Server Management - Systems Insight Manager
cancel
Showing results for 
Search instead for 
Did you mean: 

SMH self-signed certificate

Rob C.
Occasional Contributor

SMH self-signed certificate

Recent scans indicated certificate errors (hostname mismatch) for SMH. The built-in CSR mechanism (Settings-->SMH-->Security-->Local Server Certificate) is not very flexible and I had a hard time getting the FQDN in the request. Additionally, HP documentation indicates that if HP SIM is installed after HP SMH is installed, the HP SMH 2048-bit key pair is replaced with the HP SIM 1024-bit key pair, so a CSR on my machine would be using a 1024 bit key.

It is difficult to find documentation about the local server certificate online, but I have found that on Windows, the SMH certificate is located at c:\hp\sslshare\cert.pem and the private key is located at c:\hp\sslshare\file.pem.

I decided to try replacing these files to get the certificate I wanted. I installed OpenSSL on a workstation and ran the following command:

openssl req -new -newkey rsa:2048 -nodes -subj /CN=/O=/OU=/C=/ST=/L= -keyout mykey.pem -out myreq.pem

I renamed the resulting mykey.pem to file.pem and replaced the existing file on the server. I used myreq.pem to generate a certificate on our local CA. I renamed the resulting certificate file cert.pem and replaced the existing file on the server. After restarting the HP Systems Management Homepage service on the server, SMH starting using the new certificate.

I am pretty new to managing certificates, so I am wondering - does this all seem right. Though I haven't noticed any degredation, did I break something else by replacing these files? Am I as secure as I was with the auto-genterated, self-signed certificate?
2 REPLIES
pkrai
Trusted Contributor

Re: SMH self-signed certificate

Though the given scenario seems to be unsupported by the software, but I think, you can verify the changes by trying to open all available webapps, in your setup.

And, also you are as secured as with the original configuration.

Thanks.
Rob C.
Occasional Contributor

Re: SMH self-signed certificate

This procedure may have broken the vcrepository. See: http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1453419