Go to main content

Oracle® ILOM Security Guide For Firmware Releases 3.x and 4.x

Exit Print View

Updated: May 2019
 
 

Obtain a Custom SSL Certificate and Private Key Using OpenSSLToolkit

This procedure is a simplified description on how to obtain a custom SSL Certificate using the OpenSSL toolkit. Your requirement to use a temporary self-signed or a certificate authority-signed certificate should be determined by your site administrator or security officer. In the event you do need to obtain a custom SSL certificate (temporary self-signed or certificate authority-signed), you can follow these example OpenSSL command-line instructions below.


Note - Oracle ILOM does not require you to use OpenSSL to generate SSL certificates. OpenSSL is used in this procedure for demonstration purposes only. Other tools are available for generating SSL certificates.

Note - If further OpenSSL instructions are required to generate the SSL certificate, you should consult the user documentation provided with the OpenSSL toolkit.
  1. Create a network share or local directory to store the certificate and private key.
  2. To generate a new RSA private key using the OpenSSL toolkit, type:

    openssl genrsa -out <foo>.key 2048

    Where <foo> equals the name of the private key.


    Note - This private key is a 2048 bit RSA key which is stored in a PEM format so that it is readable as ASCII text.
  3. To generate a certificate signing request (CSR) using the OpenSSL toolkit, type:

    openssl req -new -key <foo>.key -out <foo>.csr

    Where <foo> equals the name of the certificate signing request.


    Note - During the generation of the CSR, you will be prompted for several pieces of information.

    A <foo>.csr file should now appear in your current working directory.

  4. To generate an SSL certificate, perform one of the following:
    • Generate a temporary self-signed certificate (good for 365 days).

      The self-signed SSL certificate is generated from the server.key private key and server.csr files.

      Using the OpenSSL toolkit, type:

      openssl x509 -req -days 365 -in <foo>.csr

      -signkey <foo>.key -out <foo>.cert

      Where <foo> equals the name assigned to the private key (.key) or certificate (.cert).


      Note - This temporary certificate will generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted. If this error is unacceptable, you should request the Certificate Authority to issue you a signed certificate.
    • Obtain an officially signed certificate from a certificate authority provider.

      Submit your certificate signing request (<foo>.csr) to an SSL certificate Authority provider. Most certificate authority providers require you to cut and paste the CSR output in a web application screen. It can typically take up to seven business days to receive your signed certificate.

  5. Upload the new SSL certificate and private key to Oracle ILOM.

    See the following instructions, Upload a Custom SSL Certificate and Private Key to Oracle ILOM.