[Linux-PowerEdge] OMSA 7.4.0 and sec_error_ca_cert_invalid on new CentOS6.5 install

Shane Forsythe sforsyt at gmail.com
Mon Oct 20 11:11:36 CDT 2014


Correction, the line

  cp keystore.db keystore.dell

should be

  mv keystore.db keystore.dell



On Mon, Oct 20, 2014 at 11:57 AM, Shane Forsythe <sforsyt at gmail.com> wrote:

> These are steps I took to replace the keystore.db file and use my own
> Certificate Authority to sign CSR from the keytool. Caveat that doing so on
> your own machines is at your own risk.
>
> # Presumes that you have your own CA setup (fairly easy, google for
> instructions and follow)
> # Firefox has no way of automatically importing CA certs from command line
> for multiple profiles, so you must import your CA.cert into Mozilla, then
> find the cert.db in the profile and copy to other machines if you wish to
> 'automate'
>
> cd /opt/dell/srvadmin/lib64/openmanage/apache-tomcat/conf
> cp keystore.db keystore.dell
> ## The key thing when you generate the key is to use the -alias dell and
> during prompt for "what is your first and last name", put the 'cname' you
> would like if you were generating a csr for ssl, I used localhost as I
> browse OMSA locally.  If you enable external viewing of omsa, use the
> hostname you use, ip addresses will not work
> ../../jre/bin/keytool -genkey -keyalg RSA -alias dell -keystore
> keystore.db -storepass password -validity 36000 -keysize 2048
> ../../jre/bin/keytool -certreq -keyalg RSA -alias dell -keystore
> keystore.db -file omsa.csr
>
> ## Copy omsa.csr to your CA. You need to use the following line to make
> sure keytool/openssl are compatible.
>
> openssl x509 -req -CA ca.cert.pem -CAkey ca.key.pem -in omsa.csr -out
> omsa.cert.pem -days 3650 -CAcreateserial
>
> ## Copy omsa.cert.pem and ca.cert.pem back to your machine that generated
> the csr
> cd /opt/dell/srvadmin/lib64/openmanage/apache-tomcat/conf
> ../../jre/bin/keytool -import -keystore keystore.db -file /tmp/ca.cert.pem
> -alias theCARoot
> ../../jre/bin/keytool -import -keystore keystore.db -file
> /tmp/omsa.cert.pem -alias dell
>
> ### edit the server.xml line, and change the keypass and keystorepass  to
> what you used when you generated keystore.db
>   <Connector compression="force" SSLEnabled="true" clientAuth="false"
> keystoreFile="conf/keystore.db" keystorePass="password" keyPass="password"
> maxThreads="150" maxPostSize="6291456" port="1311" protocol="HTTP/1.1"
> scheme="https" secure="true" sslProtocol="TLS"
> ciphers="SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>
>
> ## restart OMSA services
> /opt/dell/srvadmin/sbin/srvadmin-services.sh restart
>
>
> On Mon, Oct 20, 2014 at 3:02 AM, <Viswanath_Ponnuru at dell.com> wrote:
>
>> The importing of CA-signed certificates via the OMSA CLI feature is planned to
>> be delivered as part of the OMSA 8.1 release.
>>
>> Regards
>>
>> Vish Ponnuru.
>>
>> -----Original Message-----
>> From: linux-poweredge-bounces-Lists On Behalf Of Stefan M. Radman
>> Sent: Saturday, October 18, 2014 4:25 AM
>> To: linux-poweredge-Lists
>> Subject: Re: [Linux-PowerEdge] OMSA 7.4.0 and sec_error_ca_cert_invalid
>> on new CentOS6.5 install
>>
>> Same seen with firefox 31.1.0 on RHEL 6.5 server
>>
>> any solution appreciated
>>
>> Thanks
>> Stefan
>>
>> On Oct 17, 2014, at 5:42 PM, Shane Forsythe wrote:
>>
>> > The default install of firefox on any new centos machine is now
>> invalidating the certificate with OMSA. I have found some documentation
>> about updating the cert once you are logged in, but does anyone know of a
>> way to update the cert from the command line?
>> >
>> > Does Dell have a ca.cert file we can import, or do we have to use our own
>> ca and self-signed keys?
>> >
>> > Thanks
>> > Shane
>> >
>> > _______________________________________________
>> > Linux-PowerEdge mailing list
>> > Linux-PowerEdge at dell.com
>> > https://lists.us.dell.com/mailman/listinfo/linux-poweredge
>>
>>
>>
>
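The server.xml step in the quoted procedure hands Tomcat the new keystore, but the Connector line it shows still carries RC4 and 3DES suites and the literal keystore password. As an added example (not code from the thread or from Dell), this Python check parses that Connector from a constructed server.xml fragment, reports obsolete suites and placeholder passwords, and returns the trimmed cipher list to put back into the file:

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment; the Connector attributes are the ones quoted in the thread.
SERVER_XML = """<Server><Service>
<Connector compression="force" SSLEnabled="true" clientAuth="false"
 keystoreFile="conf/keystore.db" keystorePass="password" keyPass="password"
 maxThreads="150" maxPostSize="6291456" port="1311" protocol="HTTP/1.1"
 scheme="https" secure="true" sslProtocol="TLS"
 ciphers="SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>
</Service></Server>"""

# Substrings that mark a suite as obsolete: RC4 and 3DES are deprecated bulk
# ciphers, MD5 is a broken MAC, and NULL/EXPORT/anon suites give no real protection.
WEAK_MARKERS = ("RC4", "3DES", "_MD5", "NULL", "EXPORT", "anon")
# Values that are clearly defaults or placeholders rather than a chosen password.
PLACEHOLDER_PASSWORDS = {"password", "changeit", ""}

def audit_connector(xml_text, port="1311"):
    """Audit the HTTPS Connector on the given port; return weak/kept suites and findings."""
    root = ET.fromstring(xml_text)
    conn = next((c for c in root.iter("Connector") if c.get("port") == port), None)
    if conn is None:
        raise ValueError(f"no Connector on port {port}")
    ciphers = [c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()]
    weak = [c for c in ciphers if any(m in c for m in WEAK_MARKERS)]
    kept = [c for c in ciphers if c not in weak]
    findings = [f"weak cipher suite configured: {c}" for c in weak]
    for attr in ("keystorePass", "keyPass"):
        if conn.get(attr) in PLACEHOLDER_PASSWORDS:
            findings.append(f"{attr} is a placeholder value; set it to the password used for keystore.db")
    if conn.get("SSLEnabled") != "true" or conn.get("scheme") != "https":
        findings.append("Connector is not configured for HTTPS")
    return {"weak_ciphers": weak, "kept_ciphers": kept, "findings": findings,
            "hardened_ciphers": ",".join(kept)}

if __name__ == "__main__":
    result = audit_connector(SERVER_XML)
    for finding in result["findings"]:
        print("FINDING:", finding)
    print("ciphers to keep:", result["hardened_ciphers"])
```

Run it against the real /opt/dell/srvadmin/lib64/openmanage/apache-tomcat/conf/server.xml by reading that file into audit_connector instead of the constructed fragment.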