
HOW TO: Regenerate expired UCS Manager certificate

Received the following error in our UCS Manager tonight:

Affected object: sys/pki-ext/keyring-default
Description: default Keyring's certificate is invalid, reason: expired
Cause: invalid-keyring-certificate
Code: F0910

Turns out the default self-signed certificate expires after 1 year.

To resolve the issue:

  1. Verify that both FIs have the correct time.  I use NTP servers for both. UCSM – Admin – All – Timezone Management;
  2. SSH to the UCS Manager cluster IP address and log in as an administrator user;
  3. Issue the following commands:
    VFC01-A# scope security
    VFC01-A /security # scope keyring default
    VFC01-A /security/keyring # set regenerate yes
    VFC01-A /security/keyring* # commit-buffer
  4. N.B. After you issue the 'commit-buffer' command, all GUI sessions will be disconnected;
  5. After a couple of minutes, validate the new certificate: (Patience is a virtue here.  Mine took about 10 minutes to show valid.)
    VFC01-A /security/keyring # scope security
    VFC01-A /security # show keyring detail
    Keyring default:
    RSA key modulus: Mod1024
    Trustpoint CA:
    Cert Status: Valid
  6. Now that you have a shiny new certificate: Open web browser, connect to UCSM cluster IP address and accept the certificate warning since the cert has changed.
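
An added example (not part of the original post): a Python check, run from an admin workstation, that reads the notAfter date of the certificate UCSM presents over HTTPS, so the expiry behind fault F0910 can be caught before it fires and the regenerated certificate can be confirmed. The host passed to `fetch_der`, the 30-day warning window and the `SAMPLE` bytes are assumptions constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_der(host, port=443, timeout=5.0):
    """Return the DER certificate the server presents (host is a placeholder)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # default keyring is self-signed, so chain
    ctx.verify_mode = ssl.CERT_NONE  # validation would fail; we only read dates
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def _tlv(buf, off):
    """Decode one DER element: return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (UTC)."""
    _, p, _ = _tlv(der, 0)           # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)           # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    p = end if tag == 0xA0 else p    # skip the optional [0] version field
    for _field in range(3):          # skip serialNumber, signature, issuer
        _, _, p = _tlv(der, p)
    _, p, _ = _tlv(der, p)           # enter validity SEQUENCE
    _, _, p = _tlv(der, p)           # skip notBefore
    tag, start, end = _tlv(der, p)
    text = der[start:end].decode("ascii")
    if tag == 0x17:                  # UTCTime has a 2-digit year (RFC 5280 pivot: 50)
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_state(der, now, warn_days=30):
    """'expired' is the condition behind fault F0910; 'expiring' warns early."""
    left = not_after(der) - now
    if left.total_seconds() <= 0:
        return "expired"
    return "expiring" if left.days < warn_days else "ok"

# Constructed DER skeleton (not a real certificate): validity 2023-01-01 to 2024-01-01.
SAMPLE = (b"\x30\x2e\x30\x2c\xa0\x03\x02\x01\x02\x02\x01\x01\x30\x00\x30\x00\x30\x1e"
          b"\x17\x0d" b"230101000000Z" b"\x17\x0d" b"240101000000Z")

if __name__ == "__main__":
    print(not_after(SAMPLE), cert_state(SAMPLE, datetime.now(timezone.utc)))
```

Against a live system, pass the result of `fetch_der("<UCSM cluster IP>")` to `cert_state` in place of `SAMPLE`; after regeneration the state should come back as `ok` with a later notAfter date.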