Deploying customized server certificates to Lenovo XClarity Administrator

You can choose to generate a certificate signing request (CSR) for signing by your organization’s certificate authority or a third-party certificate authority. The CSR creates a full certificate chain that you can import and use in place of the unique default internally signed certificates.

About this task

Attention: If NIST SP 800-131A is enabled (see Implementing NIST SP 800-131A compliance) and you are using or plan to use custom or externally signed certificates in an NIST, all certificates in the chain must be based on SHA-256 hashing functions.

When the server certificate is uploaded, XClarity Administrator attempts to provision the new CA certificate to all managed devices. If the provisioning process succeeds, XClarity Administrator begins using the new server certificate immediately. If the process fails, error messages are provided that direct you to correct any problems manually before applying the newly imported server certificate. After the errors are corrected, complete the installation of the previously uploaded certificate.

Note: If XClarity Administrator was already using a certificate signed by the same root authority, the CA does not need to be sent to devices, and XClarity Administrator begins to use the certificate immediately.

After uploading a certificate in XClarity Administrator v1.1.0 and earlier, the web server restarted and automatically terminated all browser sessions. XClarity Administrator v1.1.1 and later begin using the new certificate without terminating existing sessions. Any new sessions are established using the new certificate. To see the new certificate in use, restart your web browser.

Procedure

To generate and deploy a customized externally signed server certificate to Lenovo XClarity Administrator, complete the following steps.

  1. Create and download a certificate signing request (CSR) for XClarity Administrator.
    1. From the XClarity Administrator menu bar, click Administration > Security to display the Security page
    2. Click Server Certificate under the Certificate Management section to display the Server Certificate page.
    3. Click the Generate Certificate Signing Request (CSR) tab.
    4. Fill in the fields for the request.
      • Country or Region

      • State or Province

      • City or Locality

      • Organization

      • Organization Unit (optional)

      • Common Name

      Attention: Select a common name that matches the IP address or hostname that XClarity Administrator uses to connect to the managed device. Failure to select the correct value might result in connections that are not trusted.
    5. Optional: Customize the Subject Alternative Names (SANs) that are added to the X.509 subjectAltName extension when the CSR is generated.

      By default, XClarity Administrator automatically defines Subject Alternative Names (SANs) for the CSR based on the IP address and hostname that are discovered by the XClarity Administrator guest operating system's network interfaces. You can customize, delete, or add to these SAN values.

      The name that you specify must be valid for the selected type:

      • directoryName (for example, cn=lxca-example,ou=dcg,dc=company,dc=com)

      • dNSName (for example, lxca-example.dcg.company.com)

      • ipAddress (for example, 192.0.2.0)

      • registeredID (for example, 1.2.3.4.55.6.5.99)

      • rfc822Name (for example, example@company.com)

      • uniformResourceIdentifier (for example, https://lxca-dev.dcg.company.com/example)

      Note: All SANs that are listed in the table are validated, saved, and added to the CSR only after you generate the CSR in the next step.
    6. Click Generate CSR File. The server certificate is displayed in the Certificate Signing Request dialog.
    7. Click Save to File to save the server certificate to the host server.
  2. Provide the CSR to a trusted certificate authority (CA). The CA signs the CSR and responds with a server certificate.
  3. Upload the externally signed server certificate to XClarity Administrator. The certificate content must be a bundle containing the CA’s root certificate, any intermediate certificates, and the server certificate.
    1. From the XClarity Administrator menu bar, click Administration > Security to display the Security page.
    2. Click Server Certificate under the Certificate Management section.
    3. Click the Upload Certificate tab.
    4. Click Upload Certificate to display the Upload Certificate dialog.
    5. Specify a certificate bundle file in PEM, DER or PKCS7 format, or paste the certificate bundle in PEM format.
    6. Click Upload to upload the server certificate and store the certificate in the XClarity Administrator trust store.