
Deploying customized server certificates to managed devices

You can deploy customized server certificates to managed devices by uploading and installing the externally-signed certificate bundle using the CMM and management controller for those devices.

Before you begin

Ensure that the latest firmware is installed on all managed devices (see Updating firmware on managed devices).

When generating a certificate signing request (CSR) for custom certificates, ensure that you select a common name that matches the IP address or hostname that is used to identify the device. Failure to select the correct value might result in connections that are not trusted.

Ensure that you obtain a certificate bundle that contains the entire signing chain, from the end-server certificate to the root (base) certificate of the trusted CA that can be used to verify the complete certificate chain of trust.

Do not change the Lenovo XClarity Administrator server certificate while a managed device is Offline. You must repair the connection before modifying Lenovo XClarity Administrator, otherwise additional steps might be required to repair the connectivity issues (see Resolving an untrusted server certificate).

About this task

This section contains recommendations for ensuring continued successful communication between Lenovo XClarity Administrator and the managed devices. For detailed instructions about how to generate a CSR and import a signed certificate, see your device documentation.

If Lenovo XClarity Administrator is managing one or more chassis, rack servers, and tower servers, and the default Lenovo XClarity Administrator internally signed certificates are currently installed on Lenovo XClarity Administrator and the managed devices, you can deploy customized server certificates.

If the externally signed server certificate is installed on the device before you attempt to manage the device with Lenovo XClarity Administrator, no additional steps are needed. To deploy a custom server certificate to devices that are already managed by Lenovo XClarity Administrator, you must perform one of the following steps to ensure continued connectivity between the management server and the managed devices.

Procedure

Complete one of the following options to deploy the customized externally signed server certificate to managed chassis or servers.

  • If Lenovo XClarity Administrator uses a certificate that is signed by the same certificate authority as the managed devices, perform the steps in Deploying customized server certificates to Lenovo XClarity Administrator before installing the certificates on managed devices. Installing the Lenovo XClarity Administrator certificate chain from the same CA first ensures that the certificate chain is in the Lenovo XClarity Administrator trust store and that Lenovo XClarity Administrator is able to trust the devices after the externally signed certificates are installed there.

  • Add the externally signed certificates in the CA signing chains to the Lenovo XClarity Administrator trust store.

    You must add the CA root certificate and all intermediate certificates, one at a time, to the Lenovo XClarity Administrator trust store. The order does not matter. Each certificate must be installed once, so if all devices use the same CA and intermediate certificates, then the CA and each intermediate certificate must be installed in the Lenovo XClarity Administrator trust store one time. If more than one CA or intermediate CA is used, ensure that each unique CA root certificate or intermediate certificate that is used in the signing chain of a managed device is imported by following these steps.

    Note
    Do not add the end, non-CA server certificates during these steps.

    Perform the following steps for each certificate in the bundle.

    1. From the Lenovo XClarity Administrator menu bar, click Administration > Security to display the Security page.

    2. Click Trusted certificates under Certificate Management in the left navigation.

    3. Click the Create icon to display the Add Certificate dialog.

    4. Specify a certificate file in PEM or DER format, or paste the certificate in PEM format.

    5. Click Create to create the certificate.

    After the CA signing chain is installed, Lenovo XClarity Administrator trusts connections to CIM servers on the CMM and management controller on which the externally signed server certificate is installed.

  • Import the externally signed certificates into the managed devices.

    Note
    If the necessary certificates are not present in the Lenovo XClarity Administrator trust store, connectivity is lost between Lenovo XClarity Administrator and the managed device. Perform the steps in Resolving an untrusted server certificate to repair the connection.
    Important
    This option involves temporary connectivity loss; therefore, one of the previous options is recommended.
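
For the option that adds the CA signing chains to the trust store, the following added example (not part of the Lenovo documentation) takes the certificate bundles of one or more devices and returns each unique CA root or intermediate certificate once, leaving out the end, non-CA server certificates. It reads the basicConstraints cA flag from the DER using only the Python standard library; the function names and the `ca-N.der` output file names are assumptions, and it does not verify signatures.

```python
import base64, re, sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # OID 2.5.29.19

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each DER element in buf[start:end]."""
    pos = start
    while pos < end:
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            stop = pos + (length & 0x7F)
            length, pos = int.from_bytes(buf[pos:stop], "big"), stop
        yield tag, pos, pos + length
        pos += length

def is_ca(der):
    """True when the basicConstraints extension is present with cA=TRUE."""
    _, cs, ce = next(children(der, 0, len(der)))      # Certificate
    _, ts, te = next(children(der, cs, ce))           # tbsCertificate
    for tag, s, e in children(der, ts, te):
        if tag != 0xA3:                               # [3] extensions only
            continue
        _, es, ee = next(children(der, s, e))         # SEQUENCE OF Extension
        for _, xs, xe in children(der, es, ee):
            parts = list(children(der, xs, xe))       # OID, [critical], extnValue
            if der[parts[0][1]:parts[0][2]] != BASIC_CONSTRAINTS:
                continue
            _, bs, be = next(children(der, parts[-1][1], parts[-1][2]))
            first = next(children(der, bs, be), None) # cA BOOLEAN, absent = FALSE
            return bool(first and first[0] == 0x01 and der[first[1]] != 0)
    return False                                      # no extensions: not a CA

def trust_store_imports(bundles):
    """Return (unique CA certificates as DER bytes, count of end certs skipped)."""
    cas, skipped = [], 0
    for body in PEM_RE.findall("\n".join(bundles)):
        der = base64.b64decode(body)
        if not is_ca(der):
            skipped += 1          # end, non-CA server certificate: do not add
        elif der not in cas:
            cas.append(der)       # each CA certificate is installed only once
    return cas, skipped

if __name__ == "__main__":        # usage: script.py device1-bundle.pem ...
    cas, skipped = trust_store_imports(open(p).read() for p in sys.argv[1:])
    for i, der in enumerate(cas, 1):
        open(f"ca-{i}.der", "wb").write(der)  # one file per Add Certificate upload
    print(f"{len(cas)} CA certificate(s) written, {skipped} end-entity skipped")
```

Each `ca-N.der` file can then be specified in the Add Certificate dialog, which accepts PEM or DER format.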