How-To: Use OpenSSL and ADCS for creating and signing Supermicro IPMI BMC SSL certificates


AveryFreeman

consummate homelabber
Mar 17, 2017
413
54
28
42
Near Seattle
averyfreeman.com
Hey,

So I've been struggling to find a good guide for how to use ADCS (Active Directory Certificate Services) to sign certificates for my Supermicro motherboards' IPMI web pages. I haven't really found anything that walks through all the steps, so I tried my best to create a comprehensive start-to-finish guide on how to do it from a layman's perspective.

Please, keep in mind that I don't really have any idea what I'm doing, but what I do know is that my f***ing IPMI pages no longer nag me about my connection being insecure.

ADCS really shines for deploying certificates to Windows AD members (your DCs, VMs, clients, etc.) using AD GPO/gpupdate. That was really cool once I figured that out (again, no real idea what I'm doing - just works). If anyone knows if it's possible to deploy certs using GPO+Samba, please reply to thread (!!!)

But making a certificate for web sites, like Supermicro IPMI pages, not so clear.

Here's how I made it work

Create_CA_certificate_using_ADCS_for_Supermicro_IPMI_BNC.txt

Assumptions:

1) You have a working copy of ADCS and will be using a Windows client (you could probably do this in Linux or MacOS. I won't be able to give you the exact steps, but I'm sure you'll figure it out)

2) You have created and deployed a template in your ADCS CA for generating certificate requests. If you have no idea what I'm talking about, go here and read or watch this (video at bottom): microsoft-certificate-authority-template-for-ssl-certificate-creation-in-vsphere-6-7

3) You have a copy of OpenSSL for Windows installed or a copy of git bash (git bash - which I affectionately refer to herein as 'gash' - is easiest to use, as it's nice to have some posix-like utils since Windows CLI sucks).

Create private key:

Open 'gash' and create a working directory where you will save all your files

e.g.
Code:
$ cd c:/users/username/Documents/
$ mkdir x11sslf
$ cd x11sslf
Using OpenSSL, create an RSA key - if prompted for passphrase, do not type any characters, just hit enter
Code:
$ openssl genrsa -out private-key.pem
(will default to 2048, but can enter number like 1024, 2048, 4096 at end for desired strength)

Generate a certificate signing request
Code:
$ openssl req -new -key private-key.pem -out server.csr
You will be prompted to enter information, here is a real-world example (again, hit enter when prompted for password - no passwords!):
Code:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Washington
Locality Name (eg, city) []:Olympia
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Domainname.Com
Organizational Unit Name (eg, section) []:Backroom
Common Name (e.g. server FQDN or YOUR name) []:x11sslf.domainname.com
Email Address []:contact@averyfreeman.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Copy the CSR to your clipboard and navigate to https://your.adcs.webserver/certsrv
Code:
$ cat server.csr
Copy from here:
Code:
-----BEGIN CERTIFICATE REQUEST-----
00000000000000000000000000000000000000
-----END CERTIFICATE REQUEST-----
to here (will look different, obviously - truncated for security).

Once at https://your.adcs.webserver/certsrv click 'request a certificate' and then 'advanced certificate request'

Choose 'Submit a certificate request by using a base-64-encoded CMC ... '

In the 'saved request' field paste your server.csr cat and underneath the field choose the name of your template you created and deployed in ADCS earlier (e.g. I called mine 'motherboards', but I suppose something like 'BMC' or 'IPMI' or 'Supermicro' might make more sense...)

You can give it a friendly name in the field, or otherwise it'll be called 'certnew.cer'

click 'submit' and 'yes' at the nag.

Select 'Base 64 encoded' and click 'download certificate'.

Note: You can download the chain if you want to get a copy of your root CA, which can be useful for installing in Firefox (for example), but then you have to open it and export the two resulting files into base64-encoded .cer files.

Save it in your work folder you created at the start of this adventure.

Edit: I notice after doing this 3 times now that there might be some stipulations as to what's required on different boards, maybe to do with BMC firmware version, board version, etc. For one board, I had to rename the .cer file I had just downloaded to .pem, while on others it was not required. If you need to rename the file, it's just:

Code:
$ mv certname.cer x11sslf-domainname-com.pem
It will still be the same base64-encoded ASCII file, just with a different file extension.

Also, on one board I could not get this to work in IE11, which is what I use for ADCS because, you know, Microsoft... so I jumped over to Firefox ESR 52.9.0 64-bit for the IPMI bit. On another board I tried this did not matter.

So if you're having issues just try different things out. Maybe you'll run into some unforeseen issue, too! (oh, the glory!)

Now navigate to your IPMI web page --> configuration --> SSL Certification

Upload the .pem file you just renamed to 'New SSL Certificate' and upload the 'private-key.pem' you made in the very first step to 'New Private Key'. Then hit the 'Upload' button.

You'll get this message:
Code:
The device is rebooting itself.
You will be redirected to the login page in 60 seconds.
Click here if you are not redirected automatically.
If you imported your root CA into Firefox, or you're using another browser like Chrome that doesn't manage its own certificates, then when you refresh the page you should notice there's no nag (or in the case of Firefox, at least less naggy - mine was still complaining about my root CA cert not being secure which is bullshit but I'm tired of ****ing with it for right now)

Try loading the page in Chrome or IE and maybe it'll be less naggy. You can inspect the certificate, it should say the FQDN of your ADCS root CA.

:golfclap:

Questions???
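The whole procedure above as one script. This is an added example, not the original poster's code and not anything from Supermicro or Microsoft. It assumes OpenSSL 1.1.1 or newer on PATH (git bash on Windows or any Linux box), the work directory and FQDN passed as arguments, and placeholder C/ST/O fields; x11sslf.domainname.com is the made-up hostname from the post. It goes one step past the post in two places: the CSR carries a subjectAltName (Chrome and Firefox match the hostname against the SAN, not the CN, so a CN-only certificate keeps the hostname warning even after the root CA is trusted), and it adds the checks worth running on the file certsrv hands back before uploading it to the BMC: PEM vs DER, public key matches private-key.pem, chains to the CA, and validity left. The ADCS submission itself is still the copy/paste into /certsrv described above; the throwaway CA at the end only stands in for ADCS so the checks can be tried offline.

```shell
#!/usr/bin/env bash
# Added example, not the original poster's code. Assumes OpenSSL 1.1.1+ on PATH
# (git bash or Linux), a work directory and FQDN passed as arguments, and
# placeholder C/ST/O fields. The ADCS submission is still the certsrv
# copy/paste from the post; nothing here talks to the CA or the BMC.
set -eu

# 1. Unencrypted RSA key (the BMC upload form cannot take a passphrase) plus a
#    CSR carrying a subjectAltName: browsers match the hostname against the SAN,
#    not the CN, so a CN-only CSR keeps the warning even once the CA is trusted.
make_key_and_csr() {            # make_key_and_csr <dir> <fqdn> [bits]
  local dir=$1 fqdn=$2 bits=${3:-2048}
  mkdir -p "$dir"
  cat > "$dir/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C  = US
ST = Washington
O  = Domainname.Com
CN = $fqdn
[ext]
subjectAltName = DNS:$fqdn
EOF
  openssl genrsa -out "$dir/private-key.pem" "$bits" 2>/dev/null
  openssl req -new -key "$dir/private-key.pem" -config "$dir/csr.cnf" -out "$dir/server.csr"
}

csr_has_san() {                 # csr_has_san <csr> <fqdn>   (exit 0 = present)
  openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# 2. Checks for the file certsrv hands back, before it goes into the BMC.
ensure_pem() {                  # ensure_pem <in.cer> <out.pem>: DER -> PEM if needed
  if grep -q -e '-----BEGIN' "$1"; then cp "$1" "$2"
  else openssl x509 -inform DER -in "$1" -out "$2"; fi
}

split_chain() {                 # split_chain <certnew.p7b> <chain.pem>
  local inform=DER              # the "download certificate chain" file is PKCS#7
  grep -q -e '-----BEGIN' "$1" && inform=PEM
  openssl pkcs7 -inform "$inform" -print_certs -in "$1" -out "$2"
}

cert_matches_key() {            # cert_matches_key <cert.pem> <key.pem>
  [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$2" -pubout | openssl sha256)" ]
}

cert_chains_to() {              # cert_chains_to <cert.pem> <ca.pem>
  openssl verify -CAfile "$2" "$1" >/dev/null
}

cert_valid_for_days() {         # cert_valid_for_days <cert.pem> <days>  (no GNU date needed)
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# 3. Throwaway root that stands in for ADCS, so the checks can be tried offline.
demo_sign_with_local_ca() {     # demo_sign_with_local_ca <dir> [days]
  local dir=$1 days=${2:-365}
  cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Homelab Test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
    -config "$dir/ca.cnf" -days "$days" -out "$dir/ca.crt" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days "$days" -extfile "$dir/csr.cnf" -extensions ext \
    -out "$dir/server.cer" 2>/dev/null
}

# Stand-alone: ./bmc-cert.sh <workdir> <fqdn> [<downloaded.cer> <ca.cer>]
if [ $# -ge 2 ]; then
  make_key_and_csr "$1" "$2"
  csr_has_san "$1/server.csr" "$2" && echo "paste $1/server.csr into certsrv"
  if [ $# -ge 4 ]; then
    ensure_pem "$3" "$1/$2.pem"
    cert_matches_key "$1/$2.pem" "$1/private-key.pem" && echo "cert matches private-key.pem"
    cert_chains_to "$1/$2.pem" "$4" && cert_valid_for_days "$1/$2.pem" 30 &&
      echo "ok: upload $1/$2.pem and $1/private-key.pem to the IPMI SSL page"
  fi
fi
```

Run it once with just the work directory and FQDN to get private-key.pem and server.csr, paste the CSR into certsrv as above, then run it again with the downloaded base64 .cer and the root CA's .cer as the third and fourth arguments; it converts DER to PEM if the BMC turns out to want that, and only prints the "ok: upload" line when the certificate really belongs to the key you are about to upload and verifies against the CA. The chain download from certsrv is a PKCS#7 file, which split_chain unpacks into the plain certificates for the Firefox import.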

rippiedoos

New Member
Mar 7, 2018
26
8
3
> this is cool, but I wish there was a guide to doing this with Letsencrypt.
Doesn’t work or is a big PITA as you would have to do this every 90 days. Letsencrypt is only valid for a very short time and they want to shorten it even further so you would need to do this even more often.

Unless someone could completely script this with ssh-commands or some API but that completely depends on the BMC-version if it is even available.

WANg

Well-Known Member
Jun 10, 2018
1,302
967
113
46
New York, NY
> this is cool, but I wish there was a guide to doing this with Letsencrypt.
> Doesn’t work or is a big PITA as you would have to do this every 90 days. Letsencrypt is only valid for a very short time and they want to shorten it even further so you would need to do this even more often.
>
> Unless someone could completely script this with ssh-commands or some API but that completely depends on the BMC-version if it is even available.
Letsencrypt requires you to have access to a public DNS record (it requires DNS validation). In other words, in order for you to say that your BMC is bound to foo.bar.net, you must control bar.net, create an A record for foo.bar.net, have it be reachable on a publicly addressable IP address, create a port redirect to a server running, say, certbot that creates the Letsencrypt request (because certbot will need to bring up a temp web server there that the EFF must see in order to verify that the DNS is valid/goes somewhere sane and controlled by you), issue you the cert, send the done certs to the BMC, and then reboot the BMC so the built-in web server accepts and presents the cert. But that's a cert valid for only 90 days. For some of that equipment that will never, ever see the other side of the firewall (privately addressable on the corporate side of the DNS view), that's overkill. I mean, the instructions are not that hard. I am guessing you can read between the lines on the DD-WRT LetsEncrypt guide and make the proper parameter changes to suit the needs of the BMC web server.

If you have to go through a DNS-01 challenge just for a 90 day cert, you might as well park the certbot server on the 80, request a wildcard/multi-SAN (Subject Alternative Name) cert and then copy the certs to whatever equipment you use (bar.net; ipmi1.bar.net; ipmi2.bar.net, www.bar.net, sql.bar.net, etc). If you got certbot to auto-renew and also scp update/reboot the BMC every 89 days, well, it'll make things easier.
 

AveryFreeman
> Doesn’t work or is a big PITA as you would have to do this every 90 days. Letsencrypt is only valid for a very short time and they want to shorten it even further so you would need to do this even more often.
I agree, it WOULD be a PITA if you were limited to 90 days, but you can specify lengths of any number of years you wish by adjusting the RSA length (1024, 2048, 4096, etc.) when making the template

The beauty of ADCS is using GPO to automatically issue certificates to Windows machines. I was just trying to illuminate that if you have the infrastructure to issue certificates already using Windows Server, here's how it could be used for non-Windows machines.

I'm by no means saying it's any better than let's-encrypt, which I haven't used, but heard is fabulous.

AveryFreeman
> Letsencrypt requires you to have access to a public DNS record (it requires DNS validation). In other words, in order for you to say that your BMC is bound to foo.bar.net, you must control bar.net, create an A record for foo.bar.net, have it be reachable on a publicly addressable IP address, create a port redirect to a server running, say, certbot that creates the Letsencrypt request (because certbot will need to bring up a temp web server there that the EFF must see in order to verify that the DNS is valid/goes somewhere sane and controlled by you), issue you the cert, send the done certs to the BMC, and then reboot the BMC so the built-in web server accepts and presents the cert. But that's a cert valid for only 90 days. For some of that equipment that will never, ever see the other side of the firewall (privately addressable on the corporate side of the DNS view), that's overkill. I mean, the instructions are not that hard. I am guessing you can read between the lines on the DD-WRT LetsEncrypt guide and make the proper parameter changes to suit the needs of the BMC web server.
>
> If you have to go through a DNS-01 challenge just for a 90 day cert, you might as well park the certbot server on the 80, request a wildcard/multi-SAN (Subject Alternative Name) cert and then copy the certs to whatever equipment you use (bar.net; ipmi1.bar.net; ipmi2.bar.net, www.bar.net, sql.bar.net, etc). If you got certbot to auto-renew and also scp update/reboot the BMC every 89 days, well, it'll make things easier.
Damn, I wish I knew what you were saying, but it does make me glad that I re-created my entire domain to be the same name as my public-facing DNS.

I am so new to certificates. So much to learn.

Do you know of any way lets-encrypt and ADCS can be integrated? Having automated certs for my web servers derived from a cert made by my internal CA would be very convenient.

WANg
Well, okay - think of it this way - AD is Microsoft, and unless you run a 24/7 Microsoft based infrastructure (AD/DNS/DHCP+Certificate issuing services), you will normally not run ADCS just for that (I certainly don't at home - if I build AD based servers it'll just be a test domain and vanish right after whatever I am testing). You could in theory automate the entire LetsEncrypt process via Certbot on a Linux VM, and once you roll out Multi-SAN certs, just scp the results over to the Windows side, then write some Powershell scripts to cycle it periodically.

AveryFreeman
It's been a while since I've thought about this, but it just occurred to me that to use LetsEncrypt, you have to expose your web UI to the internet so they can verify its validity.

I don't know of too many people who want to put their config UIs for things like servers, gateway/firewall, etc. on the internet...