跳转至主要内容
  • 快速、轻松地下订单
  • 查看订单并跟踪您的发货状态
  • 创建并访问您的产品列表

Troubleshooting Certificate Chain Issues Required for OpenManage Enterprise Migration

摘要: OpenManage Enterprise administrators may run across several errors during the certificate chain upload (CGEN1008 and CSEC9002) and connection verification stage. The following is a guide to help OpenManage Enterprise administrators in the event they run across errors during this stage of the migration process. ...

本文适用于 本文不适用于 本文并非针对某种特定的产品。 本文并非包含所有产品版本。

说明

The appliance migration process leverages mutual TLS (mTLS). This type of mutual authentication is used within a Zero Trust security framework where nothing is trusted by default.
 
In a typical TLS exchange, the server holds the TLS certificate and public and private key pair. The client verifies the server certificate and then proceed with exchanging information over an encrypted session. With mTLS, both the client and server verify the certificate before they begin to exchange any data.
mTLS client and server communication diagram 
Any OpenManage Enterprise appliance that leverages a third-party signed certificate is required to upload the certificate chain before proceeding with a migration operation. A certificate chain is an ordered list of certificates containing an SSL/TLS Certificate and Certificate Authority (CA) Certificates. The chain begins with the stand-alone certificate, and followed by certificates signed by the entity identified in the next certificate in the chain.
  • Certificate = CA signed certificate (stand-alone)
  • Certificate Chain = CA signed certificate + intermediate CA certificate (if any) + root CA certificate
The certificate chain must meet the following requirements else the administrator is presented with errors.
 

Certificate Chain Requirements for Migration 

  1. Certificate Signing Request key matches - During the certificate upload the Certificate Signing Request (CSR) key is checked. OpenManage Enterprise only supports uploading certificates that are requested using the Certificate Signed Request (CSR) by that appliance. This validation check is performed during an upload for both a single server-certificate and a certificate chain.
  2. Certificate encoding - The certificate file requires Base 64 encoding. Ensure that when saving the exported certificate from the certificate authority Base 64 encoding is used otherwise the certificate file is considered invalid.
  3. Validate certificate enhanced key usage - Check to ensure that key usage is enabled for both Server Authentication and Client Authentication. This is because the migration is two-way communication between both the source and target where either can act as a server and a client during the information exchange. For single server-certificates, only the server authentication is required.
  4. Certificate is enabled for key encipherment - Certificate template used to generate the certificate must include key encipherment. This ensures that the keys in the certificate can be used to encrypt communication.
  5. Certificate Chain with root certificate - Certificate contains the full chain that includes the root certificate. This is required for the source and the target to ensure both can be trusted. The root certificate is added to each appliance's trusted root store. IMPORTANT: OpenManage Enterprise supports a maximum of 10 leaf certificates within the certificate chain.
  6. Issued to and issued by - The root certificate is used as the trust anchor, and then used to validate all certificates in the chain against that trust anchor. Ensure that the certificate chain includes the root certificate.
Example certificate chain
Issued To Issued By
OMENT (appliance) Inter-CA1
Inter-CA1 Root-CA
Root-CA Root-CA


Certificate Chain Upload Operation

Once the full certificate chain has been acquired, the OpenManage Enterprise administrator must then upload the chain through the web UI - 'Application Settings -> Security - Certificates.'
 
If the certificate does not meet the requirements, one of the following errors is shown in the web UI:
  • CGEN1008 - Unable to process the request because an error occurred
  • CSEC9002 - Unable to upload the certificate because the certificate file provided is invalid.
The following sections highlight the errors, conditional triggers, and how to remediate.

CGEN1008 - Unable to process the request because an error occurred.

CGEN1008 - Unable to process the request because an error occurred.
Retry the operation. If the issue persists, contact your system administrator.
Certificate upload error CGEN1008 Unable to process the request because an error occurred 
The CGEN1008 error is displayed if any of the following error conditions are met:
  • Invalid CSR key for the certificate chain
    • Ensure that the certificate was generated using the CSR from the OpenManage Enterprise web UI. OpenManage Enterprise does not support uploading a certificate that was not generated using the CSR from the same appliance.
    • The following error is seen in the tomcat application log located in the console log bundle:
./tomcat/application.log

[ERROR] 2024-01-25 11:10:34.735 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-10] SSLController - uploadNewCertificateChain():
 Error uploading certificate chain: {"error":{"code":"Base.1.0.GeneralError",
"message":"A general error has occurred. See ExtendedInfo for more information.","@Message.ExtendedInfo":[{"MessageId":"CGEN1008","RelatedProperties":[],
"Message":"Unable to process the request because an error occurred.",
"MessageArgs":["Invalid CSR key."],
"Severity":"Critical","Resolution":"Retry the operation. If the issue persists, contact your system administrator."}]}}
  • Invalid certificate chain
    • The root and all intermediate certificate authorities' certificates must be included within the certificate.
    • The following error is seen in the tomcat application log located in the console log bundle:
./tomcat/application.log

[ERROR] 2024-01-25 11:04:56.396 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] SSLController - uploadNewCertificateChain():
 Error uploading certificate chain: {"error":{"code":"Base.1.0.GeneralError",
"message":"A general error has occurred. See ExtendedInfo for more information.","@Message.ExtendedInfo":[{"MessageId":"CGEN1008","RelatedProperties":[],
"Message":"Unable to process the request because an error occurred.",
"MessageArgs":["Invalid certificate chain provided."],
"Severity":"Critical","Resolution":"Retry the operation. If the issue persists, contact your system administrator."}]}}
  • No Common Name found in the leaf certificate - All certificates must include the common names and not contain any wildcards (*).
NOTE: OpenManage Enterprise does not support wildcard (*) certificates. Generating a CSR from the web UI using a wildcard (*) in the distinguished name generates the following error:
CGEN6002 - Unable to complete the request because the input value for DistinguishedName is missing or an invalid value is entered.
Certificate upload error CGEN6002 Unable to complete the request because the input value for DistinguishedName is missing or an invalid value is entered 
  • No Client and Server Authentication Extended Key Usage (EKU) is present in leaf certificate
    • The certificate must include both Server and Client authentication for extended key usage.
    • The following error is seen in the tomcat application log located in the console log bundle:
./tomcat/application.log

[ERROR] 2024-01-25 10:56:54.175 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-17] SSLController - uploadNewCertificateChain():
 Error uploading certificate chain: {"error":{"code":"Base.1.0.GeneralError",
"message":"A general error has occurred. See ExtendedInfo for more information.","@Message.ExtendedInfo":[{"MessageId":"CGEN1008","RelatedProperties":[],
"Message":"Unable to process the request because an error occurred.",
"MessageArgs":["No Client/Server authentication EKU present in leaf certificate."],
"Severity":"Critical","Resolution":"Retry the operation. If the issue persists, contact your system administrator."}]}}
  • Review the certificate details for enhanced key usage. If either are missing, ensure that the template used to generate the certificate is enabled for both.
Certificate details showing enhanced key usage for both server and client authentication 
  • Missing key encipherment for key usage
    • The certificate being uploaded must have the key encipherment listed for key usage.
    • The following error is seen in the tomcat application log located in the console log bundle:
./tomcat/application.log

[ERROR] 2024-01-25 11:01:01.475 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] SSLController - uploadNewCertificateChain():
 Error uploading certificate chain: {"error":{"code":"Base.1.0.GeneralError","message":"A general error has occurred.
 See ExtendedInfo for more information.","@Message.ExtendedInfo":[{"MessageId":"CGEN1008","RelatedProperties":[],
"Message":"Unable to process the request because an error occurred.",
"MessageArgs":["User Certificate is not a web server certificate."],
"Severity":"Critical","Resolution":"Retry the operation. If the issue persists, contact your system administrator."}]}}
  • Review the certificate details for key usage. Ensure the template used to generate the certificate has key encipherment enabled.
Certificate details showing key usage for key encipherment 
 

CSEC9002 - Unable to upload the certificate because the certificate file provided is invalid.

CSEC9002 - Unable to upload the certificate because the certificate file provided is invalid.
Make sure the CA certificate and private key are correct and retry the operation.
Certificate upload error CSEC9002 Unable to upload the certificate because the certificate file provided is invalid.
 
The CSEC9002 error is displayed if any of the following error conditions are met: 
  • Server-certificate missing key encipherment
    • Ensure the template used to generate the certificate has key encipherment enabled. When leveraging a certificate for migration, ensure that the full certificate chain is uploaded rather than the single server-certificate.
    • The following error is seen in the tomcat application log located in the console log bundle:
./tomcat/application.log

[ERROR] 2024-01-29 08:03:05.200 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] SSLController - {"error":{"code":"Base.1.0.GeneralError",
"message":"A general error has occurred. See ExtendedInfo for more information.","@Message.ExtendedInfo":[{"MessageId":"CSEC9002","RelatedProperties":[],
"Message":"Unable to upload the certificate because the certificate file provided is invalid.",
"MessageArgs":[],"Severity":"Critical","Resolution":"Make sure the CA certificate and private key are correct and retry the operation."}]}}
  • Certificate file contains wrong encoding
    • Ensure that the certificate file was saved using Base 64 encoding.
    • The following error is seen in the tomcat application log located in the console log bundle:
./tomcat/application.log

[ERROR] 2024-01-29 08:03:05.200 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] SSLController - {"error":{"code":"Base.1.0.GeneralError",
"message":"A general error has occurred. See ExtendedInfo for more information.","@Message.ExtendedInfo":[{"MessageId":"CSEC9002","RelatedProperties":[],
"Message":"Unable to upload the certificate because the certificate file provided is invalid.",
"MessageArgs":[],"Severity":"Critical","Resolution":"Make sure the CA certificate and private key are correct and retry the operation."}]}}

Migration Connection Verification Operation

After successfully uploading the certificate chain, the migration process can proceed with the next step - establishing connection between the source and target consoles. In this step, the OpenManage Enterprise administrator provides the IP address and local administrator credentials for the source and target consoles.
 
The following items are checked when validating the connection:
  • Issued to and issued by - Names of the certificate authorities in the chain between each the source and target certificates have the same 'issued to' and 'issued by.' If these names do not match, the source or the target cannot verify that the same signing authorities issued the certificates. This is crucial to adhering to the Zero-Trust security framework.
Valid certificate chain between source and target
Source Certificate     Target Certificate  
Issued To Issued By   Issued To Issued By
OMENT-310 (source) Inter-CA1 <-> OMENT-400 (target) Inter-CA1
Inter-CA1 Root-CA <-> Inter-CA1 Root-CA
Root-CA Root-CA <-> Root-CA Root-CA
 
 
Invalid certificate chain between source and target
Source Certificate     Target Certificate  
Issued To Issued By   Issued To Issued By
OMENT-310 (source) Inter-CA1 X OMENT-400 (target) Inter-CA2
Inter-CA1 Root-CA X Inter-CA2 Root-CA
Root-CA Root-CA <-> Root-CA Root-CA
 
  • Validity period - checks the certificate validity period with the date and time of the appliance.
  • Maximum depth - verify that the certificate chain does not exceed the maximum depth of 10 leaf certificates.
If the certificates do not meet the above requirements, the following error is seen when trying to validate the console connections:
Unable to mutually authenticate and connect to the remote appliance.
Please check the source and target appliances has valid certificate chain uploaded which are signed by the same CA.
Migration connection validation error - Unable to mutually authenticate and connect to remote appliance. 

Bypass Certificate Chain Requirement

If there are continued issues uploading the required certificate chain, there is a supported method that can be used to leverage the self-signed certificate.

Proceed with leveraging the backup and restore feature as outlined in the following article:
https://www.dell.com/support/kbdoc/000223239/openmanage-enterprise-administrators-may-run-across-several-errors-during-the-certificate-chain-upload-cgen1008-and-csec9002-report-challenges-in-procuring-a-certificate-chain-required-by-openmanage-enterprise-ome-4-0-x-for-the-migration-featur

受影响的产品

Dell EMC OpenManage Enterprise
文章属性
文章编号: 000221202
文章类型: How To
上次修改时间: 11 6月 2024
版本:  4
从其他戴尔用户那里查找问题的答案
支持服务
检查您的设备是否在支持服务涵盖的范围内。