Server Management - Systems Insight Manager

Importing CA signed certificates - HP SIM SSL

ConfusedDave
Occasional Visitor

We would like to import an existing private key/certificate pair into SIM, signed by an external CA. However, there does not seem to be any way to do this in the interface.

All the documentation expects you to have generated the private key on the server itself, and then be trying to import a matching certificate. In our case, because we have a wildcard certificate, we need to import the private key as well.

Does anyone know how we might do this?

After digging around a bit, it looks as if the server certificate and private key are stored in config/certstor, in the hp.keystore file. As far as I can tell the keyfile.3 file contains an encoded/encrypted password, which allows the HP SIM software to use the keystore.

I can create a keystore of my own containing our certificate, private key and CA intermediate certs, but I have no idea what to set the password to so that the SIM software can use it.

Does anybody have any idea how I can get this certificate imported in one way or another?

Thanks,
Dave
2 REPLIES
Rich Purvis
Honored Contributor

Re: Importing CA signed certificates - HP SIM SSL

Dave,
Did you look at this document here:

http://h10018.www1.hp.com/wwsolutions/misc/hpsim-helpfiles/hpsim_5_Security.pdf

It has a section called "How To: lockdown versus ease of use" then in that section is a subsection labeled "strong". Is this not the information you are looking for?

-Rich
Why does my tivo keep recording Nickelodeon?
ConfusedDave
Occasional Visitor

Re: Importing CA signed certificates - HP SIM SSL

Thanks Rich,

Unfortunately, that procedure still relies on us generating a CSR from the SIM interface, then taking that CSR to a CA and getting a certificate issued, which can then be imported in. Generating the CSR creates a private key, which must match with the public key on the imported certificate.

Our certificate already exists and so has its own private key, which will not match the one generated when the CSR is requested. There is no option to import a private key in the interface, and it won't let us import a certificate which doesn't match the previously generated private key.

Anyway, we did manage to find a way of getting the certificate imported, by replacing the hp.keystore file with one we'd generated ourselves. We found that the password used to access the keystore was stored in the server.xml file of the SIM application install (Can't remember the exact location). We were therefore able to generate our own keystore file with that password, containing our wildcard certificate (labelled as "tomcat" so the application knew to use it as the server certificate), its associated private key, and the Root and intermediate certificates required for the certification path.

The local server seemed quite happy running with this wildcard certificate, and because it has a proper certification path, no browser warnings were generated.

Unfortunately the fact that it was a wildcard certificate caused problems when trying to use it as a Trusted Management Server Certificate on one of our other servers. It imported okay, but when you try to click through to the System Management Homepage for that server from the HP-SIM main interface, it doesn't like it. We think it's trying to contact the server specified in the certificate, which it can't do because it's a *.cranfield.ac.uk wildcard and not a specific server.

Dave
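
The keystore build described in the last post, sketched as an added example that is not part of the original thread or HP's own tooling. The alias "tomcat" and the idea of reusing the password found in server.xml come from the post; the file names and the `KS_PASS` environment variable are assumptions.

```shell
#!/bin/sh
# Added example: package an existing key, certificate and CA chain under the
# alias "tomcat". File names and KS_PASS are assumptions, not HP SIM paths.

# Succeeds only if the private key and the certificate carry the same public
# key (the mismatch the SIM interface rejects on import).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# build_keystore KEY CERT CHAIN OUT
# KS_PASS must be exported and hold the keystore password (the thread found it
# in server.xml); it is read from the environment so it stays out of argv.
build_keystore() {
    key=$1 cert=$2 chain=$3 out=$4
    [ -n "${KS_PASS:-}" ] || { echo "KS_PASS not set" >&2; return 1; }
    key_matches_cert "$key" "$cert" || { echo "key/cert mismatch" >&2; return 1; }

    # Bundle key, leaf and CA chain as PKCS#12 with friendly name "tomcat".
    openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
        -name tomcat -passout env:KS_PASS -out "$out.p12" || return 1

    # Convert to a Java keystore when keytool is installed.
    if command -v keytool >/dev/null 2>&1; then
        keytool -importkeystore -noprompt \
            -srckeystore "$out.p12" -srcstoretype PKCS12 -srcstorepass:env KS_PASS \
            -destkeystore "$out" -deststoretype JKS -deststorepass:env KS_PASS \
            -alias tomcat || return 1
    fi
}
```

Keep a copy of the original hp.keystore before swapping in the generated file, and restrict read access on the new keystore and the intermediate `.p12` to the account the service runs as.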