david8881
Occasional Advisor

Anyway to change the Subject Alternative Name on iLo SSL Cert Requests?

My signing authority does not accept the SSL cert request, but only for the iLo 4.

The old iLo 2 worked fine.

For whatever reason the iLo 4 certs have Subject Alternative Names as "shortname, fqdn.domain.com"

The iLo 2 just had the fully qualified domain names.
Is there any place where I can remove the short name in the ssl cert CSR?

I couldn't seem to find it anywhere in the iLo 4 configs.

 

briank2012
Visitor

Re: Anyway to change the Subject Alternative Name on iLo SSL Cert Requests?

iLo3 has the same problem, which means we cannot use a certificate from an external CA (such as letsencrypt).

briank2012
Visitor

Re: Anyway to change the Subject Alternative Name on iLo SSL Cert Requests?

I realize some people want the shortname in the SAN so they can just type it into their browser (they must have local host file entries?).  I think the best option may be to allow us to upload a PFX/PKCS12 file that includes the private key and certificate (and the ca chain?).  That way, people can use wildcards, certs with multiple SAN names (perhaps listing all their ILO hostnames), and shortnames if they so choose.

PFX/P12 files have passwords, so you would want to accept the file plus the password and run openssl to split apart the key and cert and store them in the appropriate location on the iLO.  Or allow us to upload an unencrypted RSA private key and the certificate in a webform with two fields.

Whatever you do, can you please also fix iLo3 as well?  Please!

-Brian

Oscar A. Perez
Honored Contributor
Solution

Re: Anyway to change the Subject Alternative Name on iLo SSL Cert Requests?

What version of iLO4 do you have?  Versions 2.10 and later do not add the short name in the SAN.  Only FQDN is added which should be okay with all CAs.

As for the iLO3, we are working on a new version that will remove the short name from the SAN as well.  

All these said, I would not use Public CAs to sign iLO certificates.  It doesn't make sense unless, of course, you are planning to expose your iLOs directly to the Internet, which is NOT recommended at all.

What you could do is to create your own private CA in your organization and use this CA to issue the iLO certificates.  This gives you more flexibility and control over what settings you want enabled/disabled.  The only caveat of using a private CA is that you need to install the Certificate of this CA into your browsers and applications so they can trust the certs issued by it.

About importing PKCS#12 Certificates with both Private/Public keys into iLO.  We don't currently support it due to security reasons.  First, the Private/Public key-pairs need to be stored somewhere and they could be compromised.  As opposed to iLO generating its own key material and keeping its Private Key secret and secure.  Second, we would have no control over the quality of the Pseudo Random Number Generator used by the tool generating the key material, how it is seeded and how much entropy it would contain.  And third, it allows users to do stupid things like importing the same Private/Public RSA key-pair into hundreds of iLOs which could make it easier for adversaries to factorize one RSA key by attacking all of them.

 

I understand that setting a CA and getting trusted certificates imported into each iLO is a royal pain but, security isn't something that comes inside a retail box that you can buy from a store.  It requires work.




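Oscar's last point (the same key pair imported into hundreds of iLOs, or keys from a poorly seeded RNG sharing a prime) can be audited from the public certificates alone. The following is added example code, not from this thread or from HPE: it takes RSA moduli collected from a fleet (constructed tiny moduli and made-up host names here) and reports duplicate moduli and pairs of distinct moduli that share a factor.

```python
from collections import defaultdict
from itertools import combinations
from math import gcd

# Constructed fleet: host -> RSA modulus n = p*q. Tiny primes stand in for the
# 2048-bit moduli a real iLO presents; host names are made up.
FLEET = {
    "ilo-a.example.invalid": 1009 * 1013,   # unique key pair
    "ilo-b.example.invalid": 1019 * 1021,   # same key pair imported on b and c
    "ilo-c.example.invalid": 1019 * 1021,
    "ilo-d.example.invalid": 1031 * 1033,   # shares the prime 1031 with ilo-e
    "ilo-e.example.invalid": 1031 * 1009,   # shares 1031 with d and 1009 with a
}

def audit_moduli(fleet):
    """Find key reuse across a fleet from public moduli alone.

    Returns (duplicates, shared):
      duplicates: {modulus: [hosts]} where one modulus serves several hosts
                  (the same key pair was imported more than once)
      shared:     [(host_x, host_y, common_factor)] for distinct moduli whose
                  gcd is > 1; both moduli are then trivially factorable,
                  which is the batch-GCD weak-RNG failure mode
    """
    by_modulus = defaultdict(list)
    for host, n in fleet.items():
        by_modulus[n].append(host)
    duplicates = {n: sorted(hosts) for n, hosts in by_modulus.items() if len(hosts) > 1}

    shared = []
    distinct = sorted(by_modulus.items())            # one entry per unique modulus
    for (n1, hosts1), (n2, hosts2) in combinations(distinct, 2):
        g = gcd(n1, n2)
        if g > 1:
            shared.append((hosts1[0], hosts2[0], g))
    return duplicates, shared

if __name__ == "__main__":
    dups, shared = audit_moduli(FLEET)
    for n, hosts in dups.items():
        print("DUPLICATE modulus %d on %s" % (n, ", ".join(hosts)))
    for h1, h2, g in shared:
        print("SHARED FACTOR %d between %s and %s" % (g, h1, h2))
```

Real moduli can be read from each iLO's served certificate with `openssl x509 -noout -modulus` and converted with `int(hexstring, 16)`; for fleets of many thousands of keys the pairwise loop should be replaced by a product-tree batch GCD.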
david8881
Occasional Advisor

Re: Anyway to change the Subject Alternative Name on iLo SSL Cert Requests?

Yes, for the iLo4s the latest firmware fixed the issue.

For the iLo3 the new firmware will not be out till "summer" HP support tells me.

david8881
Occasional Advisor

Re: Anyway to change the Subject Alternative Name on iLo SSL Cert Requests?

I believe for ilo3 we should be able to generate the cert with just openssl and import it with locfg.pl or hpqlocfg.exe.

I am still trying to figure this out.

tstrothe
New Member

Re: Anyway to change the Subject Alternative Name on iLo SSL Cert Requests?

Any updated news on when the new version for ILO3 will be out?

Oscar A. Perez
Honored Contributor

Re: Anyway to change the Subject Alternative Name on iLo SSL Cert Requests?

Yes, iLO3 1.88 was released last week.  Here are the links and release notes:

Online ROM Flash Component for Windows x86
ftp://ftp.hp.com/pub/softlib2/software1/sc-windows-fw-ilo/p1539977532/v116232
https://www.hpe.com/global/swpublishing/MTX-3ef65d13406a41de97e6a75a3c


Online ROM Flash Component for Windows x64
ftp://ftp.hp.com/pub/softlib2/software1/sc-windows-fw-ilo/p1015659653/v116234
https://www.hpe.com/global/swpublishing/MTX-bb45e0682dd04f098ad89e189c


Online ROM Flash Component for Linux
ftp://ftp.hp.com/pub/softlib2/software1/sc-linux-fw-ilo/p1573561412/v116231
https://www.hpe.com/global/swpublishing/MTX-4882dccaaa0d4fbcbd353033e6


Online ROM Flash Component for VMware ESXi
ftp://ftp.hp.com/pub/softlib2/software1/sc-linux-fw-ilo/p986822869/v116230
https://www.hpe.com/global/swpublishing/MTX-04b05621285145119cbaa69982

 

Enhancements:
iLO 3 v1.88 includes the following enhancements:
- Added support for AES-CTR ciphers and HMAC-SHA2-256 to the SSH server.
- Disabled the CBC ciphers in the SSH server when iLO 3 is in FIPS mode or when the Enforce AES/3DES Encryption option is enabled.
- Certificate Signing Requests now use the SHA256 algorithm for the signature.
- The Java IRC now includes two alternatives: A Java Web Start console and a Java applet-based console. The Java Web Start option works in newer browsers that do not allow the applet version to run. On systems with OpenJDK, you must use the Java applet-based console with a browser (such as Firefox) that supports a Java plug-in.


Fixes:
The following issues are resolved in this version:
- Addressed Security Bulletins HPSBHF03440 and HPSBHF03441.
- Removed the iLO 3 short-name from the SAN field in the Certificate Signing Request.
- Changed the IPMI master write read completion code to avoid retries by the open IPMI driver.
- Changed the IPMI close session request to utilize the session handle, if present.
- Fixed the IPMI channel privilege level setting.
- Fixed an issue that allowed authenticated iLO web interface users to use browser debug tools to set their own password below the configured minimum password length.
- Fixed an issue that prevents users from using the CLI to set a password that contains the "\" character.
- Disabled TLSv1.0 when the FIPS mode or Enforce AES/3DES Encryption options are enabled.
- Added X-Frame-Options to the HTTP header as a countermeasure for Clickjacking.
- Fixed an issue in which the IPMI Set SOL Configuration parameters return an error completion code when the configuration change was successful.
- Fixed IPMI OEM commands for setting and getting the serial number and product ID.
- Fixed an intermittent loss of OA communications after an iLO firmware update on a blade server.

 




spellbreaker
Occasional Visitor

Re: Anyway to change the Subject Alternative Name on iLo SSL Cert Requests?

I'm using iLO4. How do I get rid of the IP fields in the SAN section (and why is this there at all)? The IP SANs prohibit us from using an official certificate.
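A check for the problem raised here and in the opening post (short names and IP addresses in the CSR's SAN). This is added example code, not from the thread or from HPE: it takes the SAN line as printed by `openssl req -in ilo.csr -noout -text` (the sample line is constructed) and classifies each entry under a simplified form of the CA/Browser Forum rules that public CAs enforce.

```python
import ipaddress
import re

# Constructed sample: the SAN line as printed by `openssl req -in ilo.csr -noout -text`
# for a CSR of the kind discussed in this thread (short name, FQDN, IP addresses).
SAMPLE_SAN_LINE = ("DNS:ilo01, DNS:ilo01.corp.example.com, "
                   "IP Address:10.20.30.40, IP Address:FE80:0:0:0:1:2:3:4")

# RFC 2606 and mDNS suffixes: never issuable by a public CA.
RESERVED_SUFFIXES = (".local", ".localhost", ".example", ".test", ".invalid")
HOSTNAME_RE = re.compile(r"(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+")

def parse_san(line):
    """Split an openssl-style SAN line into (type, value) pairs; only the first
    ':' separates type from value, so IPv6 literals survive intact."""
    entries = []
    for item in line.split(","):
        kind, _, value = item.strip().partition(":")
        entries.append((kind.strip(), value.strip()))
    return entries

def check_san(line):
    """Return (value, status, reason) per SAN entry, status in ok/warn/reject,
    applying the CA/Browser Forum rules public CAs enforce (simplified)."""
    findings = []
    for kind, value in parse_san(line):
        if kind == "DNS":
            name = value.lower().rstrip(".")
            if "." not in name:
                findings.append((value, "reject", "single-label short name (internal name)"))
            elif name.endswith(RESERVED_SUFFIXES):
                findings.append((value, "reject", "reserved, non-public suffix"))
            elif not HOSTNAME_RE.fullmatch(name):
                findings.append((value, "reject", "not a valid DNS hostname"))
            else:
                findings.append((value, "ok", "public FQDN"))
        elif kind == "IP Address":
            ip = ipaddress.ip_address(value)
            if ip.is_global:
                findings.append((value, "warn", "public IP; many public CAs decline IP SANs"))
            else:
                findings.append((value, "reject", "private, loopback, link-local or reserved IP"))
        else:
            findings.append((value, "warn", "SAN type %s not checked" % kind))
    return findings

def publicly_issuable(line):
    """True when no SAN entry would be rejected outright."""
    return all(status != "reject" for _, status, _ in check_san(line))
```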

spellbreaker
Occasional Visitor

Re: Anyway to change the Subject Alternative Name on iLo SSL Cert Requests?

But then you have to install your CA cert into every device you wish to use with your iLO servers. For an Android device this means that you have to live with a system-generated warning. Actually I think it is a good idea to use an official CA even when you only connect from inside of your company. Imho using a private CA is only useful for authentication.