The default (self-signed) UCSM keyring certificate must be manually regenerated if the cluster name changes or the certificate expires (it is valid for one year).
Affected object: sys/pki-ext/keyring-default
Description: default Keyring's certificate is invalid, reason: expired
Cause: invalid-keyring-certificate
Code: F0910
Here is what needs to be done:
- Make sure the Fabric Interconnects have correct time settings, preferably synchronised with an NTP server(s): UCSM – Admin – All – Timezone Management;
- SSH to the UCS Manager cluster IP address and log in as an administrator user;
- Issue the following commands:
```
VFC01-A# scope security
VFC01-A /security # scope keyring default
VFC01-A /security/keyring # set regenerate yes
VFC01-A /security/keyring* # commit-buffer
```
- N.B. After you issue the ‘commit-buffer’ command, all GUI sessions will be disconnected;
- After a couple of minutes, validate the new certificate:
```
VFC01-A /security/keyring # scope security
VFC01-A /security # show keyring detail
Keyring default:
    RSA key modulus: Mod1024
    Trustpoint CA:
    Cert Status: Valid
```
- Open a web browser, connect to the UCSM cluster IP address and accept the certificate warning. BTW, it might be a good idea to look into getting a CA-signed certificate…
Mozilla Firefox users: Should you have any problems with new certificate, go to Tools – Options – Advanced – Encryption – View Certificates and delete old/expired UCSM certificates.
EMC UIM/P users: New certificate needs to be exported from UCSM and imported into UIM/P.
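Because the regenerated keyring certificate lapses again after one year, it is worth checking its expiry before fault F0910 fires. The following Python check is an added example, not part of the original post or of Cisco's tooling: it reads the notAfter date of the certificate a UCSM or Central endpoint presents and classifies it as OK, WARNING or EXPIRED. It assumes the openssl CLI is installed; the host name and dates are constructed.

```python
import ssl
import subprocess
from datetime import datetime, timezone

# Constructed sample values (hypothetical, not taken from any real UCSM system).
SAMPLE_HOST = "ucsm-cluster.example.local"
SAMPLE_NOT_AFTER = "Jan  1 00:00:00 2025 GMT"   # OpenSSL text format for notAfter


def utc(year, month, day):
    """Timezone-aware UTC midnight, used for reproducible checks."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def fetch_not_after(host=SAMPLE_HOST, port=443):
    """Read the notAfter date of the certificate the endpoint presents.

    ssl.get_server_certificate() does not verify the chain, so it works for
    the default self-signed keyring certificate. Needs the openssl CLI.
    """
    pem = ssl.get_server_certificate((host, port))
    result = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                            input=pem, capture_output=True, text=True, check=True)
    # Output looks like "notAfter=Jan  1 00:00:00 2025 GMT"
    return result.stdout.strip().split("=", 1)[1]


def days_until_expiry(not_after, now=None):
    """Whole days from `now` (default: current UTC time) until notAfter."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expiry - now).days


def check_keyring_cert(not_after, warn_days=30, now=None):
    """OK, WARNING (schedule the regeneration) or EXPIRED (UCSM raises F0910)."""
    remaining = days_until_expiry(not_after, now)
    if remaining < 0:
        return "EXPIRED", remaining
    if remaining <= warn_days:
        return "WARNING", remaining
    return "OK", remaining


if __name__ == "__main__":
    # Point SAMPLE_HOST at your UCSM cluster address to check a live system.
    state, days = check_keyring_cert(fetch_not_after())
    print(f"Keyring certificate {state}: {days} days until expiry")
```

Run it from cron or a monitoring agent and alert on WARNING, so the regeneration (and the GUI disconnect it causes) can be planned rather than forced by the fault.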
Thanks for posting this. It was a big help when this fault appeared after our upgrade to v2.1(1a). Side note, our GUI sessions did not disconnect.
Thank you Chris.
Apologies for the delay in getting back to you.
Thank you for this post it saved my time.
Thank you, this was helpful!
Thanks.
Hello Mark.
Thanks for your article. Could you explain how to use a CA-signed certificate as mentioned in bullet point #6, please? We would like to use a CA-signed certificate to get rid of the browser warnings.
Best Regards
Joerg
I would be interested in how to use a CA-signed certificate as mentioned in bullet point #6 as well, or is there a method to set the expiration date for the keyring? As it is, it appears that in regenerating the key, it expires in a year.
Excellent. It solved my issue!!
Thanks very much, you saved a lot of time and headaches. God Bless you.
Ever have this not work for you? Ran through the commands and it seemed to take just fine, but ‘show keyring detail’ still shows ‘Cert Status: Expired’. I see the Validity dates have been updated (in show keyring detail output), so not sure why it’s still expired.
Never mind… It showed Cert Status: Expired until I actually fired up UCSM and logged in. Now ‘show keyring detail’ shows Valid. Thanks for the article!
Really helpful post. Thanks Mark!
How can I get rid of all the browser warnings when navigating to UCS Manager? And Central?
You need to replace the self-signed UCS Manager and Central certificates with certificates from a trusted Certification Authority.
Would I face any downtime doing this certificate regeneration? I am currently running firmware 2.2(2c).
There is no downtime but you may get disconnected from the UCS Manager application.
Thanks for this article!
No downtime occurs folks.
I entered the commands in this guide and was disconnected from UCS Manager. It still showed up as expired until I logged into the Manager again.
Error is now gone.
All worked: disconnected from the GUI, but logged in and the error is gone. No downtime, phew!
Steps were helpful to get the Fault in the UCS manager taken care of, Thanks.
One thing I noticed was that on doing a “show keyring detail” Cert Status shows Self Signed Certificate, but the validity is for another year. I imagine that is OK?
The commands worked, but when I do “show keyring detail”, it displays the cluster IP and IP(b), IP(a) is missing. What can I do to get that IP address to update and show in the keyring details?
Appreciate your effort to share this information. Is it possible to configure a notification option before the certificate expires? Or is it possible to monitor it from a monitoring tool? Will UCS have any alert notifying before the expiry?
Thanks and Regards,
Bijou,
You can do the following in PowerShell using the UCS PowerTool Library after you connect to the UCS:
Get-UcsKeyRing -Name 'default' | Set-UcsKeyRing -Regen 'yes' -Force
You will have to disconnect/reconnect to the UCS since the key has now changed. It will also disconnect anyone currently connected.
If you setup SNMP monitoring of the UCS, you will see “sys/pki-ext/keyring-default/fault-F0909” reported when the keyring has expired.
I hope this helps.
I did what you said and it worked, but it gave me self-signed under the CA status.
After that, I noticed another alarm “sys/svc-ext”.
Any help?
Thanks, saved a lot.
How do you regenerate the certificate for UCS B series with SHA2 support, as Microsoft is retiring support for SHA1 by the end of this year?
Worked perfectly for me…no issues encountered.
1) Is there any major impact on live environment if we ignore this?
2) What will be the after-effects when we run these commands in production? Will it reboot the FI?
3) What will be the expiration period of the default certificate?
It totally works! Thank you!
I’ve used it on UCS 3.1.2 and it works like a charm!
Excellent, worked fine for me.