I’ve been meaning to replace the SSL/TLS certificates on my Supermicro servers IPMI (Intelligent Provisioning Management Interface) consoles. Now that I’ve upgraded the firmware on both units I think it’s about time I sorted the certificates as well. This is something I did at work some time ago and then handed over to our team junior to complete. Anyone I work with will tell you that I really do hate seeing certificate alerts!
Let’s get right to it – once logged on we can click the ‘Configuration’ button and then select the ‘SSL Certification’ option.
The system requires we provide the new certificate and the private key, it would be nice if Supermicro provided a built-in certificate creation and signing request interface. It’s not the end of the world that they don’t but it would simplify things.
I will generate a private 2048 bit RSA key and redirect the output from OpenSSL to a file named ‘node1impi.key’, I strongly recommend you do not create a key size less than 2048 bits.
C:\OpenSSL\bin>openssl.exe genrsa 2048 > node1ipmi.key
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x010001)
Now I have my private key it’s time to create my configuration file so I can then combine the two to generate my certificate signing request, also known as a CSR. For this example I’m just going to re-use an existing template I have, modifying the common name. I’ll save this text file as ‘node1ipmi.cfg’. Be sure to use SHA256 as a minimum for the hashing algorithm.
[ CA_default ]
default_md = sha256
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
DNS.1 = NODE1IPMI
DNS.2 = NODE1IPMI.ad.bytesizedalex.com
[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = London
localityName = London
0.organizationName = ByteSizedAlex Corporation
organizationalUnitName = IT Services
commonName = NODE1IPMI.ad.bytesizedalex.com
emailAddress = IT.Helpdesk@bytesizedalex.com
We now feed OpenSSL the configuration and private key files and instruct it to output a new CSR.
C:\OpenSSL\bin>openssl.exe req -out node1ipmi.csr -key node1ipmi.key -new -config node1ipmi.cfg
The next step is to submit the CSR to your certificate authority (CA) – of course the instructions here depend entirely on your own CA setup so I’ll move on to importing the files to the IPMI console.
Once you have the required files you will need to ensure the certificate ends with a .cert or .pem extension and the private key file has a .pem extension.
Once confirmed the system will prompt for a reset of the IPMI interface.
Allow the system time to complete the reset process. If all is well your broswer should no longer dispaly an insecure/warning message and we can celebrate the joyous green. I am happy to see that Chrome reports Supermicro support modern ciphers on their IPMI interfaces, or at least on my version with the latest firmware.
A quick nmap scan seems to suggest the following cipher suites are supported, I haven’t been able to find any definitive documentation though so take this with a pinch of salt.
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1)
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1)
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024)
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024)
- TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)
- TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048)
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1)
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1)
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024)
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024)
- TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
- TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)
There are other ways of generating the required certificates and deploying to Supermicro systems but this works perfectly fine for me and my small lab setup. Hopefully it will prove useful to anyone in a similar situation.