Unsolved
Can't migrate from v3 to v4 because of certificate chain
Hi there,
I can't initiate the migration process because there is a certificate chain issue when I want to start the process and self signed is grayed out:
My current certificate was signed by my Microsoft CA as mentioned in this documentation: https://www.dell.com/support/kbdoc/en-us/000184683/how-to-manage-custom-certificates-in-openmanage-enterprise
I've tried to regenerate one and upload the certificate chain but I get the following error:
So I'm confused about my possibilities. I have no problem to ditch the current certificate and reuse a self signed one temporarily but I didn't find how to regenerate one.
Can anybody help me? Thanks in advance.
Kind regards
Franck
franckehret
February 15th, 2024 13:40
PS: what I tried:
- upload p7b chain (from my CA) before the certificate (with new CSR)
- upload p7b chain after uploading the certificate (with new CSR)
- create a b64 chain with leaf certificate & root certificate (in that order)
- create a b64 chain with root certificate and leaf certificate (in that order)
None worked and gave the same error
DELL-Charles R
Moderator
February 15th, 2024 19:44
Hello,
Did you get to view the video from the page you linked?
OpenManage Enterprise Custom Certificates
https://dell.to/4bHjFxC
This video guide to migrate may help for the process:
How to Migrate OpenManage Enterprise From 3.10.x to 4.0
https://dell.to/3I1yJZt
If you please let me know what time mark you start having the issue it may help identify the issue.
Take a look at Article Number: 000219280 OpenManage Enterprise 3.10.x to 4.0 Migration
Link below. It mentions the (CGEN1008) error you see:
https://dell.to/4bBgFmz
The installed certificate must be signed by the same Certificate Authority on both the source and destination consoles. The uploaded certificate must have both client and server authentication, and key encipherment enabled for Public Key Usage (Key Usage Extensions). Otherwise, it is considered a nonvalid certificate chain and an upload error is thrown (CGEN1008).
Generate and download a certificate signing request
Page 63
https://dell.to/3OJYIbv
If you contact Support directly and ask for the Systems Management team, an engineer could do a remote session with you to take a look.
franckehret
February 23rd, 2024 09:57
I did exactly what is mentioned in this video, step by step.
As soon as I click "migrate out", I can't select the "Proceed with self signed certificate", it's greyed out, despite I did regenerate a new certificate from scratch from my Microsoft ADCS.
As stated in my first post, uploading the certificate chain doesn't work either so I just can't even start the migration process as source doesn't allow me to get past the very first step.
Any clue how to reset the certificate to real self signed?
DELL-Marco B
Moderator
February 23rd, 2024 13:13
Hello,
If those steps don't work as suggested by Charles, I invite you to contact support directly and check with them how to fix the issue.
Thanks
Gusztav
March 1st, 2024 14:27
@franckehret Hi!
You just have to add the intermediate and root details to your own server certificate file manually.
Full chain certificate looks like this:
-----BEGIN CERTIFICATE-----
(certificate details)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate details)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(root details)
-----END CERTIFICATE-----
I've just tried it, and it works.
Good luck!
JarodCs
April 4th, 2024 13:40
We faced the same issues and called in to Dell support. I was told the only way to get a self-signed certificate back is to back up the appliance and re-deploy from the OVF. Once a signed cert was installed there was no going back to self signed. Hope that helps.
Greg Karas
August 7th, 2024 11:30
@Gusztav
Thanks for the hint, I was trying to upload a .pem file created with command
openssl pkcs7 -inform der -print_certs -in mycert.p7b -outform pem -out mycert.pem
which adds headers and puts the chain in the wrong order.
Also, it took a reboot of the appliance before I could finally complete the migration process.
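An added example, not code from any poster or from Dell: one way to turn the output of the `openssl pkcs7 -print_certs` command quoted above into the header-free chain, in the leaf, intermediate, root order shown earlier in the thread. It assumes the input still carries the `subject=` and `issuer=` lines that command emits and uses them to link each certificate to its issuer; `order_chain` and the sample names are hypothetical.

```python
import re

# One entry of `openssl pkcs7 -print_certs` output: two header lines, then the PEM block.
ENTRY = re.compile(
    r"subject=(?P<subject>[^\r\n]*)\r?\n\s*issuer=(?P<issuer>[^\r\n]*)\r?\n\s*"
    r"(?P<pem>-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)", re.S)

def order_chain(print_certs_output):
    """Return a header-free PEM chain ordered leaf, intermediate(s), root."""
    certs = [{k: v.strip() for k, v in m.groupdict().items()}
             for m in ENTRY.finditer(print_certs_output)]
    if not certs:
        raise ValueError("no subject=/issuer=/PEM entries found")
    by_subject = {c["subject"]: c for c in certs}
    # A name that issued another certificate in the bundle belongs to a CA, not the leaf.
    ca_names = {c["issuer"] for c in certs if c["issuer"] != c["subject"]}
    leaves = [c for c in certs if c["subject"] not in ca_names]
    if len(leaves) != 1:
        raise ValueError("expected exactly one leaf, found %d" % len(leaves))
    chain, current = [], leaves[0]
    while current is not None and current not in chain:
        chain.append(current)
        if current["issuer"] == current["subject"]:  # self-signed root ends the chain
            break
        current = by_subject.get(current["issuer"])
    if len(chain) != len(certs):
        raise ValueError("bundle has certificates outside the leaf's chain")
    return "\n".join(c["pem"] for c in chain) + "\n"

# Constructed sample, root first (the wrong order); base64 bodies are placeholders.
SAMPLE = """subject=CN = Example Root CA
issuer=CN = Example Root CA
-----BEGIN CERTIFICATE-----
Uk9PVA==
-----END CERTIFICATE-----
subject=CN = Example Issuing CA
issuer=CN = Example Root CA
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRF
-----END CERTIFICATE-----
subject=CN = ome.example.test
issuer=CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
TEVBRg==
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print(order_chain(SAMPLE), end="")
```

Matching on subject and issuer names only fixes the order and strips the headers; it does not check signatures or the key usage requirements the KB article lists, so the result is worth confirming with `openssl verify` before uploading.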