Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Solution Type: Technical Instruction Sure
Solution 2062526.1 : Use of intermediate SSL certificates with ILOM 3.x

Created from <SR 3-11080637111>

Applies to:
SPARC T4-1 - Version All Versions and later
Information in this document applies to any platform.

Goal
A customer is using a custom SSL (Secure Sockets Layer) key and SSL certificate. The custom SSL key and SSL certificate are loaded in the ILOM (Integrated Lights Out Manager), but browsers still display the message "Certificate Not Trusted". The SSL certificate received is signed by an intermediate CA (Certificate Authority). The question is how to configure or install an "SSL Certificate Chain File" in addition to the custom SSL key and SSL certificate.

Solution
SSL certificate chains are not configured separately. The SSL certificate and the SSL chain need to be in a single file (the SSL chain file is appended to the end of the SSL certificate file), which is then uploaded to the ILOM.

Example:

- Files
  - Certificate authority file: cafile = cacert.pem
  - Client certificate file: cert = mycert.pem
  - Private key file: key = mycert.key
- Add cafile to the end of the cert file
    # cat mycert.pem cacert.pem > cert_chain.pem
- Files
  - Certificate chain file: Chain = cert_chain.pem
- Load the custom key and certificate in the ILOM (via CLI or BUI)
  - Example (for ILOM 3.2)
    - CLI
        -> set /SP/services/https/ssl/custom_cert load_uri=[tftp|ftp|scp]://<ip-address/directory/filename>, filename = cert_chain.pem
        -> set /SP/services/https/ssl/custom_key load_uri=[tftp|ftp|scp]://<ip-address/directory/filename>, filename = mycert.key
    - BUI
      - Administration
        - Management Access
          - SSL Certificate
            - Customer certificate: filename = cert_chain.pem
            - Customer private key: filename = mycert.key

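
Added example (not part of the Oracle document): a check to run before the upload, confirming that the bundle starts with the certificate matching the private key and that each certificate is issued by the one after it. It relies on the standard openssl command line; the function names check_bundle and make_demo, the files ca.key, mycert.csr and wrong_order.pem, and the demo subject names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: pre-upload check for an ILOM certificate bundle (needs openssl).
# check_bundle BUNDLE KEY returns 0 = ok, 1 = first certificate does not match
# the key, 2 = a certificate is not issued by the next one, 3 = no certificate.
check_bundle() {
    bundle=$1 key=$2
    dir=$(mktemp -d) || return 3
    # Split the bundle into cert-1.pem, cert-2.pem, ... in file order.
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ {n++}
                     n {print > (d "/cert-" n ".pem")}' "$bundle"
    [ -f "$dir/cert-1.pem" ] || { rm -rf "$dir"; return 3; }
    # The first certificate must carry the public half of the private key.
    cert_pub=$(openssl x509 -in "$dir/cert-1.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] || { rm -rf "$dir"; return 1; }
    # Each certificate must name the following certificate as its issuer.
    i=1
    while [ -f "$dir/cert-$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$dir/cert-$i.pem" -noout -issuer | sed 's/^issuer= *//')
        subject=$(openssl x509 -in "$dir/cert-$((i + 1)).pem" -noout -subject | sed 's/^subject= *//')
        [ "$issuer" = "$subject" ] || { rm -rf "$dir"; return 2; }
        i=$((i + 1))
    done
    rm -rf "$dir"
    return 0
}

# Constructed demo input: a throwaway CA and server certificate in directory $1,
# plus the bundle from the document and a deliberately mis-ordered one.
make_demo() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out cacert.pem \
          -subj "/CN=Demo Intermediate CA" -days 1 &&
      openssl req -newkey rsa:2048 -nodes -keyout mycert.key -out mycert.csr \
          -subj "/CN=ilom.example.test" &&
      openssl x509 -req -in mycert.csr -CA cacert.pem -CAkey ca.key \
          -CAcreateserial -out mycert.pem -days 1 &&
      cat mycert.pem cacert.pem > cert_chain.pem &&
      cat cacert.pem mycert.pem > wrong_order.pem ) >/dev/null 2>&1
}

# Usage: sh check_bundle.sh cert_chain.pem mycert.key
if [ "$#" -eq 2 ]; then
    check_bundle "$1" "$2" && echo "bundle OK" || echo "bundle rejected (status $?)"
fi
```

Of the transfer schemes that load_uri accepts, only scp encrypts the private key in transit.
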
Bug 15582171 : SUNBT6871143 SSL - openssl docs recommend using chain function read certificate

Attachments: This solution has no attachment