HOW TO: Regenerate expired UCS Manager certificate

The default (self-signed) UCSM keyring certificate must be manually regenerated if the cluster name changes or the certificate expires (it is valid for one year).

Affected object: sys/pki-ext/keyring-default
Description: default Keyring's certificate is invalid, reason: expired
Cause: invalid-keyring-certificate
Code: F0910

Here is what needs to be done:

  1. Make sure the Fabric Interconnects have correct time settings, preferably synchronised with an NTP server: UCSM – Admin – All – Timezone Management;
  2. SSH to the UCS Manager cluster IP address and log in as an administrator user;
  3. Issue the following commands:
    VFC01-A# scope security
    VFC01-A /security # scope keyring default
    VFC01-A /security/keyring # set regenerate yes
    VFC01-A /security/keyring* # commit-buffer
  4. N.B. After you issue the 'commit-buffer' command, all GUI sessions will be disconnected;
  5. After a couple of minutes, validate the new certificate:
    VFC01-A /security/keyring # scope security
    VFC01-A /security # show keyring detail
    Keyring default:
    RSA key modulus: Mod1024
    Trustpoint CA:
    Cert Status: Valid
  6. Open a web browser, connect to the UCSM cluster IP address and accept the certificate warning. BTW, it might be a good idea to look into getting a CA-signed certificate.

Mozilla Firefox users: Should you have any problems with the new certificate, go to Tools – Options – Advanced – Encryption – View Certificates and delete old/expired UCSM certificates.

EMC UIM/P users: The new certificate needs to be exported from UCSM and imported into UIM/P.
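
Because the default keyring certificate is only valid for one year and regenerating it disconnects all GUI sessions, it is worth checking the expiry date ahead of time and planning the regeneration. The Python script below is an added example, not part of the original procedure or of any Cisco tooling: it reads the notAfter date from the certificate the management interface presents, without validating it, since it is self-signed. The function names and the sample certificate skeleton are constructed for illustration.

```python
import socket, ssl
from datetime import datetime, timezone

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Walk Certificate -> TBSCertificate -> validity; return notAfter in UTC."""
    _, p, _ = tlv(der, 0)                    # Certificate SEQUENCE
    _, p, _ = tlv(der, p)                    # TBSCertificate SEQUENCE
    tag, _, end = tlv(der, p)
    if tag == 0xA0:                          # optional [0] version field
        p = end
    for _field in ("serialNumber", "signature", "issuer"):
        _, _, p = tlv(der, p)                # skip each field
    _, p, _ = tlv(der, p)                    # enter validity SEQUENCE
    _, _, p = tlv(der, p)                    # skip notBefore
    tag, s, e = tlv(der, p)                  # 0x17 UTCTime, else GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[s:e].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def fetch_der(host, port=443, timeout=5):
    """Fetch the server certificate unvalidated (the default keyring is self-signed)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # read-only probe; send no credentials over it
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def days_left(der, now=None):
    """Whole days until expiry; negative once the certificate has expired."""
    return (not_after(der) - (now or datetime.now(timezone.utc))).days

def der_tlv(tag, *parts):                    # short-form encoder, for the sample only
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body
# Constructed sample: certificate skeleton (no key or signature), one-year validity.
SAMPLE = der_tlv(0x30, der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")),
    der_tlv(0x02, b"\x01"), der_tlv(0x30), der_tlv(0x30),
    der_tlv(0x30, der_tlv(0x17, b"170105093443Z"), der_tlv(0x17, b"180105093443Z"))))

if __name__ == "__main__":
    print(days_left(SAMPLE, datetime(2017, 12, 20, tzinfo=timezone.utc)), "days left")
```

For a live check, call `days_left(fetch_der("ucsm.example.net"))` with your own cluster address (the hostname here is a placeholder) and alert when the result drops below whatever lead time you need.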
