Client Certificate Management

This topic provides information about client certificate management.

Client certificates are classified as one of the following:
  • An XClarity Controller self-signed certificate.
  • A certificate generated from an XClarity Controller certificate signing request (CSR) and signed (externally) by a third-party CA.
A client certificate is required for communication with the SKLM server. The client certificate contains digital signatures for the CA and the XClarity Controller.
Note
  • Certificates are preserved across firmware updates.
  • If a client certificate is not created for communication with the SKLM server, the XClarity Controller HTTPS server certificate is used.
  • The function of the CA is to verify the identity of the XClarity Controller.
To create a client certificate, click the plus icon and select one of the following items:
  • Generate a New Key and a Self-Signed Certificate
  • Generate a New Key and a Certificate Signing Request (CSR)
The Generate a New Key and a Self-Signed Certificate action item generates a new encryption key and a self-signed certificate. In the Generate New Key and Self-Signed Certificate window, type or select the information in the required fields and any optional fields that apply to your configuration (see the following table). Click OK to generate your encryption key and certificate. A progress window is displayed while the self-signed certificate is being generated. A confirmation window is displayed when the certificate is successfully installed.
Note
The new encryption key and certificate replace any existing key and certificate.
Table 1. Generate a New Key and a Self-Signed Certificate.

| Field | Description |
|---|---|
| Country (1) | From the list item, select the country where the BMC physically resides. |
| State or Province (1) | Type the state or province where the BMC physically resides. |
| City or Locality (1) | Type the city or locality where the BMC physically resides. |
| Organization Name (1) | Type the company or organization name that owns the BMC. |
| BMC Host Name (1) | Type the BMC host name that appears in the web address bar. |
| Contact Person | Type the name of the contact person that is responsible for the BMC. |
| Email address | Type the email address of the contact person responsible for the BMC. |
| Organization Unit | Type the unit within the company that owns the BMC. |
| Surname | Type the surname of the person responsible for the BMC. This field can contain a maximum of 60 characters. |
| Given Name | Type the given name of the person responsible for the BMC. This field can contain a maximum of 60 characters. |
| Initials | Type the initials of the person responsible for the BMC. This field can contain a maximum of 20 characters. |
| DN Qualifier | Type the Distinguished Name Qualifier for the BMC. This field can contain a maximum of 60 characters. |

  1. This is a required field.

After the client certificate has been generated, you can download the certificate to storage on your XClarity Controller by selecting the Download Certificate action item.

The Generate a New Key and a Certificate Signing Request (CSR) action item generates a new encryption key and a CSR. In the Generate a New Key and a Certificate Signing Request window, type or select the information in the required fields and any optional fields that apply to your configuration (see the following table). Click OK to generate your new encryption key and CSR.

A progress window displays while the CSR is being generated and a confirmation window is displayed upon successful completion. After generation of the CSR, you must send the CSR to a CA for digital signing. Select the Download Certificate Signing Request (CSR) action item and click OK to save the CSR to your server. You can then submit the CSR to your CA for signing.

Table 2. Generate a New Key and a Certificate Signing Request.

| Field | Description |
|---|---|
| Country (1) | From the list item, select the country where the BMC physically resides. |
| State or Province (1) | Type the state or province where the BMC physically resides. |
| City or Locality (1) | Type the city or locality where the BMC physically resides. |
| Organization Name (1) | Type the company or organization name that owns the BMC. |
| BMC Host Name (1) | Type the BMC host name that appears in the web address bar. |
| Contact Person | Type the name of the contact person that is responsible for the BMC. |
| Email address | Type the email address of the contact person responsible for the BMC. |
| Organization Unit | Type the unit within the company that owns the BMC. |
| Surname | Type the surname of the person responsible for the BMC. This field can contain a maximum of 60 characters. |
| Given Name | Type the given name of the person responsible for the BMC. This field can contain a maximum of 60 characters. |
| Initials | Type the initials of the person responsible for the BMC. This field can contain a maximum of 20 characters. |
| DN Qualifier | Type the Distinguished Name Qualifier for the BMC. This field can contain a maximum of 60 characters. |
| Challenge Password | Type the password to the CSR. This field can contain a maximum of 30 characters. |
| Unstructured Name | Type additional information, such as an unstructured name that is assigned to the BMC. This field can contain a maximum of 60 characters. |

  1. This is a required field.

The CSR is digitally signed by the CA using the user's certificate processing tool, such as the OpenSSL or Certutil command-line tool. All client certificates that are signed using the user's certificate processing tool have the same base certificate. This base certificate must also be imported to the SKLM server so that all servers whose certificates were digitally signed by the user are accepted by the SKLM server.

After the certificate has been signed by the CA, you must import it into the BMC. Select the Import a Signed Certificate action item and select the file to upload as the client certificate; then, click OK. A progress window is displayed while the CA-signed certificate is being uploaded. A Certificate Upload window is displayed if the upload process is successful. A Certificate Upload Error window is displayed if the upload process is not successful.
Note
  • For increased security, use a certificate that is digitally signed by a CA.
  • The certificate that is imported into the XClarity Controller must correspond to the CSR that was previously generated.
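
The following is an added example, not part of the Lenovo documentation. Using the OpenSSL command-line tool named above, it signs a CSR with a CA, then checks before import that the signed certificate verifies against the CA (base) certificate and carries the same public key as the CSR. The lab CA, file names and subject values are constructed; in practice the CSR is the file downloaded from the XClarity Controller and the CA key is your own.

```shell
#!/bin/sh
# Added example. The lab CA, file names and subjects are constructed; a real CSR
# comes from "Download Certificate Signing Request (CSR)" on the BMC.

# make_lab DIR: create a throwaway CA plus a stand-in for the downloaded BMC CSR.
make_lab() {
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$1/lab.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -config "$1/lab.cnf" -days 30 \
        -subj "/O=Example Org/CN=Example Lab CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$1/lab.cnf" \
        -subj "/C=US/O=Example Org/CN=bmc01.example.test" \
        -keyout "$1/bmc.key" -out "$1/bmc.csr" 2>/dev/null
}

# sign_csr CSR CA_CERT CA_KEY OUT: the CA signs the CSR and writes the certificate.
sign_csr() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days 365 -sha256 -out "$4" 2>/dev/null
}

# chain_ok CA_CERT CERT: does the certificate verify against the CA (base) certificate?
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# csr_matches_cert CSR CERT: same public key in both, i.e. the certificate
# corresponds to the key pair that was generated together with this CSR.
csr_matches_cert() {
    csr_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    crt_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ]
}

# pre_import_check DIR: run the whole flow; prints OK only if both checks pass.
pre_import_check() {
    make_lab "$1" && sign_csr "$1/bmc.csr" "$1/ca.crt" "$1/ca.key" "$1/bmc.crt" &&
    chain_ok "$1/ca.crt" "$1/bmc.crt" && csr_matches_cert "$1/bmc.csr" "$1/bmc.crt" &&
    echo "OK: $1/bmc.crt is ready to import"
}

work=$(mktemp -d) && pre_import_check "$work"
```

A certificate that fails `csr_matches_cert` was issued for a different key pair than the one behind the CSR, which is the mismatch the note above rules out.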

After a CA-signed certificate is imported into the BMC, select the Download Certificate action item. When you select this action item, the CA-signed certificate is downloaded from the XClarity Controller and stored on your system.