How to Replace the Self-Signed Certificate in OnCommand Unified Manager 6.X

Browser Certificate errors always bug me, so, let’s have some fun with SSL certificates...

Log into the OnCommand Unified Manager WebUI.

Image: Logging into OnCommand Unified Manager

Go to: Administration -> Setup Options

Image: OCUM -> Administration -> Setup Options

Select: Management Server -> HTTPS

Click on ‘View HTTPS Certificate’ to verify the current configuration of Alternative Names is correct (will need to Regenerate if not).

Click on ‘Download HTTPS Certificate Signing Request’

Image: Downloading the CSR

Image: HTTPS Certificate details

Copy the downloaded CSR (called MSOCM1.CSR in this lab) to a Certification Authority (CA) server (here we have access to a Windows Server 2008 R2 Domain Controller with ‘Active Directory Certificate Services’ and the ‘Certification Authority’ role installed - there is also Web Enrollment).

Note: A standard CA needs a slight modification to enable Subject Alternative Name (SAN) certs, as detailed previously in this blog post. From the DOS Command Prompt>

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

net stop "Active Directory Certificate Services"

net start "Active Directory Certificate Services"

Run the following command from the DOS Command Prompt to generate a CER (Certificate file) from the CSR>

certreq -attrib "CertificateTemplate:WebServer" MSOCM1.csr MSOCM1.cer

Image: Generating the CER

Image: MSOCM1.CER generated!

Now, this is where it gets a bit fiddly!

- Double-click MSOCM1.CER file

- Go to the ‘Certification Path’ tab

- Click on the root certificate (lab-MSDMC1-CA here)

- Click on ‘View Certificate’

Image: Viewing the root certificate

Then - viewing the root certificate:

- Click on the Details tab

- Select “Copy to File...”

Image: Details of root certificate

Click Next > to the ‘Welcome to the Certificate Export Wizard’

Select ‘Base-64 encoded X.509 (.CER)’ for Export File Format and click Next >

Image: Export to Base-64

And save the file as say ROOT_BASE64.CER

Then in a text editor like Notepad++, open up the MSOCM1.CER file, open up the ROOT_BASE64.CER file, and copy the content from the ROOT_BASE64.CER file and paste it at the bottom of the MSOCM1.CER file, and then save that file as MSOCM1.PEM. The PEM file will look something like the below:

-----BEGIN CERTIFICATE-----

MIIFIjCCBAqgAwIBAgIKYWMvegAAAAAABTANBgkqhkiG9w0BAQUFADBDMRQwEgYK

CZImiZPyLGQBGRYEcHJpdjETMBEGCgmSJomT8ixkARkWA2xhYjEWMBQGA1UEAxMN

bGFiLU1TRE1DMS1DQTAeFw0xNjA0MTEyMDMyMzJaFw0xODA0MTEyMDMyMzJaMBox

GDAWBgNVBAMTD01TT0NNMS5sYWIucHJpdjCCASIwDQYJKoZIhvcNAQEBBQADggEP

ADCCAQoCggEBAIVmYTph8enAspgSK7p8a/uU6EOISWi+lmtZNzE2ATm2BRnDo5Pz

OLMVUyS2jdWEnFNtRb8VO1qr4t7a7x8Hl6lQC+pjsWAa4isOd21UYQ8KFbLdJoah

16EOfbVe7M55nJJ0Cpwoa+ffN3hwO0Hf+tm0u9Rqjos8mFRK6PCF5GyPTxdvcsTz

uLHmQsJIF/Y6un99ufloa86ZaZxEyzqsGUFcte3ixKg7Tlng3XC4NQ/7wqOzLCjC

94xRlGCiTftBYJDXR5kEdbO9v1HQNCxcQt5I12Mb/Qc9FJUyN5GJ54bDIZUHS4n4

FHUnfDZROsnWpICDfgAztH4g/jAD53V7giMCAwEAAaOCAj8wggI7MCgGA1UdEQQh

MB+CD01TT0NNMS5sYWIucHJpdoIGTVNPQ00xhwQKAAEeMB0GA1UdDgQWBBSwvNSi

h3JbqTJ5OZFLDRKWTSzitjAfBgNVHSMEGDAWgBSSrGHOJYb0iQYDf7YglXEnbV7I

mjCBxwYDVR0fBIG/MIG8MIG5oIG2oIGzhoGwbGRhcDovLy9DTj1sYWItTVNETUMx

LUNBLENOPU1TRE1DMSxDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMs

Q049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1sYWIsREM9cHJpdj9jZXJ0

aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJp

YnV0aW9uUG9pbnQwgbwGCCsGAQUFBwEBBIGvMIGsMIGpBggrBgEFBQcwAoaBnGxk

YXA6Ly8vQ049bGFiLU1TRE1DMS1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIw

U2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1sYWIsREM9

cHJpdj9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlv

bkF1dGhvcml0eTAhBgkrBgEEAYI3FAIEFB4SAFcAZQBiAFMAZQByAHYAZQByMA4G

A1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQUF

AAOCAQEAhIowY49VA7OOi2NmBZSlUrWEVPZcoe3A069Pb36up/fLXVigPMNsbFSI

MEDPPp2p39jsowUdgTb1/7OHpInfGSsMVv4lvl6+0z8zrj3zk4+D5HYqFmMDhNld

SZqhVJRCRl8KLvNBregtrYp772S+S8pUJZ4rr+94+R2DSfikXYElvqVznI6FQfZi

4THWbIsRHYlevjFGdg2N1h187b4hAhDo1xYrz9u6o6wPVaL6yYOlKq5Wi04RoDyG

s9P0dDQ7wJDAeXBEX4kJJUMno5D2UOaDkMwUH5c8l/butWpEqCaBwt2WTl3T43TN

TmgMit95c0alY7SohpQMf0H6j09sxg==

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

MIIDYTCCAkmgAwIBAgIQHM707tCBcb5NgxrSftUtYTANBgkqhkiG9w0BAQUFADBD

MRQwEgYKCZImiZPyLGQBGRYEcHJpdjETMBEGCgmSJomT8ixkARkWA2xhYjEWMBQG

A1UEAxMNbGFiLU1TRE1DMS1DQTAeFw0xNjA0MTExODM4NTRaFw0yMTA0MTExODQ4

NTRaMEMxFDASBgoJkiaJk/IsZAEZFgRwcml2MRMwEQYKCZImiZPyLGQBGRYDbGFi

MRYwFAYDVQQDEw1sYWItTVNETUMxLUNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A

MIIBCgKCAQEArayqSnX6i/1eZhCExDgo3X10iAISKm7IOt4r3QzYo63eXu5we9fH

1bih3huqjU9E4A3l1s9bnlLr8FjMGXGkUubnlqOb0nELWyLGRVA8bq0pdKhGIDbZ

tbGHKypIcKZzP3brxMLXLc9MiLf000KNaH9PExKbRNU6Tfxs173CnXRoDYwa7Kc7

1ExpfUl4k6gWFpPSXqoXcyPhUBzEDy/IS7Ql0N5N/RPVLAr7MrNSxeZJ+nKjv9Cv

7eNngilQA9PoJHTDyTIUoJodkLouPVRaCOCy0O9tzGgsI9LhpXLp//M7mzvEKpwt

gEBOQj6aBCwBxJwM4iCLfuKoHeoi9Y2t1wIDAQABo1EwTzALBgNVHQ8EBAMCAYYw

DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUkqxhziWG9IkGA3+2IJVxJ21eyJow

EAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEFBQADggEBAEyFZZrKXnO/8Bj2

3bs7Iwll+4uE2TQDMYaO5VaQDQcSFiRQH6mr/7fNuTUEgGOz4anR2tnIcqpjmINJ

qlDSxQGssKfgxldIzQ3arXELSUM2BVhpC0fCbMxWPt3RSRaBucbG/RkC1i7XBJTW

dXzZs1TlqcolXiZJAgCKAn1wXAFtM6ViEnRYkYBRGOOSZ9cPa+Bb7XCx5LBPbXS/

nQqKVRyWqT7txkJCK/i/uhvYYKdt4bvRzxUVnZaXxFf1XIyVSrQO4FWMODsl5eOw

1sGFPPZ6H09icf5oV3xzEaXDKfHJtzaMxRf2ZAAK1+Jq9ClQBBWlJZUJhlhiZZTS

XN4HyA8=

-----END CERTIFICATE-----

Return to the OnCommand Unified Manager WebUI -> Administration -> Setup Options -> Management Server -> HTTPS and click the ‘Install HTTPS Certificate’ button, and install the MSOCM1.PEM file just created.

Image: Installing HTTPS Certificate to OCUM

Finally, reboot the OCUM server (or restart the service), and test the certificate works!

Image: SSL Certificate works!

THE END