Requesting an organization-specific certificate

For new customers, a certificate must be requested at least two (2) business days in advance by sending a request to certificates@tacp.zendesk.com.

The following information must be provided in the e-mail:

| Required details | Example |
|---|---|
| Requester Name | John Doe |
| Requester E-mail | john.doe@acme.com |
| Date | 2018-12-31 |
| Company Name | ACME Corporation |
| Organization Name | MSP Stacks |
| GPG Public key | Public key name (publicKey.asc) |

Note:

An organization provides a way to organize and manage your ThinkAgile CP hardware resources. The organization identifier is used to identify the hardware stack in the ThinkAgile CP Cloud Controller. Each organization identifier must be unique. For more information about organizations within the ThinkAgile CP Cloud Controller, see Manage organizations.

The Lenovo team will reply with the certificate and instructions for installing it.

To create and use GNU Privacy Guard (GPG) keys, follow these steps:

  1. Execute the following command to create a new GPG key:

    gpg2 --gen-key

    Note:

    This prompts you for an interactive setup. The following example shows sample output and answers for reference.

    gpg2 --gen-key

    gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
     
    gpg: directory `/root/.gnupg' created
    gpg: new configuration file `/root/.gnupg/gpg.conf' created
    gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
    gpg: keyring `/root/.gnupg/secring.gpg' created
    gpg: keyring `/root/.gnupg/pubring.gpg' created
    Please select what kind of key you want:
       (1) RSA and RSA (default)
       (2) DSA and Elgamal
       (3) DSA (sign only)
       (4) RSA (sign only)
    Your selection? 1
    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048) 4096
    Requested keysize is 4096 bits
    Please specify how long the key should be valid.
    
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 2y
    Key expires at Sat Aug  8 14:33:52 2020 UTC
    Is this correct? (y/N) y
     
    GnuPG needs to construct a user ID to identify your key.
     
    Real name: John Doe ( ACME )
    Email address: jdoe@acme.com
    Comment: ACME GPG
    You selected this USER-ID:
        "John Doe ( ACME ) (ACME GPG)<jdoe@ACME.com>"
    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
    You need a Passphrase to protect your secret key.
     
  2. Locate your public key IDs:

    gpg2 --list-public-keys <requester e-mail>

    where <requester e-mail> is the e-mail address used to request the certificate from certificates@tacp.zendesk.com.

    The following is an example showing the command output:

    gpg2 --list-public-keys john.doe@acme.com

    pub   4096R/ECA7E403 2018-08-08 [expires: 2020-08-07]
    uid                  John Doe ( ACME Inc ) <john.doe@acme.com>
    sub ....

    Note:

    In the above output, the key ID is ECA7E403.

  3. Export the key and send your keys to the key server:

    gpg2 --send-keys --keyserver pool.sks-keyservers.net <GPG key ID>

    For example:

    gpg2 --send-keys --keyserver pool.sks-keyservers.net ECA7E403

    gpg: sending key C264BE84ECA7E403 to hkp://pool.sks-keyservers.net
  4. Extract the GPG key:

    gpg --output publicKey.asc --armor --export <requester e-mail>

    where <requester e-mail> is the e-mail address used to request the certificate from certificates@tacp.zendesk.com.

    Note:

    Use publicKey.asc as the name of the public key.

  5. Request the new certificate from certificates@tacp.zendesk.com as described at the beginning of this section.
  6. Please wait for the public key to be signed by Lenovo.
    Note:

    It can take up to two (2) business days to sign the GPG key.

  7. Decrypt the signed keys obtained from Lenovo. The result of the decryption process is a .TAR file.
    Note:

    This must be done in the same directory where you extracted the key.

    gpg2 --output <New-TAR-File-Name> --decrypt <Signed-File-Obtained-From-Lenovo>

    For example:

    gpg2 --output lenovo-thinkagile-test.controller-broker-client.pki.cp.lenovo.com-client_db.tar.gz --decrypt lenovo-thinkagile-test.controller-broker-client.pki.cp.lenovo.com-client_db.tar.asc
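
A check that can be run on publicKey.asc between steps 4 and 5, before the file is e-mailed (an added example, not part of the Lenovo procedure): it reads a GnuPG colon-format listing, confirms that the export holds no secret key material, that the key is not expired or revoked, and that a user ID carries the requester e-mail, then prints the full fingerprint rather than the 8-character key ID. The function names and the sample listing are constructed for illustration (the fingerprint is a zero-padded placeholder around the key ID from step 3), and `--show-keys` assumes a GnuPG release newer than the 2.0.22 shown above.

```shell
#!/bin/sh
# Added example (not Lenovo's code). Reads a GnuPG colon-format listing on stdin:
#   gpg2 --show-keys --with-colons publicKey.asc | check_export john.doe@acme.com
# Prints the primary key fingerprint; returns non-zero if the export is unsafe.
check_export() {
    awk -F: -v want="$1" '
        function fail(msg, code) { print "check_export: " msg > "/dev/stderr"; rc = code }
        # sec/ssb records mean the file contains secret key material.
        $1 == "sec" || $1 == "ssb" { secret = 1 }
        # Field 2 of the pub record is validity (e=expired, r=revoked, i=invalid).
        $1 == "pub" { validity = $2; seen_pub = 1; next }
        # The first fpr record after pub carries the primary fingerprint in field 10.
        $1 == "fpr" && seen_pub && fpr == "" { fpr = $10 }
        # Field 10 of a uid record is the user ID; match the e-mail case-insensitively.
        $1 == "uid" && index(tolower($10), "<" tolower(want) ">") { uid_ok = 1 }
        END {
            if (secret)                    fail("secret key material present", 2)
            else if (fpr == "")            fail("no public key found", 3)
            else if (validity ~ /^[eri]$/) fail("key is expired, revoked or invalid", 4)
            else if (!uid_ok)              fail("no user ID for " want, 5)
            else                           print fpr
            exit rc + 0
        }'
}

# Constructed sample listing: key ID from step 3, zero-padded placeholder fingerprint.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:C264BE84ECA7E403:1533738832:1596810832::-:::scESC::::::23::0:
fpr:::::::::000000000000000000000000C264BE84ECA7E403:
uid:-::::1533738832::0000000000000000000000000000000000000000::John Doe ( ACME Inc ) <john.doe@acme.com>::::::::::0:
sub:-:4096:1:1111111111111111:1533738832:1596810832:::::e::::::23:
fpr:::::::::0000000000000000000000001111111111111111:
EOF
}

# Run the check on the constructed sample.
sample_listing | check_export john.doe@acme.com
```

A non-zero exit status (2 to 5) identifies which check failed, so the function can gate a script that prepares the request e-mail.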