Issue
Working with self-signed and CA authority signed SSL certificates for the StruxureWare Data Center Expert appliance.
Product Line
StruxureWare Data Center Expert (DCE)
- Standard Appliance (AP9470)
- Enterprise Appliance (AP9475)
- Virtual Appliance (AP94VMACT)
StruxureWare Central (SWC)
InfraStruXure Central (ISXC)
Environment
StruxureWare Data Center Expert (all versions)
StruxureWare Central (all versions)
InfraStruXure Central (all versions)
Resolution
Viewing Current SSL Certificate Information
Self-Signed Certificates
CA Signed Certificates (Internal CA or 3rd-Party)
NOTE: You must be logged into the Data Center Expert desktop client as a user with Server Administrator privileges to be able to manage server web certificates. DCIM Support can only verify there are no issues with the protocol in Data Center Expert, and recommend consulting your Active Directory Administrators.
Data Center Expert | Tips for configuring Active Directory integration
Viewing Current SSL Certificate Information
DCE Desktop Client > System menu > Server Administration Settings > Server Access > Web Server tab.
- If the certificate is issued by a CA Authority other than Schneider Electric, the certificate will have different Issued By information.
Working With Self-Signed Certificates
When Data Center Expert is deployed, the appliance utilizes a self-signed certificate. Note: You may need to generate a new self-signed certificate to come up to 2048-bit encryption, if you upgraded from an older version before 2048-bit was the default.
Generating a New Self-Signed Certificate
1) Go to System > Server Administration Settings > Server Access. On the Web Server tab, click Modify Certificate.
2) Select Create new Self-Signed Certificate.
3) Edit the certificate parameters as needed, and click Next.
4) Click Finish to overwrite the default (or current) SSL certificate with a new, self-signed SSL certificate created by the server. You can log on to the server again after it finishes rebooting.
Create a Certificate Signing Request (CSR) to Send to a Certificate Signing Authority (CA)
1) Go to System > Server Administration Settings > Server Access. On the Web Server tab, click Modify Certificate.
2) Select Create Certificate Signing Request (CSR) and clickNext.
3) Edit the certificate parameters as needed and click Next.
Note: It is recommended to fill in all fields as some CA Authorities require all fields to process the CSR signing.
4) Copy the provided CSR text to a text file.
Note: Another CSR should not be created before a signed CSR is received back and Imported. Creating another CSR will generate a new private-key which will invalidate all previous CSRs.
5) Submit the CSR to your desired CA Authority (3rd-party or internal) for signing. You will receive back a signed SSL certificate, which may include a certificate chain (root cert, intermediary certificates, & signed SSL certificate for DCE)
Verifying the Certificate Format is Correct
1) Open the certificate in a plain-text notepad editor.
2a) If the file begins with "-----BEGIN CERTIFICATE-----", it is in the proper base-64 encoded format. Proceed to the determining if there is a certificate chain section below.
2b) If the file does not being with "-----BEGIN CERTIFICATE-----", then the file is in an unsupported DER binary format and needs to be converted.
3) Double-click on the certificate within Windows Explorer. This should launch a certificate details screen.
4) Go to the Details tab and click the Copy to File... button, then click Next.
5) Select Base-64 encoded X.509 (.CER) and click Next.
6) Click Browse... and provide the location and a name for the certificate file then click Save.
7) Click Next and then Finish. The certificate should now be saved in the location you provided with the name you provided, and be in the correct format for import. Proceed below to determining if you have a certificate chain.
Determining if a Certificate Chain is being used
1) Open the provided SSL Certificate (base-64 encoded format) in a notepad editor.
2) If there is only ONE section that has "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" skip to step X.
3) Go to System menu > Server Administration Settings > Server SSL Certificates.
4) Import all certificates from the certificate chain EXCEPT the first one, which should be the signed SSL certificate intended for the server itself. Click on Add... and paste in the Second section including the opening tag "-----BEGIN CERTIFICATE-----" and closing tag "-----END CERTIFICATE-----". Click Add.
Note: You can not import multiple certificates at once into the Server SSL Certificates Screen and must follow the steps above for each of the remaining certificates (excluding the first one).
Adding the Signed Server SSL Certificate into DCE
1) Go to System > Server Administration Settings > Server Access. On the Web Server tab, click Modify Certificate.
2) Select Add Certificate and clickNext.
3) Use Ctrl+V to paste a copy of the certificate in the text box. If there was only ONE certificate as determined above, you can use the Import Certificate to import the certificate from its text file, and click Next.
4) Click Finish to overwrite the current SSL certificate with the new SSL certificate. You can log on to the server again after it finishes rebooting.
