Hey,
So I've been struggling to find a good guide for how to use ADCS (Active Directory Certificate Services) to sign certificates for my Supermicro motherboards' IPMI web pages. I haven't really found anything that walks through all the steps, so I tried my best to create a comprehensive start-to-finish guide on how to do it from a layman's perspective.
Please, keep in mind that I don't really have any idea what I'm doing, but what I do know is that my f***ing IPMI pages no longer nag me about my connection being insecure.
ADCS really shines for deploying certificates to Windows AD members (your DCs, VMs, clients, etc.) using AD GPO/gpupdate. That was really cool once I figured that out (again, no real idea what I'm doing - just works). If anyone knows if it's possible to deploy certs using GPO+Samba, please reply to thread (!!!)
But making a certificate for web sites, like Supermicro IPMI pages, is not so clear.
Here's how I made it work:
Create_CA_certificate_using_ADCS_for_Supermicro_IPMI_BNC.txt
Assumptions:
1) You have a working copy of ADCS and will be using a Windows client (you could probably do this in Linux or MacOS. I won't be able to give you the exact steps, but I'm sure you'll figure it out)
2) You have created and deployed a template in your ADCS CA for generating certificate requests. If you have no idea what I'm talking about, go here and read or watch this (video at bottom): microsoft-certificate-authority-template-for-ssl-certificate-creation-in-vsphere-6-7
3) You have a copy of OpenSSL for Windows installed or a copy of git bash (git bash - which I affectionately refer to herein as 'gash' - is easiest to use, as it's nice to have some posix-like utils since Windows CLI sucks).
Create private key:
Open 'gash' and create a working directory where you will save all your files
e.g.
Code:
$ cd c:/users/username/Documents/
$ mkdir x11sslf
$ cd x11sslf
Using OpenSSL, create an RSA key - if prompted for a passphrase, do not type any characters, just hit enter
(will default to 2048, but you can enter a number like 1024, 2048, 4096 at the end for the desired strength)
Code:
$ openssl genrsa -out private-key.pem
Generate a certificate signing request
Code:
$ openssl req -new -key private-key.pem -out server.csr
You will be prompted to enter information; here is a real-world example (again, hit enter when prompted for the password - no passwords!):
Code:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Washington
Locality Name (eg, city) []:Olympia
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Domainname.Com
Organizational Unit Name (eg, section) []:Backroom
Common Name (e.g. server FQDN or YOUR name) []:x11sslf.domainname.com
Email Address []:contact@averyfreeman.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Copy the CSR to your clipboard and navigate to https://your.adcs.webserver/certsrv
Code:
$ cat server.csr
Copy from here:
Code:
-----BEGIN CERTIFICATE REQUEST-----
00000000000000000000000000000000000000
-----END CERTIFICATE REQUEST-----
to here (will look different, obviously - truncated for security).
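The key and CSR steps above, as an added example that is not part of the original post: a small script that does the same two openssl commands non-interactively and also puts the board's FQDN into a subjectAltName. Current browsers match the hostname against the SAN, not the Common Name, so a CSR with only a CN (like the interactive one above) is one reason a browser keeps nagging even after the certificate is trusted. It assumes OpenSSL 1.1.1 or newer on PATH (git bash on Windows is fine); the FQDN and DN values are the ones from the example above, and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: non-interactive key + CSR with a SAN.
# Assumes OpenSSL 1.1.1+ (needed for -addext). DN values are placeholders copied from the post.
set -eu

# git bash (MSYS) rewrites arguments that start with "/" as Windows paths, which mangles
# the -subj string. This variable turns that off; it is harmless on Linux/macOS.
export MSYS_NO_PATHCONV=1

# make_csr <fqdn> <outdir> [bits]  -> writes private-key.pem and server.csr into <outdir>
make_csr() {
  fqdn=$1; dir=$2; bits=${3:-2048}
  mkdir -p "$dir"
  # No passphrase on purpose: the BMC cannot prompt for one when it loads the key.
  openssl genrsa -out "$dir/private-key.pem" "$bits" 2>/dev/null
  # -subj replaces the interactive prompts; -addext adds the SAN that the CN alone no longer satisfies.
  openssl req -new -key "$dir/private-key.pem" -out "$dir/server.csr" \
    -subj "/C=US/ST=Washington/L=Olympia/O=Domainname.Com/OU=Backroom/CN=$fqdn" \
    -addext "subjectAltName=DNS:$fqdn"
}

# csr_cn <csr>  -> prints the Common Name in the request (double-check before pasting it into certsrv)
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_has_san <csr> <fqdn>  -> succeeds only if the request carries DNS:<fqdn> in its SAN extension
csr_has_san() {
  openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# Stand-alone usage: build the request for the board from the post, then show what it contains.
if [ "${1:-}" = "run" ]; then
  make_csr x11sslf.domainname.com ./x11sslf 2048
  echo "CN in request: $(csr_cn ./x11sslf/server.csr)"
  csr_has_san ./x11sslf/server.csr x11sslf.domainname.com && echo "SAN present"
  cat ./x11sslf/server.csr    # this is the text you paste into the 'saved request' field
fi
```

Run it as `bash make-csr.sh run` from your working directory; the `cat` at the end prints the same BEGIN/END block you paste into certsrv. Whether ADCS keeps the SAN from the request depends on the template: if the issued certificate comes back without it, the template needs the "Supply in the request" subject option (check with `openssl x509 -in certnew.cer -noout -ext subjectAltName` after download).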
Once at https://your.adcs.webserver/certsrv click 'request a certificate' and then 'advanced certificate request'.
Choose 'Submit a certificate request by using a base-64-encoded CMC ... '
In the 'saved request' field paste the contents of server.csr (the output of the cat above), and underneath the field choose the name of the template you created and deployed in ADCS earlier (e.g. I called mine 'motherboards', but I suppose something like 'BMC' or 'IPMI' or 'Supermicro' might make more sense...)
You can give it a friendly name in the field, or otherwise it'll be called 'certnew.cer'.
Click 'submit' and 'yes' at the nag.
Select 'Base 64 encoded' and click 'download certificate'.
Note: You can download the chain if you want to get a copy of your root CA, which can be useful for installing in Firefox (for example), but then you have to open it and export the two resulting files into base64-encoded .cer files.
Save it in your work folder you created at the start of this adventure.
Edit: I notice after doing this 3 times now that there might be some stipulations as to what's required on different boards, maybe to do with BMC firmware version, board version, etc. For one board, I had to rename the .cer file I had just downloaded to .pem, while on others it was not required. If you need to rename the file, it's just:
Code:
$ mv certname.cer x11sslf-domainname-com.pem
It will still be the same base64-encoded ASCII file, just with a different file extension.
Also, on one board I could not get this to work in IE11, which is what I use for ADCS because, you know, Microsoft... so I jumped over to Firefox ESR 52.9.0 64-bit for the IPMI bit. On another board I tried, this did not matter.
So if you're having issues just try different things out. Maybe you'll run into some unforeseen issue, too! (oh, the glory!)
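A few checks worth running on the downloaded file before uploading it to the BMC, as an added example that is not part of the original post. They cover the rename caveat above (a file ADCS delivered as DER, the non-'Base 64 encoded' download option, does not become PEM by renaming it and has to be converted), the chain download from the note above (the .p7b can be unpacked to PEM with openssl instead of exporting by hand), and a public-key comparison that catches the most common upload failure, a certificate paired with the wrong private-key.pem. It assumes OpenSSL on PATH (git bash or OpenSSL for Windows); file names are placeholders, and `check_live` is my own addition that needs network access to the BMC.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: checks on the certificate ADCS issued,
# run before (and after) uploading it to the BMC. Assumes OpenSSL on PATH.
set -eu

# cert_encoding <file>  -> prints PEM or DER. A DER .cer renamed to .pem is still DER.
cert_encoding() {
  if head -c 40 "$1" | grep -q -- '-----BEGIN'; then echo PEM; else echo DER; fi
}

# to_pem <in.cer> <out.pem>  -> PEM copy of the certificate, converting from DER when needed
to_pem() {
  if [ "$(cert_encoding "$1")" = DER ]; then
    openssl x509 -inform der -in "$1" -out "$2"
  else
    cp "$1" "$2"
  fi
}

# chain_to_pem <certnew.p7b> <chain.pem>  -> every CA cert from the downloaded chain, as PEM
chain_to_pem() {
  if [ "$(cert_encoding "$1")" = DER ]; then
    openssl pkcs7 -inform der -print_certs -in "$1" -out "$2"
  else
    openssl pkcs7 -print_certs -in "$1" -out "$2"
  fi
}

# key_matches_cert <private-key.pem> <server.pem>  -> succeeds only if the cert was issued for this key
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)" = \
    "$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)" ]
}

# verify_against_ca <chain.pem> <server.pem>  -> prints "server.pem: OK" when it chains to your ADCS root
verify_against_ca() {
  openssl verify -CAfile "$1" "$2"
}

# describe_cert <server.pem>  -> what a browser will see: subject, SANs, issuer and validity
describe_cert() {
  openssl x509 -in "$1" -noout -subject -issuer -dates -ext subjectAltName
}

# check_live <bmc-fqdn> <chain.pem>  -> after the BMC reboots, verify what it actually serves (needs network)
check_live() {
  openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" -verify_return_error \
    </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
}

# Stand-alone usage with the file names from the post (placeholders): bash check-cert.sh run
if [ "${1:-}" = "run" ]; then
  to_pem certnew.cer x11sslf-domainname-com.pem
  chain_to_pem certnew.p7b chain.pem
  key_matches_cert private-key.pem x11sslf-domainname-com.pem && echo "key and cert match"
  verify_against_ca chain.pem x11sslf-domainname-com.pem
  describe_cert x11sslf-domainname-com.pem
fi
```

The SAN line printed by `describe_cert` is what to look at if a browser still complains after your root CA is trusted: no SAN, or a SAN that does not contain the BMC's FQDN, means the template stripped it or the request never had one. `chain.pem` is also the file to import into Firefox's certificate store instead of exporting each certificate by hand.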
Now navigate to your IPMI web page --> configuration --> SSL Certification
Upload the .pem file you just renamed to 'New SSL Certificate' and upload the 'private-key.pem' you made in the very first step to 'New Private Key'. Then hit the 'Upload' button.
You'll get this message:
Code:
The device is rebooting itself.
You will be redirected to the login page in 60 seconds.
Click here if you are not redirected automatically.
If you imported your root CA into Firefox, or you're using another browser like Chrome that doesn't manage its own certificates, then when you refresh the page you should notice there's no nag (or in the case of Firefox, at least less naggy - mine was still complaining about my root CA cert not being secure, which is bullshit, but I'm tired of ****ing with it for right now).
Try loading the page in Chrome or IE and maybe it'll be less naggy. You can inspect the certificate; it should say the FQDN of your ADCS root CA.
:golfclap:
Questions???