Brocade Fibre Channel Networking Community


CA certificate before importing switch certificate?

  • 1.  CA certificate before importing switch certificate?

    Posted 10-08-2019 12:13 PM

    Hello Community,

    I have been working with some FOS v7.4* and, to provide access through SSL, I had to install certificates on those Brocades. Now I am trying to perform the same process with FOS 8.2.0a1, but I am facing an error message: Please import CA certificate before importing switch certificate.

    Does anybody know if this CA certificate is mandatory or if I can bypass this requirement?

    Also, if this CA certificate is mandatory, where can I find instructions on how to create one?

    Regards,

    Carlos Magno



  • 2.  RE: CA certificate before importing switch certificate?
    Best Answer

    Posted 10-15-2019 10:42 AM
    Never mind, I found the CA certificate procedure; it seems that it is a pre-req now with FOS 8.


  • 3.  RE: CA certificate before importing switch certificate?

    Posted 02-19-2020 08:52 AM
    Hi Carlos,
    Could you provide me with the CA certificate procedure that you used? I have run into the same problem!
    Thank you
    Regards, Andreas


  • 4.  RE: CA certificate before importing switch certificate?

    Posted 03-10-2020 08:59 AM
    With the collaboration of Jacques Hendrik Roux... thank you very much.

    Changes:
    - need to import merged CA certificate before installing the switch certificate
    - CRT format provided by IBM Internal Certificate Authority is not accepted anymore

    Background information on changes since v8.1.0

    The new procedure is documented in the FOS Admin Guide, starting from v8.2.0 (it was not part of the initial v8.1.0 Admin Guides)
    https://docs.broadcom.com/docs/53-1005237-05
    (See attached file: fos-820a-adminguide.pdf)

    Important chapters:
    - Creating a complete chain of CA certificates, p. 207
    - Installing a switch certificate, p. 216

    Brocade Community: HTTPS Webtool GUI Problem after upgraded to v8.1.*.
    https://community.brocade.com/t5/Fibre-Channel-SAN-Forums/HTTPS-Webtool-GUI-Problem-after-upgraded-to-v8-1/m-p/94998#M27116

    Merge the caintermediate and caroot to ca-merge.pem (add carootcert.pem at the end of caintermediatecert.pem and save it as ca-merge.pem)
    Source: Download IBM Root and Intermediate certificates


    Requirements:
    - SCP server of IBM Network Advisor


    1) convert downloaded cert.crt to PEM format with OpenSSL:

    Instructions: https://w3-connections.ibm.com/wikis/home?lang=en-us#!/wiki/IBM%20Internal%20Certificate%20Authority/page/How%20to%20convert%20certificates%20using%20OpenSSL
    PS C:\openssl-1.0.2q-x64_86-win64> .\openssl.exe x509 -inform der -in .\certname.crt -out certname.pem

    2) install the ca-merge.pem on the switch:

    tsfcs01:FID128:bsiebert> seccertmgmt import -ca -server https -protocol scp -ipaddr xx.xx.xx.xx -remotedir /certs -certname ca-merge.pem -login admin

    admin@xx.xx.xx.xx password:
    Success: imported https certificate [ca-merge.pem].

    3) install switch PEM certificate on switch:

    server:FID128:> seccertmgmt import -cert https -protocol scp -ipaddr xx.xx.xx.xx -remotedir /certs -certname certname.pem -login admin

    admin@xx.xx.xx.xx password:
    Success: imported https certificate [certname.pem].
    Certificate file in configuration has been updated.
    Secure http has been enabled.


    4) check installed certificates:

    server:FID128:> seccertutil show

    ssl private key: Exists
    List of certificate files:
    cacert.pem
    servercert.pem   <--  both certificates have been renamed during import
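
The following is an added example, not part of the original posts and not Brocade's tooling: a pre-import check for the procedure above. It converts a DER .crt to PEM, builds ca-merge.pem with the intermediate first and the root last, and confirms with `openssl verify` that the switch certificate chains through that bundle. The function names are hypothetical, the demo PKI is constructed test data, and `openssl` is assumed to be on the PATH.

```shell
#!/usr/bin/env bash
# Added example: pre-import checks for the FOS 8.x certificate procedure.
# File names follow the post; the demo PKI is constructed throwaway data.

# Step 1: write a PEM copy of a certificate that may be DER-encoded.
to_pem() {  # to_pem <in> <out.pem>
  if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
    cp "$1" "$2"
  else
    openssl x509 -inform der -in "$1" -out "$2"
  fi
}

# Intermediate first, root appended at the end, as the post describes.
merge_chain() {  # merge_chain <intermediate.pem> <root.pem> <ca-merge.pem>
  cat "$1" "$2" > "$3"
}

# Returns 0 only when OpenSSL can build a full chain for the switch
# certificate using the CA certificates in the merged bundle.
check_chain() {  # check_chain <ca-merge.pem> <switch-cert.pem>
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed demo PKI: root -> intermediate -> switch cert (DER .crt).
make_demo_pki() {  # make_demo_pki <dir>
  local d=$1
  printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/demo.cnf"
  openssl req -config "$d/demo.cnf" -x509 -extensions v3_ca -newkey rsa:2048 \
    -nodes -days 2 -subj '/CN=Demo Root CA' \
    -keyout "$d/root.key" -out "$d/carootcert.pem" 2>/dev/null || return 1
  openssl req -config "$d/demo.cnf" -new -newkey rsa:2048 -nodes \
    -subj '/CN=Demo Intermediate CA' \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/int.csr" -days 2 -CA "$d/carootcert.pem" \
    -CAkey "$d/root.key" -CAcreateserial -extfile "$d/demo.cnf" \
    -extensions v3_ca -out "$d/caintermediatecert.pem" 2>/dev/null || return 1
  openssl req -config "$d/demo.cnf" -new -newkey rsa:2048 -nodes \
    -subj '/CN=switch.example.test' \
    -keyout "$d/sw.key" -out "$d/sw.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/sw.csr" -days 2 -CA "$d/caintermediatecert.pem" \
    -CAkey "$d/int.key" -CAcreateserial -outform der \
    -out "$d/certname.crt" 2>/dev/null || return 1
}
```

Running `check_chain ca-merge.pem certname.pem` before the two `seccertmgmt import` steps shows whether the bundle is complete; a non-zero exit means the intermediate or root is missing from ca-merge.pem or the switch certificate was issued by a different CA.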