How to Use the HMC

  
11.1 Security Considerations
 
 

Types of Certificates

There are two types of certificates: a self-signed certificate and a certificate signed by a certificate authority (CA).

A self-signed certificate is a certificate that is signed by the HMC that created the certificate.

The first time you boot up the HMC, a self-signed certificate is automatically created. In this certificate, the common name (CN) is equal to the hostname and domain name at that time (and any IP addresses) and the default expiration value is 10 years.

You can modify the values of a self-signed certificate using the Launch Guided Setup Wizard task (mainly used when setting up your new system and the HMC), using the Changing Network Settings task, and using the Managing Certificates task. You can also create a new self-signed certificate using the Managing Certificates task.

A certificate signed by a Certificate Authority (CA) means that the certificate is signed by a trusted third-party certificate provider. The provider verifies and validates the required enrollment information you provided about the certificate. The provider can be an organization internal to your company that is authorized to sign certificates, or the provider can be a well-known security company providing certificate authority services (such as Verisign and Entrust).

Browser Considerations

Each browser contains a list of the CAs to be trusted. When a browser points to a secure server, the browser verifies that the server certificate was issued by a trusted CA. If the CA is not trusted or is not in the list, a warning window displays.

For most browsers, well-known security providers such as Verisign and Entrust are on this list of trusted CAs. If an internal provider is the trusted CA, this provider must be added to the list of trusted CAs on each Web browser accessing the secure server. Otherwise, a warning window displays.

 


 

 
 

Warning Windows

When you try to access the HMC (a secure server/Web site) remotely, a warning window displaying the message "Unable to verify that the site is a trusted site" may appear. It is important that you take the time to examine the certificate and ask your site administrator to make sure that you are accessing a secure Web site.

The following is a list of situations when this warning window may appear:

  • If the Web site is secured with a certificate signed by an internal CA provider and this CA provider is not on the browser's list of trusted CAs.
  • If the Web site is secured with a self-signed certificate and:
    • The Web site is accessed for the first time. Once you have viewed the certificate and made sure it is a secure site, you can choose either "Accept this certificate permanently" or "Accept this certificate temporarily for this session" and click OK each time you access this Web site.
    • You used the Guided Setup Wizard task or the Network Setting task to change the hostname and domain name and did not select OK for the certificate to be updated. In this case, the hostname and domain name on the certificate do not match the hostname and domain name of the Web site.
  • If someone is trying to intercept your communication with the Web site. Immediately contact your site administrator.
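
As an added illustration (not part of the original HMC course material), the sketch below maps the situations listed above to the certificate fields an administrator would examine. It assumes certificate dictionaries in the format returned by Python's ssl getpeercert(); the host names, CA names, byte strings and the warning_causes helper are constructed for the example, and trust is simplified to a set of issuer common names.

```python
import hashlib

def cn(name):
    """First commonName in a subject/issuer tuple (ssl getpeercert() format)."""
    return next((v for rdn in name for k, v in rdn if k == "commonName"), "")

def cert_names(cert):
    """Names the certificate carries: subject CN plus any SAN DNS/IP entries."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k in ("DNS", "IP Address")]
    return {n.lower() for n in [cn(cert["subject"]), *san] if n}

def fingerprint(der):
    """SHA-256 fingerprint (hex) of the DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def warning_causes(cert, der, host, trusted_issuers, accepted_fp=None):
    """Return which of the listed warning situations apply to this connection.

    accepted_fp is the fingerprint recorded when the certificate was accepted
    earlier (None on first access). Exact name matching only, no wildcards.
    """
    causes = []
    if cert["issuer"] == cert["subject"]:   # heuristic: issuer name equals subject name
        if accepted_fp is None:
            causes.append("SELF_SIGNED_FIRST_ACCESS")
        elif fingerprint(der) != accepted_fp:
            # Regenerated certificate or interception: check with the administrator.
            causes.append("CERT_CHANGED_SINCE_ACCEPTED")
    elif cn(cert["issuer"]) not in trusted_issuers:
        causes.append("ISSUER_NOT_TRUSTED")
    if host.lower() not in cert_names(cert):
        causes.append("NAME_MISMATCH")
    return causes

# Constructed sample data (not taken from a real HMC).
def name(common_name):
    return ((("commonName", common_name),),)

SELF_SIGNED = {"subject": name("hmc1.example.com"), "issuer": name("hmc1.example.com"),
               "subjectAltName": (("DNS", "hmc1.example.com"), ("IP Address", "192.0.2.10"))}
INTERNAL_CA = {"subject": name("hmc2.example.com"), "issuer": name("Example Internal CA")}
DER_OLD, DER_NEW = b"constructed-der-bytes-1", b"constructed-der-bytes-2"  # stand-ins for DER

if __name__ == "__main__":
    print(warning_causes(SELF_SIGNED, DER_OLD, "hmc1.example.com", set()))
    print(warning_causes(SELF_SIGNED, DER_NEW, "hmc-new.example.com", set(), fingerprint(DER_OLD)))
    print(warning_causes(INTERNAL_CA, DER_OLD, "hmc2.example.com", {"Example Public CA"}))
```
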

   
   