Fortanix IPMI SSL Certificate Renewal For FX2200 Series II

1.0 Introduction

This article describes the IPMI SSL certificate renewal process on the Fortanix FX2200 Series 2 appliance.

1.1 Intended Audience

This article is intended to be used by technical stakeholders of Fortanix FX2200 Series 2 who will be responsible for planning, performing, or maintaining the setup or deployment, such as the Systems Administrator, Chief Information Officer (CIO), Analysts, or Developers.

2.0 Terminology References

• IPMI – Intelligent Platform Management Interface

• SSL – Secure Sockets Layer

• CSR – Certificate Signing Request

• PEM – Privacy Enhanced Mail

• CA - Certificate Authority

3.0 Prerequisites

Ensure the IPMI for the FX2200 Series 2 appliance is set up to renew the IPMI SSL certificate for the FX2200 Series 2 appliance.

For more details on the setup, refer to Fortanix IPMI Setup for FX2200 Series II.

4.0 IPMI SSL Certificate Renewal

Renewing the Fortanix IPMI SSL certificate for the FX2200 Series 2 is essential for maintaining a secure, uninterrupted, and compliant appliance.

Perform the following steps:

1. Run the following command to generate a CSR using the RSA private key:

   openssl req -new -newkey rsa:2048 -nodes -keyout private-key.pem -out cert.csr

   This command will prompt you to provide details for the CN field, which typically corresponds to the fully qualified domain name (FQDN) for the SSL certificate. After entering the required information, the CSR will be generated without a password.

2. After you have generated the CSR, submit it to a CA to obtain the signed SSL certificate.

   NOTE

   • The certificate and RSA private key must be in PEM format.

   • Before uploading through the IPMI user interface (UI), ensure the certificate chain is arranged in the following order: Uploading only the server certificate will result in loss of access to the IPMI UI.

     • <leaf>

     • <Intermediate CA certificate>

     • <Root CA Certificate>

   • Before uploading a certificate, ensure it is free from formatting issues, such as incorrect line endings (for example, DOS/Unix format mismatches) or invalid characters. Improper formatting can make the IPMI web UI inaccessible.

     Use the following command to check for invalid characters:

     cat -v <filename>

     If you encounter any issues, use dos2unix or similar tools to correct the formatting and clean the file. Always validate the certificate before uploading to prevent potential disruptions.

3. Log in and navigate to the IPMI UI.

4. Select Settings → SSL Settings → Upload SSL certificate.

5. Upload the signed certificate and RSA private key.

6. Click Save.