
Using XClarity Essentials OneCLI for certificate management

XClarity Essentials OneCLI manages Certificate Authority (CA) and Certificate Sign Request (CSR) files on BMC-based systems using the generate, import, export, and deletecert commands.

Before managing a certificate on the BMC, make sure that the corresponding certificate server is disabled by completing these steps:
  1. Verify that the BMC HTTPS Server Configuration for Web server is disabled using this command:
    OneCli.exe config show IMM.SSL_Server_Enable
  2. If the server is enabled, disable BMC HTTPS Server Configuration for Web Server using this command:
    OneCli.exe config set IMM.SSL_Server_Enable Disabled
  3. The BMC must be restarted before the selected value (enable / disable) takes effect. Use the command:
    onecli misc rebootbmc

Before using SSL Client Certificate Management, disable SSL Client Configuration for the LDAP Client first:
  1. Verify that the SSL Client Configuration for LDAP Client is disabled using this command:
    OneCli.exe config show IMM.SSL_Client_Enable
  2. If the value is enabled, disable the BMC SSL Client Configuration for LDAP using this command:
    OneCli.exe config set IMM.SSL_Client_Enable Disabled

After completing the steps noted above, users can use XClarity Essentials OneCLI to manage certificates on BMC.

The following procedure provides an overview of how to use the XClarity Essentials OneCLI config application and commands to:
  • View the status of a certificate setting
  • View the available commands for a setting
  • Generate a Certificate Sign Request (CSR)
  • Export a certificate sign request
  • Generate a self-signed certificate
  • Import a Certificate
  • Delete a certificate

Getting the status of the certificate setting

To view the status of a certificate setting, use this command:

OneCli.exe config show IMM.SSL_HTTPS_SERVER_CERT

An example of output:

IMM.SSL_HTTPS_SERVER_CERT=Private Key and CA-signed cert installed, Private Key stored, CSR available for download.

Getting the available commands for the setting

To view the available commands for a certificate setting, use this command:

OneCli.exe config showvalues IMM.SSL_HTTPS_SERVER_CSR

An example of output:

IMM.SSL_HTTPS_SERVER_CSR=*generate=export

IMM.SSL_HTTPS_SERVER_CSR is supported by the generate and export commands.
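
The prerequisite checks and the showvalues check described above can be combined into one pre-flight step. The following is an added example, not part of the original documentation or of OneCLI: it parses captured command output and returns the commands still to be run. It assumes that config show prints one NAME=value pair per line, as in the sample output on this page, and it checks both prerequisite settings regardless of which certificate is targeted; the function names and the sample config show text are constructed for illustration.

```python
# Added example: plan the prerequisite OneCLI commands from captured output.
# (setting, restart_needed): the page calls for a BMC restart only after
# changing the HTTPS web server setting.
PREREQS = [("IMM.SSL_Server_Enable", True), ("IMM.SSL_Client_Enable", False)]

# Constructed sample of `config show` output, in the page's NAME=value format.
SAMPLE_SHOW = "IMM.SSL_Server_Enable=Enabled\nIMM.SSL_Client_Enable=Disabled\n"
# `config showvalues` output quoted from the page.
SAMPLE_SHOWVALUES = "IMM.SSL_HTTPS_SERVER_CSR=*generate=export"


def parse_show(text):
    """Parse `config show` output (one NAME=value per line) into a dict."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and name.startswith("IMM."):
            settings[name] = value.strip()
    return settings


def supported_commands(showvalues_line):
    """List the commands named after the first '=' in `showvalues` output.

    A leading '*' is stripped; the page does not say what it marks.
    """
    _, _, values = showvalues_line.strip().partition("=")
    return [v.lstrip("*") for v in values.split("=") if v]


def plan(show_text, showvalues_line, command):
    """Return the commands to run before `command` may be issued."""
    if command not in supported_commands(showvalues_line):
        raise ValueError(f"{command!r} is not listed for this setting")
    current = parse_show(show_text)
    steps, reboot = [], False
    for name, restart_needed in PREREQS:
        if name not in current:
            # Fail closed: an unread setting is not assumed to be disabled.
            raise ValueError(f"{name} not found in output")
        if current[name].lower() != "disabled":
            steps.append(f"OneCli.exe config set {name} Disabled")
            reboot = reboot or restart_needed
    if reboot:
        steps.append("onecli misc rebootbmc")
    return steps


if __name__ == "__main__":
    for step in plan(SAMPLE_SHOW, SAMPLE_SHOWVALUES, "generate"):
        print(step)
```

An empty list from plan means both prerequisite settings already read Disabled and the requested command is listed for the setting.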

Generating a Certificate Sign Request (CSR)

To generate a Certificate Sign Request (CSR), use this command:

OneCli.exe config generate IMM.SSL_HTTPS_SERVER_CSR --file template.xml

The generate command requires an XML file, such as template.xml, for every setting that supports generate except SSH_SERVER_KEY. For more information about template.xml, see Template files for generate certificates. To generate a CSR, the specified XML file must contain "new_key_and_cert_sign_req_info".

A certificate sign request becomes a certificate only after it is signed by an independent certificate authority. Users can also use the config application to generate a self-signed certificate.

Generating a self-signed certificate

To generate a self-signed certificate, the specified XML file must contain "new_key_and_self_signed_cert_info". Use this command:

OneCli.exe config generate IMM.SSL_HTTPS_SERVER_CERT --file template.xml

Exporting a certificate sign request

To export a certificate sign request, use this command:

OneCli.exe config export IMM.SSL_HTTPS_SERVER_CSR --file tmp_csr.der

The tmp_csr.der file is saved in the current directory.

Users can export a certificate or certificate sign request. If a certificate sign request is signed by an independent certificate authority, it is a CA-signed certificate.

Importing a certificate

To import a certificate, first complete the step for exporting a certificate sign request, then have an independent certificate authority sign the request in the tmp_csr.der file. Users can import only a CA-signed certificate (not a self-signed certificate) into HTTPS Server Certificate Management.

The following two settings for SSL Client Certificate Management permit only CA-signed certificates to be imported:
  • SSL_LDAP_CLIENT_CERT
  • SSL_LDAP_CLIENT_CSR

These settings permit both self-signed and CA-signed certificates to be imported:
  • SSL_CLIENT_TRUSTED_CERT1
  • SSL_CLIENT_TRUSTED_CERT2
  • SSL_CLIENT_TRUSTED_CERT3

If a certificate already exists, it must be deleted before importing another certificate.

For more detailed information about how to use the config applications and commands for certificate management, refer to the individual command topics in this section.