
Installing a customized, externally signed server certificate

You can choose to use a server certificate that was signed by a private or commercial certificate authority (CA).

Before you begin

Ensure that the root certificate authority is either one that is generated by your organization and used to sign certificates within that organization, or one that is commonly trusted and known worldwide (see List of Trusted Certifying Authorities webpage).

Ensure that the algorithms for the keys and signatures of the root CA certificate are supported. Only RSA-3072/SHA-384 and RSA-2048/SHA-256 signatures are supported. RSA-PSS signatures are not supported at this time.

Ensure that all managed devices have the latest firmware installed before starting any task that might impact connections between the managed devices. To upgrade firmware on managed devices, see Updating firmware on managed devices.

Ensure that XClarity Administrator is successfully communicating with all managed devices by clicking Hardware and then clicking the device type (Chassis or Server). A page is displayed with a tabular view of all managed devices of that type. If any device has a status of Offline, ensure that network connectivity is working between the management server and the device, and resolve untrusted server certificates if needed (see Resolving an untrusted server certificate).

About this task

When you install a customized, externally signed server certificate in XClarity Administrator, a baseboard management controller, or a CMM, you must provide the certificate bundle that contains the entire CA signing chain.

When you install a customized server certificate in a chassis or server that is not managed by XClarity Administrator, install the certificate bundle on the CMM before installing it on all management controllers in the CMM.

When you install a customized server certificate to a managed chassis, you first add the CA signing chain to the XClarity Administrator trust store, install the server certificate on every management controller and CMM, and then upload the server certificate to XClarity Administrator. Note that you can simplify this by adding all root CA certificates to the trust store instead of adding every certificate chain from every managed device. The number of imported certificates should equal the number of CA certificates (root CA certificates plus all intermediate CA certificates). For more information, see Deploying customized server certificates to managed devices.

You must add the CA root certificate and all intermediate certificates, one at a time, to the XClarity Administrator trust store. The order does not matter. Each certificate must be installed once, so if all devices use the same CA and intermediate certificates, then the CA and each intermediate certificate must be installed in the XClarity Administrator trust store one time. If more than one CA or intermediate CA is used, ensure that each unique CA root certificate or intermediate certificate that is used in the signing chain of a managed device is imported by following these steps.

Tip
If the new server certificate has not been signed by a trusted third party, the next time that you connect to XClarity Administrator, your browser displays a security message and dialog prompting you to accept the new certificate into the browser. To avoid the security messages, you can import a downloaded server certificate into your web browser's list of trusted certificates. For more information about importing server certificates, see Importing the Certificate Authority certificate into a web browser.
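The trust-store rules above (import each unique root or intermediate CA certificate once, and reject RSA-PSS signatures) can be checked before any import. The following is an added example, not Lenovo code: it reads only the signature-algorithm OID (it does not check RSA key size), assumes each PEM bundle lists the server certificate first, and uses constructed DER skeletons in place of real certificates; all function names are hypothetical.

```python
import base64, hashlib, re
RSA = bytes.fromhex("2a864886f70d0101")   # DER bytes of OID arc 1.2.840.113549.1.1
SIG_ALGS = {RSA + b"\x0b": ("sha256WithRSAEncryption", True),
            RSA + b"\x0c": ("sha384WithRSAEncryption", True),
            RSA + b"\x0a": ("RSASSA-PSS", False)}   # the page lists PSS as unsupported
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signature_algorithm(der):
    """Return (name, supported) for the certificate's outer signatureAlgorithm."""
    _, start, _ = read_tlv(der, 0)             # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, start)       # skip over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)   # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return SIG_ALGS.get(der[oid_start:oid_end], ("unrecognized", False))

def trust_store_plan(device_bundles):
    """Map SHA-256 fingerprint -> (name, supported), one entry per unique CA cert.
    Assumption: each PEM bundle lists the server certificate first, then its CAs."""
    plan = {}
    for bundle in device_bundles:
        for b64 in PEM_RE.findall(bundle)[1:]:   # [1:] skips the server certificate
            der = base64.b64decode(b64)
            plan.setdefault(hashlib.sha256(der).hexdigest(), signature_algorithm(der))
    return plan

def constructed_cert(alg_byte, label):
    """Constructed DER skeleton, not a real certificate: dummy tbs + algorithm OID."""
    tbs = b"\x30" + bytes([len(label) + 2]) + b"\x0c" + bytes([len(label)]) + label
    alg = b"\x30\x0d\x06\x09" + RSA + bytes([alg_byte]) + b"\x05\x00"
    body = tbs + alg + b"\x03\x02\x00\x00"     # empty placeholder signature
    der = b"\x30" + bytes([len(body)]) + body
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

# Constructed sample: three device bundles, two sharing one intermediate and root.
ROOT, INTER, PSS_CA = (constructed_cert(b, n) for b, n in
                       [(0x0c, b"root"), (0x0b, b"intermediate"), (0x0a, b"pss-ca")])
BUNDLES = [constructed_cert(0x0b, b"server-1") + INTER + ROOT,
           constructed_cert(0x0b, b"server-2") + INTER + ROOT,
           constructed_cert(0x0b, b"server-3") + PSS_CA]
```

Calling `trust_store_plan(BUNDLES)` yields three entries for the five CA certificates presented, which is the number of imports the trust store needs; the entry flagged `False` is the CA that must be reissued with a supported signature before import.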