HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
Server Management - Systems Insight Manager
Showing results for 
Search instead for 
Did you mean: 

SMH self-signed certificate

Rob C.
Occasional Contributor

SMH self-signed certificate

Recent scans indicated certificate errors (hostname mismatch) for SMH. The built-in CSR mechanism (Settings-->SMH-->Security-->Local Server Certificate) is not very flexible and I had a hard time getting the FQDN in the request. Additionally, HP documentation indicates that if HP SIM is installed after HP SMH is installed, the HP SMH 2048-bit key pair is replaced with the HP SIM 1024-bit key pair, so a CSR on my machine would be using a 1024 bit key.

It is difficult to find documentation about the local server certificate online, but I have found that on Windows, the SMH certificate is located at c:\hp\sslshare\cert.pem and the private key is located at c:\hp\sslshare\file.pem.

I decided to try replacing these files to get the certificate I wanted. I installed OpenSSL on a workstation and ran the following command:

openssl req -new -newkey rsa:2048 -nodes -subj /CN=/O=/OU=/C=/ST=/L= -keyout mykey.pem -out myreq.pem

I renamed the resulting mykey.pem to file.pem and replaced the existing file on the server. I used myreq.pem to generate a certificate on our local CA. I renamed the resulting certificate file cert.pem and replaced the existing file on the server. After restarting the HP Systems Management Homepage service on the server, SMH starting using the new certificate.

I am pretty new to managing certificates, so I am wondering - does this all seem right. Though I haven't noticed any degredation, did I break something else by replacing these files? Am I as secure as I was with the auto-genterated, self-signed certificate?
Trusted Contributor

Re: SMH self-signed certificate

Though the given scenario seems to be unsupported by the software, but I think, you can verify the changes by trying to open all available webapps, in your setup.

And, also you are as secured as with the original configuration.

Rob C.
Occasional Contributor

Re: SMH self-signed certificate

This procedure may have broken the vcrepository. See: http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1453419