Regenerate Expired Cisco UCS Certificate

The default (self-signed) UCSM keyring certificate must be manually regenerated if the cluster name changes or the certificate expires. The default certificate is valid for one year. Ideally you have already replaced the default self-signed certificate with one issued by a trusted CA, but if you haven't, you will see the following Major alert in UCS Manager when the certificate expires:

(Screenshot: the Major fault raised in UCS Manager for the expired default keyring certificate)

The fix is pretty simple. This process doesn't cause any cluster outage or downtime, but make sure you have a valid change raised in your change management system.

Here are the steps:

  • Make sure the Fabric Interconnects have correct time settings, ideally synchronised with an NTP server: the new certificate's validity period is taken from the FI clock, so a wrong clock produces a certificate that is already expired or not yet valid. This can be checked in UCS Manager: go to the Admin tab, open the 'All' drop-down and pick Timezone Management. The NTP details are in there.
  • If all looks well, SSH to the UCS Manager cluster IP of the UCS domain using an account with admin privileges. If you are using the local admin account, the following syntax may be needed:
  • PuTTY session
login as: ucs-local\admin
Cisco UCS 6100 Series Fabric Interconnect
Using keyboard-interactive authentication.
  • Mac Terminal session (replace <ucsm-cluster-ip> with your cluster IP; the backslash has to be escaped in the shell)
ssh ucs-local\\admin@<ucsm-cluster-ip>
Cisco UCS 6100 Series Fabric Interconnect
  • Once logged in, run the following commands to regenerate the certificate:
dev1-ucs-1-B# scope security
dev1-ucs-1-B /security # scope keyring default
dev1-ucs-1-B /security/keyring # set regenerate yes
dev1-ucs-1-B /security/keyring* # commit-buffer 
  • After you issue the 'commit-buffer' command, all GUI sessions are disconnected. Log back on to UCSM and accept the new certificate (it is still self-signed, so your browser will prompt for it again). The Major fault should clear, but it can take a few minutes to disappear.
  • To verify the new certificate, run the following from the same PuTTY or terminal session:
dev1-ucs-1-B /security/keyring* # scope security
dev1-ucs-1-B /security* # show keyring detail
  • If the certificate has been regenerated correctly you should get output similar to the following. Confirm that the Not Before and Not After dates reflect the regeneration date (a further year of validity from today) and that the Major fault has cleared.
dev1-ucs-1-B /security* # show keyring detail
Keyring default:
    RSA key modulus: Mod1024
    Trustpoint CA:
    Cert Status: Self Signed Certificate
         Version: 3 (0x2)
         Serial Number:
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: CN=dev1-ucs-1-b
       Not Before: Jun 18 13:35:49 2015 GMT
       Not After : Jun 17 13:35:49 2016 GMT
    Subject: CN=dev1-ucs-1-b
    Subject Public Key Info:
       Public Key Algorithm: rsaEncryption
       RSA Public Key: (1024 bit)
        Modulus (1024 bit):
           Exponent: 65537 (0x10001)
     X509v3 extensions:
       X509v3 Subject Alternative Name: critical
           , IP Address:, IP Address:, IP Address:0:0:0:0:0:0:0:0
    Signature Algorithm: sha1WithRSAEncryption
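As an added check (example code written for this post, not part of the original or of Cisco's tooling), the following Python parses the 'show keyring detail' output format shown above and flags an expired or nearly expired certificate, a clock problem, and the weak defaults visible in that output (1024-bit RSA, SHA-1, self-signed). The SAMPLE text is constructed from the page's output and the utc() helper is a hypothetical convenience for building a test date.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the 'show keyring detail' output above
# (the SAN IP addresses were blank on the page and are omitted here).
SAMPLE = """Keyring default:
    RSA key modulus: Mod1024
    Cert Status: Self Signed Certificate
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: CN=dev1-ucs-1-b
       Not Before: Jun 18 13:35:49 2015 GMT
       Not After : Jun 17 13:35:49 2016 GMT
    Subject: CN=dev1-ucs-1-b
"""

FIELD = re.compile(r"^\s*(Not Before|Not After|RSA key modulus|Signature Algorithm"
                   r"|Cert Status)\s*:\s*(.*?)\s*$", re.M)
DATE_FMT = "%b %d %H:%M:%S %Y GMT"

def utc(year, month, day):
    """Hypothetical helper: build a timezone-aware 'now' for a given date."""
    return datetime(year, month, day, tzinfo=timezone.utc)

def parse_keyring(text):
    """Pull the fields we care about out of 'show keyring detail' output."""
    fields = {k: " ".join(v.split()) for k, v in FIELD.findall(text)}
    for k in ("Not Before", "Not After"):
        fields[k] = datetime.strptime(fields[k], DATE_FMT).replace(tzinfo=timezone.utc)
    return fields

def check_keyring(text, now=None, warn_days=30):
    """Return a list of findings; an empty list means nothing to flag."""
    now = now or datetime.now(timezone.utc)
    k = parse_keyring(text)
    findings = []
    if now > k["Not After"]:
        findings.append("expired")              # the Major fault described above
    elif (k["Not After"] - now).days < warn_days:
        findings.append("expires-soon")
    if now < k["Not Before"]:
        findings.append("not-yet-valid (check FI clock/NTP)")
    bits = int(re.search(r"\d+", k["RSA key modulus"]).group())
    if bits < 2048:
        findings.append(f"weak-key-{bits}")     # default keyring is 1024-bit
    if k["Signature Algorithm"].lower().startswith("sha1"):
        findings.append("sha1-signature")
    if "Self Signed" in k["Cert Status"]:
        findings.append("self-signed")          # regeneration keeps it self-signed
    return findings
```

Paste the real output into the text argument; if the FI clock was wrong when you ran 'set regenerate yes', the not-yet-valid finding is what you will see.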