Fortanix IPMI SSL Certificate Renewal For FX2200 Series II and FX3400

1.0 Introduction

This article describes the IPMI SSL certificate renewal process on the Fortanix FX2200 Series 2 and FX3400 appliances.

1.1 Intended Audience

This article is intended to be used by technical stakeholders of Fortanix FX2200 Series 2 and FX3400 who will be responsible for planning, performing, or maintaining the setup or deployment, such as the Systems Administrator, Chief Information Officer (CIO), Analysts, or Developers.

2.0 Terminology References

• IPMI – Intelligent Platform Management Interface

• SSL – Secure Sockets Layer

• CSR – Certificate Signing Request

• PEM – Privacy Enhanced Mail

• CA - Certificate Authority

3.0 Prerequisites

Ensure that the IPMI for the FX2200 Series 2 and FX3400 appliances is configured to allow renewal of the IPMI SSL certificate.

For more information on the setup, refer to the following guides:

• Fortanix IPMI Setup for FX2200 Series II.

• Fortanix IPMI Setup for FX3400

4.0 IPMI SSL Certificate Renewal

Renewing the Fortanix IPMI SSL certificate for the FX2200 Series 2 and FX3400 appliances is essential for maintaining secure, uninterrupted, and compliant appliance operations.

Perform the following steps:

1. Run the following command to generate a CSR using the RSA private key:

   openssl req -new -newkey rsa:2048 -nodes -keyout private-key.pem -out cert.csr

   This command will prompt you to provide details for the CN field, which typically corresponds to the fully qualified domain name (FQDN) for the SSL certificate. After entering the required information, the CSR will be generated without a password.

2. After you have generated the CSR, submit it to a CA to obtain the signed SSL certificate.

   NOTE

   • The certificate and RSA private key must be in PEM format.

   • Before uploading through the IPMI user interface (UI), ensure the certificate chain is arranged in the following order: Uploading only the server certificate will result in loss of access to the IPMI UI.

     • <leaf>

     • <Intermediate CA certificate>

     • <Root CA Certificate>

   • Before uploading a certificate, ensure it is free from formatting issues, such as incorrect line endings (for example, DOS/Unix format mismatches) or invalid characters. Improper formatting can make the IPMI web UI inaccessible.

     Use the following command to check for invalid characters:

     cat -v <filename>

     If you encounter any issues, use dos2unix or similar tools to correct the formatting and clean the file. Always validate the certificate before uploading to prevent potential disruptions.

   • Before uploading the certificate and private key, ensure that a newline character is present immediately after the -----END CERTIFICATE----- line. This is a mandatory requirement for a successful upload. Validate this on the Ubuntu virtual machine (VM) or the Fortanix DSM node where the certificate and private key are generated.

3. Log in and navigate to the IPMI UI.

   

4. Select Settings → SSL Settings → Upload SSL certificate.

   

5. Upload the signed certificate and RSA private key.