Regenerate Self-Signed Default SSL Certificate Issued By Oracle
As of firmware version 3.2.8, each Oracle ILOM ships with a unique self-signed Default SSL Certificate. The Default SSL Certificate is used by Oracle ILOM whenever a Custom SSL Certificate is not configured.
The unique Default SSL Certificate is initially generated at the factory with a unique host certificate fingerprint value. Oracle ILOM automatically regenerates a new version of the Default SSL Certificate and fingerprint whenever its configuration properties are reset to defaults. System administrators, at any time, can choose to replace the existing Default SSL Certificate and fingerprint with a newer version. For instructions for regenerating the Default SSL Certificate and fingerprint in Oracle ILOM, see the following information.
Before You Begin
- Admin (a) role is required to regenerate the Default SSL Certificate.
- By default, the Oracle ILOM Default SSL Certificate is generated with a 3072-bit key size. Optionally, you can change the default key size (3072) to either 2048 or 4096.
- All Oracle ILOM web interface and KVMS console user connections are immediately disconnected upon regenerating a new Default SSL Certificate.
- When the Default (self-signed) SSL Certificate is used in Oracle ILOM, additional certificate checks will take place to protect Oracle ILOM from man-in-the-middle attacks. For instance:
  - Oracle ILOM remote KVMS console users will be prompted to manually validate the self-signed SSL certificate prior to gaining access to the Oracle ILOM Remote System Console / Remote System Console Plus. To manually validate the self-signed SSL certificate, the user must ensure that the host fingerprint value on the Check Certificate Warning dialog box matches the host fingerprint value issued by Oracle. For additional information about validating the host fingerprint value assigned to the self-signed Default SSL Certificate, see Resolving Warning Messages for Self-Signed SSL Certificate in Oracle ILOM Administrator’s Guide for Configuration and Maintenance Firmware Release 5.0.x.
Note:
The host fingerprint value issued by Oracle appears on the Management Access > SSL Certificate web page and the Default Certificate CLI target (SP/services/https/ssl/default_cert).
  - A Video Redirection Error dialog box appears when a change to the original Default SSL Certificate and fingerprint is detected. In this case, the user can either edit the local host fingerprint file with the last fingerprint value issued by Oracle or remove the host fingerprint file from the local user directory. Otherwise, the user will be prevented from gaining access to the Oracle ILOM Remote System Console / Remote System Console Plus. For additional information for resolving the Video Redirection Error, see Resolving Warning Messages for Self-Signed SSL Certificate in the Oracle ILOM Administrator’s Guide for Configuration and Maintenance Firmware Release 5.0.x.
Note:
The Certificate Checks described above will not occur when a custom signed SSL Certificate is configured in Oracle ILOM. For instructions on how to obtain and upload a custom signed SSL Certificate, see these topics: Obtain a Custom SSL Certificate and Private Key Using OpenSSL Toolkit and Upload a Custom SSL Certificate and Private Key to Oracle ILOM.
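The manual fingerprint comparison described above can also be scripted on an administrator workstation, so that a regenerated or substituted certificate is caught before anyone accepts a warning dialog. This Python code is an added example, not Oracle code: the function names are hypothetical, the sample certificate bytes are constructed, and it assumes the recorded fingerprint is a SHA-1 or SHA-256 hash of the DER-encoded certificate (the page does not state which digest Oracle ILOM displays).

```python
import hashlib
import hmac
import ssl

# Digest length in bytes -> hash name. Which digest ILOM displays is an
# assumption; the length of the recorded value selects the algorithm.
_DIGESTS = {20: "sha1", 32: "sha256"}


def normalize(fp: str) -> bytes:
    """Turn 'AB:CD:..', 'ab cd ..' or 'abcd..' into raw digest bytes."""
    cleaned = "".join(ch for ch in fp if ch not in ": -\t\n")
    return bytes.fromhex(cleaned)  # raises ValueError on non-hex input


def cert_fingerprint(pem: str, algo: str) -> bytes:
    """Hash the DER encoding of the certificate, as TLS fingerprints do."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.new(algo, der).digest()


def matches_recorded(pem: str, recorded_fp: str) -> bool:
    """True only if the presented certificate hashes to the recorded value."""
    want = normalize(recorded_fp)
    algo = _DIGESTS.get(len(want))
    if algo is None:
        raise ValueError(f"unexpected fingerprint length: {len(want)} bytes")
    return hmac.compare_digest(cert_fingerprint(pem, algo), want)


def fetch_pem(host: str, port: int = 443) -> str:
    """Fetch the certificate the SP presents, without trusting it yet."""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    # Constructed stand-in for a certificate body (not a real certificate).
    body = b"constructed-default-cert"
    pem = ssl.DER_cert_to_PEM_cert(body)
    recorded = hashlib.sha256(body).hexdigest()
    print("match" if matches_recorded(pem, recorded) else "MISMATCH")
```

In use, the recorded value would be the fingerprint copied from the SSL Certificate page or the default_cert CLI target over a trusted path, and the PEM would come from `fetch_pem` against the service processor address.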
To regenerate the Default (self-signed) SSL Certificate in Oracle ILOM, follow these steps:
Related Information
- Modifying Default Management Access Configuration Properties (Table: SSL Certificate and Private Key Configuration Properties for HTTPS Web Server in the Oracle ILOM Administrator’s Guide for Configuration and Maintenance Firmware Release 5.0.x)