Skip to main content

Installing a trusted, externally-signed XClarity Management Hub 2.0 server certificate

You can choose to use a trusted server certificate that was signed by a private or commercial certificate authority (CA). To use an externally-signed server certificate, generate a certificate signing request (CSR), and then import the resulting server certificate to replace the existing server certificate.

Considerations

Attention
  • If you install an externally-signed server certificate using a new root CA, the management hub loses its connection to the managed devices, and you must re-manage the devices. If you install an externally-signed server certificate without changing the root CA (for example, when the certificate is expired), there is no need to re-manage the devices.

  • If new devices are added after the CSR is generated and before the signed server certificate is imported, those devices must be restarted to receive the new server certificate.

As a best practice, always use v3 signed certificates.

The externally-signed server certificate must be created from the certificate signing request that was most recently generated for the management hub.

The externally-signed server certificate content must be a certificate bundle that contains the entire CA signing chain, including the CA’s root certificate, any intermediate certificates, and the server certificate.

If the new server certificate was not signed by a trusted third party, the next time that you connect to XClarity Management Hub 2.0, your web browser displays a security message and dialog prompting you to accept the new certificate into the browser. To avoid the security messages, you can import the server certificate into your web browser's list of trusted certificates (see Importing the XClarity Management Hub 2.0 server certificate into a web browser).

The web browser is refreshed automatically to accept the new certificate.

Installing a trusted, externally-signed server certificate

To generate and install an externally-signed server certificate, complete the following steps.

  1. Create a certificate signing request and save the file to your local system.

    1. Click Certificates from the context menu on the Security view.

    2. In the Generate Certificate Signing Request (CSR) panel, provide values in each field, and then click Generate CSR File.

      • Organization is typically the legally incorporated name of the company that owns the certificate. Include suffixes, such as Ltd., Inc., or Corp (for example, ACME International Ltd.).

      • Organization unit is the division in the company that owns the certificate (for example, ABC Division).

      • Common name is typically the fully-qualified domain name (FQDN) or IP address of the server that uses the certificate (for example, www.domainname.com or 192.0.2.0). The length of this value cannot exceed 63 characters.

      • You can customize the subject alternative names in the X.509 "subjectAltName" extension in the resulting CSR. If you provide one or more subject alternative names in the CSR, only the subject alternative names that you provided are stored in the CSR. You can provide subject alternative names for the following types. Ensure that the names that you specify are valid for the selected type. The specified subject alternative names are validated (based on the specified type) and added to the CSR only after you generate the CSR.

        • DNS (use the hostname or FQDN, for example, hostname.labs.company.com)
        • IP address (for example, 192.0.2.0)
        • email (for example, example@company.com)
        If no subject alternative names are provided, the default names and type from the management hub are used.
        • IP Address. Current management-hub IP address

        • DNS Name. Management-hub hostname

        • DNS Name. Management-hub FQDN, if the domain name is provided. Otherwise, this is empty.

        Attention
        The subject alternative names must include the hostname or fully-qualified domain name (FQDN), and IP address of the management hub, and the subject name be set to the hostname or FQDN of the management hub. Verify that these required fields are present and correct before beginning the CSR process to ensure that the resulting certificate is complete. Missing certificate data might result in connections that are not trusted when attempting to connect the management hub to Lenovo XClarity Orchestrator.
      Important
      • Before continuing, verify that the newly generated certificate contains the FQDN and IP address as part of the subject alternative names.

      • Ensure that the newly generated certificate is configured to be used as both a server certificate and as a client certificate.

  2. Provide the CSR to a trusted certificate authority (CA). The CA signs the CSR and returns a server certificate.

    Attention
    All subject alternative names that are stored in the CSR must be used for signing the CSR and generating the web certificate.
  3. Import the externally-signed server certificate and the CA certificate to XClarity Management Hub 2.0 to replace the current server certificate.

    1. In the Certificate signing request (CSR) panel, click Import certificate to display the Import certificate dialog.

    2. Insert the externally-signed server certificate, in PEM format. You must provide the entire certificate chain, beginning with the server certificate and ending in the root CA certificate.

    3. Click Import to store the server certificate in the management-hub trust store.

      Attention
      The subject alternative names that are stored in the CSR on the management hub must exactly match the subject alternative names stored in the server certificate being imported. If there is a mismatch (for example, if the IP address from the CSR/signed certificate is not the same with the one from the management hub), the importing and installing the server certificate will succeed, but might result in connections that are not trusted (such being unable to access the user interface).