Regenerate Self-Signed Default SSL Certificate Issued By Oracle

Language:

As of firmware version 3.2.8, each Oracle ILOM SP, CMM, and FMM ships with a unique self-signed Default SSL Certificate. The Default SSL Certificate is used by Oracle ILOM whenever a Custom SSL Certificate is not configured.

The unique Default SSL Certificate is initially generated at the factory with a unique host certificate fingerprint value. Oracle ILOM automatically regenerates a new version of the Default SSL Certificate and fingerprint whenever its configuration properties are reset to defaults. System administrators, at any time, can choose to replace the existing Default SSL Certificate and fingerprint with a newer version. For instructions for regenerating the Default SSL Certificate and fingerprint in Oracle ILOM, see the following information.

Before You Begin

Admin (a) role is required to regenerate the Default SSL Certificate.
Oracle ILOM firmware version 3.2.8 or later must be in use.
By default, the Oracle ILOM Default SSL Certificate is generated with a 3072 bit key size. Optionally, you can change default key size (3072) to either 2048 or 4096.
All Oracle ILOM web interface and KVMS console user connections are immediately disconnected upon regenerating a new Default SSL Certificate.
When the Default (self-signed) SSL Certificate is used in Oracle ILOM, additional certificate checks will take place to protect Oracle ILOM from man-in-the-middle attacks. For instance:
- Oracle ILOM remote KVMS console users will be prompted to manually validate the self-signed SSL certificate prior to gaining access to the Oracle ILOM Remote System Console / Remote System Console Plus. To manually validate the self-signed SSL certificate, the user must ensure that the host fingerprint value on the Check Certificate Warning dialog box matches the host fingerprint value issued by Oracle. For additional information about validating the host fingerprint value assigned to the self-signed Default SSL Certificate, see Resolving Warning Messages for Self-Signed SSL Certificate in Oracle ILOM Administrator’s Guide for Configuration and Maintenance Firmware Release 4.0.x.
  
  Note - The host fingerprint value issued by Oracle appears on the Management Access > SSL Certificate web page and the Default Certificate CLI target (/SP|CMM|FMM/services/https/ssl/default_cert)
- A Video Redirection Error dialog box appears when a change to the original Default SSL Certificate and fingerprint is detected. In this case, the user can either edit the local host fingerprint file with the last fingerprint value issued by Oracle or remove the host fingerprint file from the local user directory. Otherwise, the user will be prevented from gaining access to the Oracle ILOM Remote System Console / Remote System Console Plus. For additional information for resolving the Video Redirection Error, see, Resolving Warning Messages for Self-Signed SSL Certificate in Oracle ILOM Administrator’s Guide for Configuration and Maintenance Firmware Release 4.0.x
  
  Note - The Certificate Checks described above will not occur when a custom signed SSL Certificate is configured in Oracle ILOM. For instructions on how to obtain and upload a custom signed SSL Certificate, see these topics: Obtain a Custom SSL Certificate and Private Key Using OpenSSLToolkit and Upload a Custom SSL Certificate and Private Key to Oracle ILOM.

To regenerate the Default (self-signed) SSL Certificate in Oracle ILOM, follow these steps:

In the Oracle ILOM web interface, click ILOM Administration > Management Access > SSL Certificate.
The SSL Certificate page appears.
In the Default Certificate section of the SSL Certificate page, perform the following steps:
1. (Optional) To modify the Default SSL Certificate Key Size (3072), click the Key Size list box and select the appropriate key size.
2. To regenerate the Default SSL Certificate and the host fingerprint value, click Create.
  A message appears confirming that you want to regenerate a new Default SSL Certificate and fingerprint.
In the Confirmation Message dialog box, click OK to proceed.
View the Create SSL Certificate Results field to track the creation status.
For instance, one or more of the following status messages might appear:
- Running — This status message appears when Oracle ILOM is in the process of creating a new Default SSL Certificate and fingerprint.
  Upon creating the new Default SSL Certificate and fingerprint, all Oracle ILOM web interface and KVMS console user connections will be disconnected. KVMS and web interface users can immediately log in to Oracle ILOM after being disconnected.
- New Cert Has Been Created — This status message appears after a new Default SSL Certificate was generated by a user.
- Certificate Creation Failed —This status message appears when Oracle ILOM was unable to process the request to create a new Default SSL Certificate and fingerprint.
- (None) — This status message appears when the last Default SSL Certificate was generated by Oracle ILOM, or when a user changed the Default SSL Certificate key size in the ILOM CLI but did not regenerate the Default SSL Certificate.

Related Information

For Oracle ILOM CLI SSL Certificate properties, see SSL Certificate and Private Key Configuration Properties for HTTPS Web Server in Oracle ILOM Administrator’s Guide for Configuration and Maintenance Firmware Release 4.0.x