Regenerate Expired Cisco UCS Certificate

The default (self-signed) UCSM keyring certificate must be manually regenerated if the cluster name changes or the certificate expires. The default certificate is valid for one year. Ideally you have replaced the default certificates but if you haven’t then you will see the following Major alert in UCS Manager when the certificate expires :

Screen Shot 2018-02-07 at 7.49.34 PM

The fix is pretty simple. This process doesn’t cause any cluster outage or downtime but ensure you have a valid change raised in your change management system.

Here are the steps:

  • Make sure Fabric Interconnects have correct time settings. It is best if they are synchronized with NTP server. This can be checked in UCS Manager.  Go to Admin tab then ‘All’ dropdown and pick Timezone Management. Details for NTP will be in there.
  • If all looks well then SSH to the UCS Manager Cluster IP of the UCS Domain. Make sure the user has admin credentials. If you are using the local admin account the following syntax might need to be used
  • Putty Session
login as: ucs-local\admin
Cisco UCS 6100 Series Fabric Interconnect
Using keyboard-interactive authentication.
Password:xxxxxxxx
  • Mac Terminal Session
ssh ucs-local\\admin@192.16060.1
Cisco UCS 6100Series Fabric Interconnect
Password:xxxxxxxxx
  • Once logged in run the following commands to regenerate the certificate
dev1-ucs-1-B# scope security
dev1-ucs-1-B /security # scope keyring default
dev1-ucs-1-B /security/keyring # set regenerate yes
dev1-ucs-1-B /security/keyring* # commit-buffer 
  • After you issue ‘commit-buffer‘ command, all GUI sessions will be disconnected. Log back onto the UCSM and accept new certificate. The Major error should be gone but it can take a few minutes to disappear
  • To verify the new certificate is validated it can be checked by running the following in putty or terminal
dev1-ucs-1-B /security/keyring* # scope security
dev1-ucs-1-B /security* # show keyring detail
  •  If the certificate has been generated correctly the you should get something similar to the following output
dev1-ucs-1-B /security* # show keyring detail
Keyring default:    
    RSA key modulus: Mod1024    
    Trustpoint CA:    
    Cert Status: Self Signed Certificate    
    Certificate:    
    Data:        
         Version: 3 (0x2)        
         Serial Number:            
         ec:6d:02:ca:1b:96:4c:2e        
    Signature Algorithm: sha1WithRSAEncryption        
    Issuer: CN=dev1-ucs-1-b        
    Validity            
       Not Before: Jun 18 13:35:49 2015 GMT            
       Not After : Jun 17 13:35:49 2016 GMT        
    Subject: CN=dev1-ucs-1-b        
    Subject Public Key Info:            
       Public Key Algorithm: rsaEncryption            
       RSA Public Key: (1024 bit)                
        Modulus (1024 bit):                    
          00:c5:c2:b8:d6:8b:06:e3:9a:3a:4b:d2:cf:e3:58:                    
          45:31:d9:e1:ef:0d:4b:ba:42:98:90:52:46:d3:a1:                    
          8b:a8:a5:97:6e:fe:1d:df:34:82:21:73:b0:20:1b:                    
          8e:da:eb:a3:5d:13:46:d0:fe:f8:91:f8:1d:0d:6f:                    
          41:2f:23:dc:96:47:9f:f2:5e:df:5a:08:94:3f:2c:                    
          1d:c8:d1:35:ce:83:5e:03:d3:9c:a7:81:0c:67:3b:                    
          d8:1f:94:43:46:d9:8b:0e:dc:f6:d9:41:4e:d4:64:                    
          bc:12:67:82:78:f0:00:71:6e:ef:a9:38:cb:f9:c0:                    
          3c:f6:cd:15:66:48:94:59:99                
           Exponent: 65537 (0x10001)        
     X509v3 extensions:            
       X509v3 Subject Alternative Name: critical                
         DNS:dev1-ucs-1-b.dev.local, IP Address:192.168.60.1, IP Address:192.168.60.2, IP Address:0:0:0:0:0:0:0:0    
    Signature Algorithm: sha1WithRSAEncryption
        b7:d9:64:41:24:08:cc:45:2d:a3:4e:c9:66:96:dc:1b:40:8d:        
        ad:1b:72:55:0f:70:93:d1:a4:77:65:be:9d:d7:d4:00:b6:de:        
        34:03:d4:c7:a2:01:7d:65:7f:ba:8f:95:d1:0e:ee:bf:eb:b4:        
        18:5f:15:26:51:9f:cf:34:33:bd:92:39:d2:12:f0:06:1f:ea:        
        16:60:e1:9d:e8:26:32:99:fe:b5:75:0a:fa:ee:ac:f3:e0:32:        
        f4:f3:51:65:1f:bf:0c:9b:3b:d3:9b:1c:dd:a2:cb:a8:86:45:        
        e3:b5:ef:2b:bc:83:69:c5:f6:66:6a:7a:b9:2a:79:f0:74:7e:        
        ab:ca
-----BEGIN CERTIFICATE-----
MIIB9TCCAV6gAwIBAgIJAO1tAsoclkwuMA0GCSqGSIb3DQEBBQUAMBcxFTATBgNV
BAMTDGRldjEtZmktMWItYjAeFw0xNTA2MTgxMzM1NDlaFw0xNjA2MTcxMzM1NDla
MBcxFTATBgNVBAMTDGRldjEtZmktMWItYjCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAycK41osG45o6S9LP41hFMdfh7w1LukKYkFJG06GLqKWZbv4d3zSCIXOw
IBuO2uujXRNG0P74kfgdDW9BLyPclkef8l7fWgiUPywdyNE1z4NeA9Ocp4EMZzvY
H5RDRtmLDtz22UFO1GS8EmeCePAAcW7vqTjL+cA89s0VZkiUWZkCAwEAAaNJMEcw
RQYDVR0RAQH/BDswOYIZZGV2MS1maS0xYi1iLmlnaS5pZy5sb2NhbIcECv9rKIcE
Cv9rKocQAAAAAAAAAAAAAAAAAAAAADANBgkqhkiG9w0BAQUFAAOBgQC32WRBJAjM
RS2jTslmltwbQI2tG3JUD3CT0aR3Zb6d19QAtt40A9THogF9ZX+6j5XRDu6/67QZ
XxUmUZ/PNDO9kjnSEvAGH+oWYOGd6CYymf61dQr67qzz4DL08lFlH78MmzvTmx3d
osuohkXjte8rvINpxfZmanq5KnnwdH6ryg==
-----END CERTIFICATE----- 

 

Advertisements

One thought on “Regenerate Expired Cisco UCS Certificate

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s