Certificates

The Certificate Authority (CA) is one of the Root Security Integrity Services that runs on the Chassis Management Module (CMM), and it provides the certificate management functions for the chassis.

The CMM comes with its own self-signed CA root certificate, which is regenerated automatically if the CMM is reset to its default values or moved to a different chassis. The default values for the CMM CA root certificate are as follows:

Common Name:  CA for chassis_uuid, certificate_creation_timestamp
Organization Name:  Generated by Lenovo Firmware
Country:  US
State or Province:  TX
City or Locality:  Austin

The CA root certificate provides a signed Transport Layer Security (TLS)/Secure Sockets Layer (SSL) certificate for the CMM to use as its Lightweight Directory Access Protocol (LDAP) server certificate and for other secure communication such as Common Information Model (CIM). If you do not import an externally signed SSL LDAP client certificate, the CMM uses the LDAP server certificate as its LDAP client certificate. The CA root certificate also provides signed SSL certificates for the integrated management modules (IMM) and flexible service processors (FSP) in the nodes for their communication with the LDAP servers and for other secure communication such as Hypertext Transfer Protocol Secure (HTTPS) and CIM.

The web browsers, LDAP servers, and other environments in which you plan to connect the CMM or other chassis elements must trust the certificates that are presented by the systems-management elements in the chassis; otherwise, Untrusted Certificate pop-up messages are displayed and users must decide whether to accept or block access to these sites. To help prevent this potential security exposure and to reduce the number of Untrusted Certificate pop-up messages, use the CMM web interface or the CMM command-line interface sslcfg -dnld ca -u URL command to export the CA certificate; then, import that certificate into the environments that you plan to use, and instruct all users not to accept any Untrusted Certificate pop-up messages. (See External authentication of certificates for more information.)
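The following added example (not Lenovo's code or documentation) shows the check a client environment performs once the exported CA certificate has been imported: a certificate presented by a chassis element is trusted only if it chains to that CA. Because no CMM is reachable offline, a stand-in CA root with the documented default subject fields and a stand-in CMM LDAP server certificate are constructed locally with openssl; the chassis UUID, timestamp, and host name are placeholders.

```shell
#!/bin/sh
# Added example: verify that a presented certificate chains to the exported CMM CA root.
# All certificates below are constructed stand-ins, not material from a real chassis.
set -e
WORK=$(mktemp -d)

# Stand-in for the CA root exported with 'sslcfg -dnld ca -u URL'.
# Subject follows the documented defaults; UUID and timestamp are placeholders.
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=CA for PLACEHOLDER-CHASSIS-UUID, PLACEHOLDER-TIMESTAMP/O=Generated by Lenovo Firmware/C=US/ST=TX/L=Austin" \
    >/dev/null 2>&1
}

# Stand-in for the CMM's CA-signed LDAP server certificate (host name is a placeholder).
make_demo_leaf() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/cmm.key" -out "$WORK/cmm.csr" \
    -subj "/CN=cmm.example.invalid/O=Generated by Lenovo Firmware/C=US" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/cmm.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/cmm.pem" >/dev/null 2>&1
}

# An unrelated CA, standing in for a different chassis' CA root (e.g. after a CMM reset
# regenerated the root, or a certificate from some other source).
make_other_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" \
    -subj "/CN=CA for OTHER-PLACEHOLDER-UUID/O=Generated by Lenovo Firmware/C=US" >/dev/null 2>&1
}

# verify_against_ca CA_FILE CERT_FILE: prints "trusted" if CERT_FILE chains to CA_FILE,
# "untrusted" otherwise. This is the decision a browser or LDAP client makes instead of
# asking the user to click through an Untrusted Certificate pop-up.
verify_against_ca() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_demo_ca
make_demo_leaf
make_other_ca
echo "against exported CA:  $(verify_against_ca "$WORK/ca.pem" "$WORK/cmm.pem")"
echo "against unrelated CA: $(verify_against_ca "$WORK/other.pem" "$WORK/cmm.pem")"
```

If the CMM is reset to defaults or moved to another chassis, the regenerated root no longer matches the imported copy, and the second result is what clients will report until the new CA certificate is exported and imported again.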

Some additional functions that the CA service provides are as follows:
  • Signs the certificates for the CMM and nodes
  • Digitally signs some of the data that is provisioned to the nodes such as the security policy
  • Continues to run during a failover operation