Supermicro IPMI SSL TLS Certificate Replacement

I’ve been meaning to replace the SSL/TLS certificates on my Supermicro servers IPMI (Intelligent Provisioning Management Interface) consoles. Now that I’ve upgraded the firmware on both units I think it’s about time I sorted the certificates as well. This is something I did at work some time ago and then handed over to our team junior to complete. Anyone I work with will tell you that I really do hate seeing certificate alerts!


Let’s get right to it – once logged on we can click the ‘Configuration’ button and then select the ‘SSL Certification’ option.

Configuration SSL Certification Menu

The system requires we provide the new certificate and the private key, it would be nice if Supermicro provided a built-in certificate creation and signing request interface. It’s not the end of the world that they don’t but it would simplify things.

 

I will generate a private 2048 bit RSA key and redirect the output from OpenSSL to a file named ‘node1impi.key’, I strongly recommend you do not create a key size less than 2048 bits.

 

Now I have my private key it’s time to create my configuration file so I can then combine the two to generate my certificate signing request, also known as a CSR. For this example I’m just going to re-use an existing template I have, modifying the common name. I’ll save this text file as ‘node1ipmi.cfg’. Be sure to use SHA256 as a minimum for the hashing algorithm.

 

We now feed OpenSSL the configuration and private key files and instruct it to output a new CSR.

 

The next step is to submit the CSR to your certificate authority (CA) – of course the instructions here depend entirely on your own CA setup so I’ll move on to importing the files to the IPMI console.

Once you have the required files you will need to ensure the certificate ends with a .cert or .pem extension and the private key file has a .pem extension.

Upload Certificate and Private Key

Certificate Replacement Warning

Once confirmed the system will prompt for a reset of the IPMI interface.

Certificate Uploaded Reset Required

 

Allow the system time to complete the reset process. If all is well your broswer should no longer dispaly an insecure/warning message and we can celebrate the joyous green. I am happy to see that Chrome reports Supermicro support modern ciphers on their IPMI interfaces, or at least on my version with the latest firmware.

Secure Website Confirmation

A quick nmap scan seems to suggest the following cipher suites are supported, I haven’t been able to find any definitive documentation though so take this with a pinch of salt.

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1)
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024)
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024)
  • TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)
  • TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048)
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1)
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1)
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024)
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024)
  • TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
  • TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)

 


 

There are other ways of generating the required certificates and deploying to Supermicro systems but this works perfectly fine for me and my small lab setup. Hopefully it will prove useful to anyone in a similar situation.

Leave a Reply