Supermicro IPMI SSL TLS Certificate Replacement

I’ve been meaning to replace the SSL/TLS certificates on my Supermicro servers’ IPMI (Intelligent Platform Management Interface) consoles. Now that I’ve upgraded the firmware on both units, I think it’s about time I sorted the certificates as well. This is something I did at work some time ago and then handed over to our team junior to complete. Anyone I work with will tell you that I really do hate seeing certificate alerts!

Let’s get right to it – once logged on we can click the ‘Configuration’ button and then select the ‘SSL Certification’ option.

Configuration SSL Certification Menu

The system requires that we provide the new certificate and the private key. It would be nice if Supermicro provided a built-in certificate creation and signing request interface; it’s not the end of the world that they don’t, but it would simplify things.


I will generate a 2048-bit RSA private key and redirect the output from OpenSSL to a file named ‘node1ipmi.key’. I strongly recommend that you do not create a key smaller than 2048 bits.


Now that I have my private key, it’s time to create the configuration file so I can combine the two to generate my certificate signing request, also known as a CSR. For this example I’m just going to re-use an existing template I have, modifying the common name. I’ll save this text file as ‘node1ipmi.cfg’. Be sure to use SHA256 as a minimum for the hashing algorithm.


We now feed OpenSSL the configuration and private key files and instruct it to output a new CSR.
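As an added worked example (not the post’s own commands), the three OpenSSL steps above in one script, plus a sanity check on the resulting CSR before it goes to the CA; the hostname, DN fields and working directory are assumptions:

```shell
#!/bin/sh
# Added example (not from the original post): the three OpenSSL steps above in
# one script: 2048-bit RSA key, request config with sha256, then the CSR.
# Hostname, DN fields and working directory are assumptions for illustration.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="node1ipmi.lab.example"   # assumed BMC hostname (constructed)

# Step 1: private key. 2048 bits is the floor; never smaller.
gen_key() {
    openssl genrsa -out "$WORKDIR/node1ipmi.key" 2048 2>/dev/null
}

# Step 2: request config. sha256 digest; CN plus a subjectAltName, since
# current browsers match the SAN and ignore the CN.
write_cfg() {
    cat > "$WORKDIR/node1ipmi.cfg" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = dn
req_extensions     = ext

[ dn ]
C  = GB
O  = Lab
CN = $HOST

[ ext ]
subjectAltName = DNS:$HOST
EOF
}

# Step 3: combine key and config into the CSR.
gen_csr() {
    openssl req -new -key "$WORKDIR/node1ipmi.key" \
        -config "$WORKDIR/node1ipmi.cfg" -out "$WORKDIR/node1ipmi.csr"
}

# Check before submitting to the CA: self-signature verifies, digest is
# sha256 and the CN is the one we asked for. Returns 0 when all hold.
check_csr() {
    out=$(openssl req -in "$WORKDIR/node1ipmi.csr" -noout -verify -text 2>&1)
    echo "$out" | grep -q "sha256WithRSAEncryption" &&
        echo "$out" | grep -q "CN *= *$HOST" &&
        echo "$out" | grep -qi "verify OK"
}

gen_key && write_cfg && gen_csr && check_csr && echo "CSR ready in $WORKDIR"
```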


The next step is to submit the CSR to your certificate authority (CA) – of course the instructions here depend entirely on your own CA setup so I’ll move on to importing the files to the IPMI console.

Once you have the required files you will need to ensure the certificate ends with a .cert or .pem extension and the private key file has a .pem extension.

Upload Certificate and Private Key

Certificate Replacement Warning

Once confirmed the system will prompt for a reset of the IPMI interface.

Certificate Uploaded Reset Required


Allow the system time to complete the reset process. If all is well your browser should no longer display an insecure/warning message and we can celebrate the joyous green. I am happy to see that Chrome reports that Supermicro supports modern ciphers on its IPMI interfaces, or at least on my version with the latest firmware.

Secure Website Confirmation

A quick nmap scan seems to suggest that the following cipher suites are supported. I haven’t been able to find any definitive documentation though, so take this with a pinch of salt.

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1)
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024)
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024)
  • TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)
  • TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048)
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1)
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1)
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024)
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024)
  • TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
  • TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)
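As an added example (not from the original post), a small script that grades suites in the format nmap printed above, using the key-exchange parameter in parentheses: the DHE suites with a 1024-bit group and the static-RSA suites without forward secrecy are the ones it flags. The policy thresholds are assumptions for a lab baseline.

```shell
#!/bin/sh
# Added example, not from the original post: grade the cipher suites nmap
# listed (suite name, then the key-exchange parameter in parentheses).
# Policy thresholds are assumptions for a lab baseline.
set -e

# Constructed from the post's scan output, one line per class of result.
SCAN_OUTPUT='TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024)
TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)'

# assess_suite NAME KEX [BITS] -> prints space-separated findings, "" = ok
assess_suite() {
    findings=""
    case "$1" in
        TLS_RSA_WITH_*) findings="${findings}no-forward-secrecy " ;;
    esac
    # For DHE the ephemeral group, not the 2048-bit certificate key, sets
    # the key-exchange strength; 1024-bit groups are below today's floor.
    if [ "$2" = "dh" ] && [ "${3:-0}" -lt 2048 ]; then
        findings="${findings}dh-group-below-2048 "
    fi
    case "$1" in
        *_CBC_*) findings="${findings}cbc-not-aead " ;;
    esac
    printf '%s' "${findings% }"
}

# grade_scan TEXT -> one "NAME: findings|ok" line per parsed suite
grade_scan() {
    printf '%s\n' "$1" |
    sed -n 's/^\(TLS_[A-Z0-9_]*\) (\([a-z0-9]*\) *\([0-9]*\))$/\1 \2 \3/p' |
    while read -r name kex bits; do
        f=$(assess_suite "$name" "$kex" "$bits")
        echo "$name: ${f:-ok}"
    done
}

grade_scan "$SCAN_OUTPUT"
```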


There are other ways of generating the required certificates and deploying to Supermicro systems but this works perfectly fine for me and my small lab setup. Hopefully it will prove useful to anyone in a similar situation.

7 thoughts on “Supermicro IPMI SSL TLS Certificate Replacement”

  1. Sorry for kinda necro-posting; I’m facing the problem here that the device allows uploading, displays the correct SSL certificate expiration date…
    Sadly, after the reboot it comes back with some self signed certificate…

    • Have you tried flushing your browser cache/using an alternate browser just to rule that out? Also you could do a reset on the IPMI controller first then complete the change to see if that assists. I assume you’re running the latest firmware version as potentially it could be a bug too.

  2. Great post. I am having an issue getting the entire certificate chain installed. When I browse to the management IP I see Cert error chain not complete and does not display the Intermediate cert, even though the file used for the installation includes the server cert and intermediate cert. Any thoughts?

    • Hi Andres,

      First off thanks for the kind words, always nice to get positive feedback! When you open the certificate file on your computer does it show the complete chain correctly on the ‘Certification Path’ tab? If you could let me know what shows there and give me a bit more info on what you’ve done so far that would be great. I’m sure we can get to the bottom of the problem.

      Alex

  3. I installed my own ones. No issue reported during install. Alas, the web server stopped working.
    Tried:
    – upgrade to latest firmware (3.72)
    – reset via ipmicfg -fd
    but the web server seems not to be working anymore.
    But the BMC is reachable and pretty manageable via IPMIVIEW.

    Any suggestion ?

    Ivan

    • Hi Ivan,

      Sorry to hear you are having problems. I wonder, have you tried doing a BMC reset with IPMITool? An example is below, this is from memory and you might want to perform with the system in maintenance –

      ipmitool mc reset cold -H ipAddressHere -U username -P password

      I have had some luck in the past with a complete power off, removing all power leads and letting the capacitors drain out. I don’t recall having the same problem as you describe but that might help if the above reset doesn’t. Let me know how you get on, hopefully we can come to a resolution.

      Regards,

      Alex

  4. Hi Alex,

    I did not try ipmitool, gonna try out shortly; I guess IPMICFG should do the same but seems not to work. Will try ipmitool.

    I tried to remove the power cord and detach the RTC battery for a couple of minutes but it seems to retain conf somewhere in flash.

    Gonna perform some more testing and get back to you.

    Thank you for the suggestions.

    Ivan
