Dell OpenManager Server Assistant is hardware health monitoring and configuration software that can be installed onto PowerEdge servers. It is very useful as it lets you see details of the hardware, along with any faults, plus can be used to configure various aspects of the hardware, e.g. the RAID controller. It also has an agent that can be queried by Dell OpenManage Essentials to provide centralised hardware alerts.
It runs via an HTTPS web server on port 1311, but by default (as with most things like this) uses a self-signed certificate. This leads to annoying certificate errors being generated by web browsers when you visit the site, e.g. Internet Explorer’s There is a problem with this website’s security certificate. where you have to click the Continue to this website (not recommended). link.
It’s quite easy to replace the certificate with one from your own in-house Certificate Authority. I’m using Active Directory Certificate Services. I have a root CA and an intermediate CA. The thing that caught me out was the way OMSA refers to the server certificate as the “root” certificate…
Procedure is as follows:
- Sign in to the OMSA site running on your server. Click Preferences, General Settings, X.509 Certificate.
- Pick Certificate Maintenance and click Next, then change the Select appropriate action drop down to Certificate Signing Request(CSR) and click Next.
- Copy all the text in the box to the clipboard. (Text starts with —–BEGIN NEW CERTIFICATE REQUEST—–)
- Go to your corporate CA, probably something like https://ca.rcmtech.co.uk/certsrv/ and click Request a certificate, then click advanced certificate request.
- Click the link Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
- Paste the CSR text you put on the clipboard in step 3 into the Saved Request textbox.
- Pick an appropriate certificate template – the Enhanced Key Usage should include Server Authentication (1.3.6.1.5.5.7.3.1).
- I like to add a Subject Alternative Name entry in the Additional Attributes box, this allows the certificate to be valid on just the server name, the fully qualified server name and the server IP address. The format is as follows:
san:dns=myserver&dns=myserver.rcmtech.co.uk&dns=192.168.1.123 - Click Next. You’ll get a pop up asking if you want the site to perform a certificate operation, click Yes.
- Now you’ll be on the Certificate Issued page. OMSA needs the certificates to be in Base 64 encoded format, so click that radio button. You also need both the certificate for the server itself plus the chain of certificates including your CA root and intermediate CA.
- Click the Download certificate link and save the .cer file.
- Now also click the Download certificate chain link, and save the .p7b file.
- Go back to OMSA, you might need to sign in again as the default timeout is quite short. Click the X.509 Certificate heading under Web Server to return to the X.509 Certificate Management page.
- Now click the Import a root certificate radio button and click Next. Browse to the .cer file (I know this does not contain your CA root certificate… do it anyway!). Click Update and Proceed.
- Now you’re presented with another Browse button, this time pick the .p7b file, click Import.
- You should be told Successfully imported. <certfile>.p7b. Click the Activate the new certificate. button.
- The you’ll be told Click the restart button to activate the new certificate. If the new certificate is not active after restart, click the help button for steps to restore the previous certificate. So click the Restart to Activate New Certificate button. OMSA web server will restart. Click OK to the pop-up, then close the browser tab or click the Quit browser button.
- Give it a few seconds then re-visit the OMSA site, and you should find there are now no certificate errors present.
