How to configure a Cisco UCS Chassis running version 4.0 firmware to use an internal certificate authority's SSL certificate

11/19/2018

Building the Cert file to create a new Trusted Point in UCS
  1. Log in to your Windows CA web enrollment site (https://yourCAhostname.yourADdomain.com/certsrv) and click "Download a CA certificate, certificate chain, or CRL". Say yes to the prompt about "...attempting to perform a certificate operation on your behalf...".
  2. On the next screen select the current CA certificate, select "Base 64" encoding, and then click "Download CA certificate". Click "Save As..." and save the .cer file somewhere easy to get back to. Name it something meaningful, like "Company-Issuing-CA.cer", so you can tell which cert it is later.
  3. We also need a .cer file of the Root CA to build the chain the UCS expects. Open the certificate you just downloaded by double-clicking it, click the "Certification Path" tab at the top, and select "Company-Root-CA" in the top box.
  4. Click "View Certificate", go to the "Details" tab and click the "Copy to File..." button. Then click "Next".
  5. Pick the "Base-64 encoded X.509 (.CER)" option, then click "Next".
  6. Click the browse button, save the file in the same place as the other .cer file, name it "Company-Root-CA.cer", click "Next" and then "Finish".
  7. Now create a text file that contains both certs as a chain. It must be in exactly this order and format:
    -----BEGIN CERTIFICATE-----
    <Company-Issuing-CA.cer txt Contents>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <Company-Root-CA.cer txt Contents>
    -----END CERTIFICATE-----
This new text file is what we will paste in to create a new "Trusted Point" in the UCS.
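As an added example (not part of the original post), the following Python script assembles that chain file from the two .cer exports and sanity-checks them before you paste: it strips the CRLF line endings and UTF-8 BOM that Windows exports can carry, rejects a PKCS#7 bundle (which is what "Download CA certificate chain" on CertSrv produces and what the UCS box will not accept), checks that each block decodes to a well-formed outer DER SEQUENCE, and writes the issuing CA first and the root CA second. The two inline inputs are constructed stand-ins (minimal DER sequences), not real certificates; in practice you would read Company-Issuing-CA.cer and Company-Root-CA.cer from disk.

```python
import base64
import re

# Added example, not the original post's procedure: build the UCS "Certificate
# Chain" text from the two Base-64 .cer exports (issuing CA first, root CA second).

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every PEM block in `text`.

    Windows "Copy to File..." output can carry CRLF line endings or a UTF-8
    BOM; both are stripped here because the UCS paste box is strict about them.
    """
    text = text.replace("\ufeff", "").replace("\r\n", "\n")
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:  # binascii.Error is a subclass of ValueError
            raise ValueError(f"{label} block is not valid Base-64") from exc
        blocks.append((label, der))
    return blocks


def check_certificate(label, der):
    """Shallow structural check: the block must be labelled CERTIFICATE and its
    outer DER SEQUENCE length must match the data. 'Download CA certificate
    chain' on CertSrv produces a PKCS#7 bundle, which UCS will not accept,
    so that case gets its own error message."""
    if label == "PKCS7":
        raise ValueError("PKCS#7 bundle supplied; export each CA as Base-64 X.509 instead")
    if label != "CERTIFICATE":
        raise ValueError(f"expected a CERTIFICATE block, got {label}")
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("DER data does not start with a SEQUENCE tag")
    first = der[1]
    if first < 0x80:                       # short-form length
        length, header = first, 2
    else:                                  # long form: 0x80 | number of length bytes
        n = first & 0x7F
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if header + length != len(der):
        raise ValueError("DER length does not match certificate size")
    return der


def to_pem(der):
    """Re-wrap DER as PEM with 64-character lines and LF line endings."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def build_chain_pem(issuing_pem, root_pem):
    """Return the chain text to paste into the Trusted Point: issuing CA, then root."""
    chain = []
    for name, text in (("issuing", issuing_pem), ("root", root_pem)):
        blocks = pem_blocks(text)
        if len(blocks) != 1:
            raise ValueError(f"{name} CA file must hold exactly one certificate, found {len(blocks)}")
        chain.append(check_certificate(*blocks[0]))
    return "".join(to_pem(der) for der in chain)


# Constructed stand-ins (minimal DER SEQUENCEs, not real certificates) so the
# script runs offline; in practice read Company-Issuing-CA.cer and
# Company-Root-CA.cer from disk instead.
ISSUING_CER = "\ufeff-----BEGIN CERTIFICATE-----\r\nMAMCAQE=\r\n-----END CERTIFICATE-----\r\n"
ROOT_CER = "-----BEGIN CERTIFICATE-----\nMAMCAQI=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(build_chain_pem(ISSUING_CER, ROOT_CER), end="")
```

The DER check is deliberately shallow (tag and length only); it catches a truncated paste or the wrong file type, not a wrong CA. Ordering is still your responsibility: pass the issuing CA's file as the first argument, exactly as the chain layout above shows.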

Creating the Trusted Point in UCS Manager
  1. Log in to Cisco UCS Manager, go to "Admin" > "Key Management", then click the "Trusted Points" tab along the top of the right-hand pane.
  2. Along the bottom of the page there is a grey bar with a circled "+" symbol and the word "Add" next to it; click that.
  3. Name the Trusted Point. I call it "Company-Issuing-CA" after the CA we are using (the name doesn't matter, it's just easier to recognise in later steps). Next, paste the contents of the chain file we created in part one into the "Certificate Chain" box (the one that expects the -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- markers). Click "OK" and let the box close. You should now have a Trusted Point called "TP Company-Issuing-CA".
  4. Now we need to create a new key ring. Across the top of that same panel, pick the "Key Rings" tab.
  5. Click the circled "+" / "Add" control in the grey bar along the bottom of the page again.
  6. Name the key ring whatever you want; I used something like the hostname we are using (ucs-mini). Select the "Mod2048" radio button, then click OK.
  7. Click on your newly created Key Ring, then right-click it and choose "Show Navigator", which opens a new dialog box.
  8. Along the left, click the blue "Create Certificate Request" link and fill out the form that pops up. For DNS, use whatever name you resolve the chassis by in DNS. Also fill out the 3 IP addresses in the IPv4 tab across the bottom: this puts "Subject Alternative Names" in the cert so you can access the manager and both Fabric Interconnects by IP without getting a cert warning. Once you are done, click OK.
  9. Now in that same box, expand the "Request" section on the right (it may already be expanded) to see the request text you need to submit on the CertSrv site. Copy the text with Ctrl-C.
  10. Browse to https://yourCAserver.yourADdomain.com/certsrv/ and select "Request a certificate".
  11. Click "advanced certificate request".
  12. Next, click the link that starts with "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file...".
  13. In the middle of the page, select the Certificate Template you want to use for the certificate (Web Server).
  14. Paste the text you copied in step 9 into the "Saved Request" box and click the "Submit >" button.
  15. Download the new certificate as a .CER file (you will need to open it in Notepad to copy its text).
  16. Back in UCS Manager, open the properties of the Key Ring you created in steps 4-6, then expand the "Certificate" portion of the box along the right.
  17. Pick the trusted point we will be associating with this certificate (the one we created in steps 1-3).
  18. Paste the text from the .cer file we requested from the CA in step 15, then click "OK" to save.
Activating the new PKI/SSL stuff
  1. Select "Admin" > "Communication Management" > "Communication Services".
  2. Scroll down to the "HTTPS" portion of the page on the right and find the "Key Ring" drop-down. Select the Key Ring you created in the previous section, then click the "Save Changes" button in the bottom right. It will warn you that you will be disconnected from your session; that is fine, accept it.
  3. At this point you should be able to access UCS Manager by the hostname you gave it or by the IP address without getting any SSL warnings.
Reference Websites Used:
https://www.derekseaman.com/2012/04/install-trusted-ssl-certificate-in.html
https://community.cisco.com/t5/unified-computing-system/pki-cert-issue-ucs-manager/td-p/2004407

Applying SSL Certificates to iDRAC

11/12/2018

Applying a Certificate to a Dell iDRAC Controller when using an internal Enterprise CA using ADCS

Applying internal SSL certificates to devices ensures they can be opened easily, and without warnings, in all browsers. These directions have worked so far on all recent versions of iDRAC (7, 8 & 9). Note the gotcha in step 6 when using an internal CA.

  1. Log on to the Dell iDRAC Controller in question.
  2. Go to "iDRAC Settings"
  3. Then select "Network" in iDRAC 7 & 8 but "Connectivity" in iDRAC 9
  4. Click on "SSL"
  5. Now we need to generate the CSR (Certificate Signing Request) that we will supply when requesting the cert from our internal Certificate Authority. Click "Generate CSR".
  6. A form will appear. Fill out the fields as you normally would, but pay special attention to the COMMON NAME:
    Common Name: idrac-[servicetag].ad-domain.com (for example idrac-2g8eg42.ad-domain.com). NOTE: make sure you include the AD FQDN in this field, or you won't be able to upload the cert you request; the upload will error out.
  7. Once you have filled in the fields, click "Generate".
  8. You will get a prompt to save a txt file. Save it with a name like "idrac-10.10.4.119_csr.txt", then open the file.
  9. Press Ctrl-A and then Ctrl-C to copy the entire request text.
  10. Open the CA request website at:  https://yourCAhostname.yourdomain.com/certsrv/
  11. Click on: "Request a Certificate"
  12. Click on: "Advanced certificate request"
  13. Click on: "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file."
  14. Paste the contents of the request you copied earlier from the txt file into the top field, labeled "Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7):".
  15. Certificate Template should be "Web Server" (or whichever template you use internally for web servers).
  16. In the attributes field we need to enter some text that adds a "Subject Alternative Name" containing the IP address to the cert, so we don't get a warning when we access the iDRAC by IP address. For an iDRAC with the IP address 10.10.4.119 that text is san:ipaddress=10.10.4.119 (without quotes).
  17. Once all the above is filled out, click the "Submit >" button.
  18. You will get a prompt that says something like "This web site is attempting to perform a digital certificate operation on your behalf..." it is OK to just say "Yes" to that prompt.
  19. The certificate should be issued immediately, and you should see a screen that will allow you to download your certificate.
  20. Switch the radio button to the "Base 64 encoded" format.
  21. Click on the "Download certificate" link.
  22. Save the certificate in a convenient spot with a .cer extension. (like [ipaddress].cer)
  23. Back in iDRAC, click on the "Upload Server Certificate" link to upload your new certificate.
  24. Choose the file you just created and say Ok or Apply (depending on the version of iDRAC).
  25. You may get prompted to Reset iDRAC - if so go ahead and accept that. If you don't get prompted, you will need to reset the iDRAC before your certificate settings will apply.
  26. Once the iDRAC is rebooted, you should reconnect and now your certificate will show as valid.

    NOTE: You MUST close the tab you have been working in for the new certificate to get loaded - simply refreshing the screen over and over might show the newly rebooted iDRAC, but it will NOT usually reload the new certificate. So close the tab and reload the iDRAC, and if at that point you still get a cert warning, you did something wrong. If not you are finished.

SSL Certificate Gotcha with PRTG

11/8/2018

When using an internal Microsoft Certificate Authority, there was a small gotcha installing an SSL certificate on the PRTG web interface.

Use this Paessler KB article to install the SSL certificate on the PRTG server. You will also need OpenSSL installed on a machine:
kb.paessler.com/en/topic/283-how-can-i-use-a-trusted-ssl-certificate-with-the-prtg-web-interface#reply-713

There is only ONE thing to note about this procedure. The COMMON NAME you give the certificate during the OpenSSL step is apparently not used at all by PRTG. So you will want to add ALL the Subject Alternative Names in the additional attributes portion of the request on the CertSrv site in IIS, including the primary name you will use to reach the server's web interface.

For example, on a server named PRTG1 you would include all of these SANs:

san:ipaddress=10.10.10.15&dns=prtg1&dns=prtg1.internaldomain.com

which translates to the following in the SAN portion of the cert:

IP Address=10.10.10.15
DNS Name=prtg1
DNS Name=prtg1.internaldomain.com

This allows us to hit PRTG from any of those names without a certificate warning.
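As an added example (not part of this post or the iDRAC post above), the following Python script builds the san: request attribute used in the CertSrv attributes field in both posts, parses it back into the form the certificate viewer shows, and checks that every name an operator will browse to is actually covered, which is the gotcha described here: since the common name is ignored, a name missing from the SAN means a browser warning. It also checks the iDRAC rule that the common name must be an FQDN. The hostname rule (RFC 1123 labels) and the sample names are assumptions; the values 10.10.10.15, prtg1, prtg1.internaldomain.com and 10.10.4.119 come from the posts. One caveat worth knowing: the CA only honours this attribute when its EDITF_ATTRIBUTESUBJECTALTNAME2 flag is set, and with that flag on any authorised requester can add arbitrary names to a request, so limit who may enrol against such a CA, or put the SANs into the CSR itself (as the UCS IPv4 tab does) and leave the flag off.

```python
import ipaddress
import re

# Added example, not from the original posts: build, parse and check the
# "san:" request attribute typed into the CertSrv advanced-request page.

# Assumption: hostnames follow RFC 1123 (1..63 char labels, no leading/trailing '-').
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_hostname(name):
    """True for 'prtg1' or 'prtg1.internaldomain.com'; False for spaces or empty labels."""
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def is_fqdn(name):
    """The iDRAC common name must carry the AD FQDN, not just the short hostname."""
    return is_hostname(name) and "." in name


def build_san_attribute(ip_addresses=(), dns_names=()):
    """Return e.g. 'san:ipaddress=10.10.10.15&dns=prtg1&dns=prtg1.internaldomain.com'.

    Raises ValueError for anything that is not a valid IPv4 address or hostname,
    so a typo fails here instead of ending up in an issued certificate.
    """
    parts = []
    for ip in ip_addresses:
        parts.append(f"ipaddress={ipaddress.IPv4Address(ip)}")  # AddressValueError on bad input
    for name in dns_names:
        if not is_hostname(name):
            raise ValueError(f"invalid DNS name in SAN: {name!r}")
        parts.append(f"dns={name}")
    if not parts:
        raise ValueError("at least one SAN entry is required")
    return "san:" + "&".join(parts)


def parse_san_attribute(attr):
    """Render the attribute the way the certificate viewer lists the SAN extension,
    e.g. [('IP Address', '10.10.10.15'), ('DNS Name', 'prtg1'), ...]."""
    if not attr.lower().startswith("san:"):
        raise ValueError("attribute must start with 'san:'")
    rendered = []
    for item in attr[4:].split("&"):
        kind, sep, value = item.partition("=")
        if not sep or not value:
            raise ValueError(f"malformed SAN entry: {item!r}")
        kind = kind.lower()
        if kind == "ipaddress":
            rendered.append(("IP Address", str(ipaddress.IPv4Address(value))))
        elif kind == "dns":
            if not is_hostname(value):
                raise ValueError(f"invalid DNS name in SAN: {value!r}")
            rendered.append(("DNS Name", value))
        else:
            raise ValueError(f"unsupported SAN type: {kind!r}")
    return rendered


def uncovered_names(attr, names_used):
    """Names an operator will browse to that are NOT in the SAN (DNS compare is
    case-insensitive). Any entry in the result means a browser warning for that name."""
    covered = {value.lower() for _, value in parse_san_attribute(attr)}
    return [n for n in names_used if n.lower() not in covered]


if __name__ == "__main__":
    # Sample input taken from the PRTG post.
    attr = build_san_attribute(["10.10.10.15"], ["prtg1", "prtg1.internaldomain.com"])
    print(attr)
    for kind, value in parse_san_attribute(attr):
        print(f"{kind}={value}")
    # A name that is used but missing from the SAN is reported before the request is submitted.
    print(uncovered_names(attr, ["PRTG1", "prtg1.otherdomain.com"]))
    print(is_fqdn("idrac-2g8eg42.ad-domain.com"), is_fqdn("idrac-2g8eg42"))
```

Run it with the names you actually type into the address bar as `names_used`; an empty list from `uncovered_names` is the condition the post is after, access by any of those names without a certificate warning.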