SSL certificate handling

This topic provides information about the administration of certificates that can be used with the SSL security protocol.

The web, Redfish, and LDAP clients use the same certificate configuration. The SSL connection must be re-established whenever you change the SSL certificate configuration.

SSL can be used either with a self-signed certificate or with a certificate signed by a third-party certificate authority. Using a self-signed certificate is the most straightforward method for using SSL, but at the cost of a small security risk. The risk arises because the SSL client has no way of validating the identity of the SSL server for the first connection attempted between the client and server. It is possible that a malicious third party could impersonate the server and intercept data flowing between the XClarity Controller and the browser. If the self-signed certificate is imported into the browser's certificate store at the time of the initial connection between the browser and the XClarity Controller, all future communications will be secure for that browser (assuming the initial connection was not compromised by an attack).

After using the SSL Certificate Management page to generate a key pair and a self-signed certificate, SSL may be enabled.

For more complete security, use a certificate that is signed by a certificate authority (CA). To obtain a signed certificate:
  • Select Generate CSR (certificate signing request) from the Generate icon under SSL Certificate Management.
  • Fill in the required fields and select Generate.
  • After a self-signed certificate is generated, it will be shown in the SSL Certificate Management.
  • Select Download Certificate Signing Request (CSR) from the Download icon to download the signed certificate.
  • When the signed certificate is downloaded, select the Import Signed Certificate icon under CA Certificate Management to import it into the XClarity Controller.

The function of the CA is to verify the identity of the XClarity Controller. A certificate contains digital signatures for the CA and the BMC. If a well-known CA issues the certificate or if the CA's certificate has already been imported into the web browser, the browser will be able to validate the certificate and positively identify the BMC web server.

Note that SSL compares the XClarity Controller Host Name (or Common Name) in the certificate with the host name as seen by your web browser.
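The two client-side checks this topic relies on, as an added example that is not Lenovo code: comparing a certificate's fingerprint with one recorded out of band before a self-signed certificate is imported, and the host-name comparison described in the note above. The function names, the sample host name, and the sample certificate are assumptions constructed for illustration; the certificate dictionary has the shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import hashlib
import hmac
import ipaddress

def pin_matches(der: bytes, pinned_hex: str) -> bool:
    """True if the certificate's SHA-256 fingerprint equals one recorded out of band."""
    want = pinned_hex.replace(":", "").lower()
    return hmac.compare_digest(hashlib.sha256(der).hexdigest(), want)

def _dns_match(pattern: str, host: str) -> bool:
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        # A wildcard stands for exactly one left-most label.
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def name_matches(cert: dict, host: str) -> bool:
    """cert has the dict shape returned by ssl.SSLSocket.getpeercert()."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An address typed into the browser only matches an IP entry.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip
                   for k, v in san)
    names = [v for k, v in san if k == "DNS"]
    if not names:
        # Fall back to the Common Name when no DNS entry is present.
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(_dns_match(n, host) for n in names)

# Constructed sample data (not taken from a real controller).
SAMPLE_CERT = {
    "subject": ((("commonName", "xcc-node1.example.test"),),),
    "subjectAltName": (("DNS", "xcc-node1.example.test"),),
}
SAMPLE_DER = b"constructed stand-in for the DER bytes of a certificate"

if __name__ == "__main__":
    for host in ("xcc-node1.example.test", "192.0.2.10"):
        print(host, name_matches(SAMPLE_CERT, host))
```

With the sample certificate, reaching the controller by IP address fails the name check because the certificate names only the host name, which is the mismatch the note above describes.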