Topic: Avocent UMG: A Quick Guide - Self-Signed SSL Certificate for HTTPS This quick guide, designed for the Avocent Universal Management Gateway (UMG) Series, describes how to use generate a CSR and Private Key file to submit to a Certificate Authority (CA), and install a Certificate (.p12) on the Avocent UMG. It also provides information about how to install a Self-Signed Certificate to secure HTTPS connection and validate at the client-side PC, which you would ensure it is a correct identity. Figure 1: Replacing the Default UMG Root Certificate Figure 2: Import Third Party Certificate: Issuer and Certificate Equipment: Avocent Universal Management Gateway (UMG) Series installed firmware version 2.0.x or higher Linux machine installed OpenSSL 1.0.1e-fips (Feb 11, 2013) with 1.0.1e-30 package (Source: http://www.openssl.org ) Certificate Authority (CA) such as Microsoft Active Directory Certificate Services Instruction: Step 1: Generate a Certificate Signing Request ( CSR ) and Private Key file Open a SSH connection to a Linux machine installed OpenSSL as a root previlege account. Do the following commands to generate two (2) files - CSR and Private Key file. [root@sun-redhat ~]# openssl OpenSSL> req -new -nodes -keyout private.key -out public.csr Generating a 1024 bit RSA private key .........++++++ .........++++++ writing new private key to 'private.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. Country Name (2 letter code) [GB]: US State or Province Name (full name) [Berkshire]: Florida Locality Name (eg, city) [Newbury]: Sunrise Organization Name (eg, company) [My Company Ltd]: Technical Operation Center Organizational Unit Name (eg, section) []: Emerson Network Power Common Name (eg, your name or your server's hostname) []: UMG-TSLab.asc.local Email Address []: TechSupport@Avocent.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: ******** An optional company name []: ********* OpenSSL> exit IMPORTANT NOTE: The Common Name in this example is using a FQDN, please ensure the DNS Server is able to resolve it. Notice that the private.key and public.csr have been generated. Step 2: Submit a Request to a Certificate Authority (CA) 2.1 : Submit a Request For this example, we are submitting to a Microsoft Active Directory Certificate Services Web Portal. Open a Certificate Request Web Portal with your browser Note : Please contact your System Engineer/ System Administrator for this information. Select a Request a Certificate from a task list Click Advance Certificate Request Click the hyperlink Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file. Open the public.csr file (obtained from Step 1) with a Text Editor to copy only the TEXT content. In the Saved Request Text Field, paste the TEXT content here. Note : Make sure that there is no extra space/ line at the end. Click Submit button Note: Your certificate request has been received. However, you must wait for your System Administrator to issue the certificate you have requested. 2.2 : Download an Approved Certificate For this example, we are downloading from a Microsoft Active Directory Certificate Services Web Portal. Figure 3: Download approved certificate At the homepage of the Microsoft Active Directory Certificate Services Web Portal, click View the Status of a pending certificate request . If the certificate has been issued, you would see the Saved-Request Certificate (Data-Month-Time) link ready to download certificate(s). Click to download. For this example, we are selecting the DER encoded and download the .cer and . p7b file. Save the certnew.cer and certnew.p7b on your local hard drive. Note: This file contains Issued to , Issued by , Valid from/to , Public key , Thumbprint algorithm , and more. Step 3: Convert PKCS#7 (p7b) to PKCS#12 (p12) certificate for the Avocent UMG Appliance [root@sun-redhat ~]# openssl pkcs7 -in certnew.p7b -inform DER -out convertnewcert.pem -print_certs or [root@sun-redhat ~]# openssl x509 -in certnew.cer -inform DER -out convertnewcert.pem If you are using 64 BASE encoded certificate, [root@sun-redhat ~]# openssl pkcs7 -in certnew_64.p7b -inform PEM -out convertnewcert.pem -print_certs or [root@sun-redhat ~]# openssl x509 -in certnew_64.cer -inform PEM -out convertnewcert.pem Then, using a PEM certificate and private key to create NEW PKCS #12 certificate [root@sun-redhat ~]# openssl pkcs12 -export -inkey private.key -in convertnewcert.pem -name Emerson -out newcert4UMG.p12 [root@sun-redhat ~]# Enter Export Password: ******** Verifying - Enter Export Password: ******** Step 4: Install/ Import the Certificate on the Avocent Universal Management Gateway (UMG) To import a third-party certificate to Avocent UMG: From the side navigation bar, click Security . Under Third Party Certificate Import , enter and confirm the Certificate and key passphrase. Click Import . Browse to the certificate (.p12) file location and click Open . Click OK to confirm the correct format. Figure 4: Import Certificate supports only PKCS12 Format. Click Apply. Once the Certificate Import Success, click OK and Reboot the UMG appliance. Figure 5: Third Party Certificate Import Success Step 5: Install/ Import the Certificate on the client PC (for first time) using Internet Explorer (IE) Browser Login the Avocent UMG with FQDN , which is used when creating the CSR. Click Certificate Error Warring Icon to install a New Ceritificate (Figure 6). Click Install Certificate and place it in Trusted Root Certification Authorities (Figure 7). Accept/ Confirm the Security Warning Dialog (Figure 8). Close all browsers and re-open with the FQDN address. Note that the Certificate Error Warning is displayed as a Secured Lock icon ( Figure 9 ) . Click the Secured Lock Icon to review the Certificate Information (Figure 10). Figure 6: First-time, View and Install Certificate Figure 7: Install in Trusted Root Certification Authorities Figure 8: Validation for IE Figure 9: Validation: Certificate Status, both Issuer and Certificate are valid. Figure 10: Secured Connection I hope it helps to configure a Self-Signed SSL Certificate for Avocent UMG HTTPS Connection. Charkkrit Wattananusit
↧