Deploying customized server certificates to managed devices
You can deploy customized server certificates to managed devices by uploading and installing the externally-signed certificate bundle using the CMM and management controller for those devices.
Before you begin
Ensure that the latest firmware is installed on all managed devices (see Updating firmware on managed devices).
When generating a certificate signing request (CSR) for custom certificates, ensure that you select a common name that matches the IP address or hostname that is used to identify the device. Failure to select the correct value might result in connections that are not trusted.
Ensure that you obtain a certificate bundle that contains the entire signing chain, from the end-server certificate to the root (base) certificate of the trusted CA that can be used to verify the complete certificate chain of trust.
Do not change the Lenovo XClarity Administrator server certificate while a managed device is Offline.
You must repair the connection before modifying Lenovo XClarity Administrator, otherwise additional steps might be required to repair the connectivity issues (see Resolving an untrusted server certificate).
About this task
This section contains recommendations for ensuring continued successful communication between Lenovo XClarity Administrator and the managed devices. For detailed instructions about how to generate a CSR and import a signed certificate, see your device documentation.
If Lenovo XClarity Administrator is managing one or more chassis, rack servers, and tower servers, and the default Lenovo XClarity Administrator internally signed certificates are currently installed on Lenovo XClarity Administrator and the managed devices, you can deploy customized server certificate.
If the externally signed server certificate is installed on the device before the you attempt to manage the device by Lenovo XClarity Administrator, no additional steps are needed. To deploy a custom server certificate to devices that are managed under Lenovo XClarity Administrator management, you must perform one of the following steps to ensure continued connectivity between the management server and the managed devices.
Procedure
Complete one of the following options to deploy the customized externally signed server certificate to managed chassis or servers.
If Lenovo XClarity Administrator uses a certificate that is signed by the same certificate authority as the managed devices, perform the steps in Deploying customized server certificates to Lenovo XClarity Administrator before installing the certificates on managed devices. Installing the Lenovo XClarity Administrator certificate chain from the same CA first ensures that the certificate chain is in the Lenovo XClarity Administrator trust store and that Lenovo XClarity Administrator is able to trust the devices after the externally signed certificates are installed there.
Add the externally signed certificates in the CA signing chains to the Lenovo XClarity Administrator trust store.
You must add the CA root certificate and all intermediate certificates, one at a time, to the Lenovo XClarity Administrator trust store. The order does not matter. Each certificate must be installed once, so if all devices use the same CA and intermediate certificates, then the CA and each intermediate certificate must be installed in the Lenovo XClarity Administrator trust store one time. If more than one CA or an intermediate CA is used, ensure that each unique CA root certificate or intermediate certificate that is used in the signing chain of a managed device is imported the following these steps.
NoteDo not add the end, non-CA server certificates during these steps.Perform the following steps for each certificate in the bundle.
From the Lenovo XClarity Administrator menu bar, click to display the Security page.
Click Trusted certificates under Certificate Management in the left navigation.
Click the Create icon () to display the Add Certificate dialog.
Specify a certificate file in PEM or DER format, or paste the certificate in PEM format.
Click Create to create the certificate.
After the CA signing chain is installed, Lenovo XClarity Administrator trusts connections to CIM servers on the CMM and management controller on which the externally signed server certificate is installed.
Import the externally signed certificates into the managed devices.
NoteIf the necessary certificates are not present in theLenovo XClarity Administrator trust store, connectivity is lost between Lenovo XClarity Administrator and the managed device. Perform the steps in Resolving an untrusted server certificate to repair the connection. ImportantThis option involves temporary connectivity loss; therefore, one of the previous options is recommended.