3.4.55.6.5.99)
  - rfc822Name (for example, example@company.com)
  - uniformResourceIdentifier (for example, https://lxca-dev.dcg.company.com/example)
  Note
  All SANs that are listed in the table are validated, saved, and added to the CSR only after you generate the CSR in the next step.
6. Click Generate CSR File. The server certificate is displayed in the Certificate Signing Request dialog.
  Important
  Verify that the newly generated certificate contains the FQDN and IP address as part of the subject alternative names.
  If this XClarity Administrator instance is managed by XClarity Orchestrator, ensure that the generated certificated based on the CSR is configured to be used as both a server certificate and as a client certificate.
7. Click Save to File to save the server certificate to the host server.
Provide the CSR to a trusted certificate authority (CA). The CA signs the CSR and responds with a server certificate.
Upload the externally signed server certificate to XClarity Administrator. The certificate content must be a bundle containing the CA’s root certificate, any intermediate certificates, and the server certificate.
1. From the XClarity Administrator menu bar, click Administration > Security to display the Security page.
2. Click Server Certificate under the Certificate Management section.
3. Click the Upload Certificate tab.
4. Click Upload Certificate to display the Upload Certificate dialog.
5. Specify a certificate bundle file in PEM, DER or PKCS7 format, or paste the certificate bundle in PEM format.
6. Click Upload to upload the server certificate and store the certificate in the XClarity Administrator trust store.

Give documentation feedback