topic Re: Anyway to change the Subject Alternative Name on iLo SSL Cert Requests? in Server Management - Remote Server Management

Anyway to change the Subject Alternative Name on iLo SSL Cert Requests?

david8881 — Thu, 10 Mar 2016 03:43:26 GMT

My signing authority is no accept the SSL for only the iLo 4.

The old iLo 2 worked fine.

For whatever reason the iLo 4 certs have Subject Alternative Names as "shortname, fqdn.domain.com"

The iLo 2 just had the full quailfied domain names.
Is there any place where I can remove the short name in the ssl cert CSR?

I couldn't seem to find anywhere in the iLo 4 configs,

Re: Anyway to change the Subject Alternative Name on iLo SSL Cert Requests?

briank2012 — Sun, 20 Mar 2016 23:19:02 GMT

iLo3 has the same problem. Which means we cannot use a certificate from an external CA (such as letsencrpyt).

Re: Anyway to change the Subject Alternative Name on iLo SSL Cert Requests?

briank2012 — Sun, 20 Mar 2016 23:59:58 GMT

I realize some people want the shortname in the SAN so they can just type it into their browser (they must have local host file entries?). I think the best option may be to allow use to upload a PFX/PKCS12 file that includes the private key and certificate (and the ca chain?). That way, people can use wildcards, certs with multiple SAN names (perhaps listing all their ILO hostnames), and shortnames if they so choose.

PFX/P12 files have passwords, so you would want to accept the file plus the password and run openssl to split apart the key and cert and store them in the appropriate location on the iLO. Or allow us to upload an unencrypted RSA private key and the certificate in a webform with two fields.

Whatever you do, can you please also fix iLo3 as well? Please!

-Brian

Re: Anyway to change the Subject Alternative Name on iLo SSL Cert Requests?

Oscar A. Perez — Mon, 04 Apr 2016 19:50:42 GMT

What version of iLO4 do you have? Versions 2.10 and later do not add the short name in the SAN. Only FQDN is added which should be okay with all CAs.

As for the iLO3, we are working on a new version that will remove the short name from the SAN as well.

All these said, I would not use Public CAs to sign iLO certificates. It doesn't make sense unless or course, you are planning to expose your iLOs directly to the Internet, which is NOT recommended at all.

What you could do is to create your own private CA in your organization and use this CA to issue the iLO certificates. This gives you more flexibility and control over what settings you want enabled/disabled. The only caveat of using a private CA is that you need to install the Certificate of this CA into your browsers and applications so, they can trust the certs issued by it.

About importing PCKS#12 Certificates with both Private/Public keys into iLO. We don't currently support it due to security reasons. First, the Private/Public key-pairs need to be stored somewhere and they could be compromised. As opposed to iLO generating its own key material and keeping its Private Key secret and secure. Second, we would have no control over the quality of the Pseudo Random Number Generator used by the tool generating the key material, how it is seeded and how much entropy it would contain. And third, it allows users to do stupid things like importing the same Private/Public RSA key-pair into hundreds of iLOs which could make it easier for adversaries to factorize one RSA key by attacking all of them.

I understand that setting a CA and getting trusted certificates imported into each iLO is a royal pain but, security isn't something that comes inside a retail box that you can buy from a store. It requires work.

Re: Anyway to change the Subject Alternative Name on iLo SSL Cert Requests?

david8881 — Mon, 04 Apr 2016 19:18:34 GMT

Yes, for the iLo4s the latest firmware fixed the issue.

For the iLo3 the new firmware will not be out till "summer" HP support tells me.

Re: Anyway to change the Subject Alternative Name on iLo SSL Cert Requests?

david8881 — Mon, 04 Apr 2016 19:21:20 GMT

I believe for ilo3 we should be able to generate the cert with just openssl and import it with locfg.pl or hpqlocfg.exe.

I am still trying to figure this out.

Re: Anyway to change the Subject Alternative Name on iLo SSL Cert Requests?

tstrothe — Thu, 11 Aug 2016 21:01:28 GMT

Any updated news on when the new version for ILO3 will be out?

Re: Anyway to change the Subject Alternative Name on iLo SSL Cert Requests?

Oscar A. Perez — Fri, 12 Aug 2016 14:42:55 GMT

Yes, iLO3 1.88 was released last week. Here are the links and release notes:

Online ROM Flash Component for Windows x86
ftp://ftp.hp.com/pub/softlib2/software1/sc-windows-fw-ilo/p1539977532/v116232
https://www.hpe.com/global/swpublishing/MTX-3ef65d13406a41de97e6a75a3c

Online ROM Flash Component for Windows x64
ftp://ftp.hp.com/pub/softlib2/software1/sc-windows-fw-ilo/p1015659653/v116234
https://www.hpe.com/global/swpublishing/MTX-bb45e0682dd04f098ad89e189c

Online ROM Flash Component for Linux
ftp://ftp.hp.com/pub/softlib2/software1/sc-linux-fw-ilo/p1573561412/v116231
https://www.hpe.com/global/swpublishing/MTX-4882dccaaa0d4fbcbd353033e6

Online ROM Flash Component for VMware ESXi
ftp://ftp.hp.com/pub/softlib2/software1/sc-linux-fw-ilo/p986822869/v116230
https://www.hpe.com/global/swpublishing/MTX-04b05621285145119cbaa69982

Enhancements:
iLO 3 v1.88 includes the following enhancements:
- Added support for AES-CTR ciphers and HMAC-SHA2-256 to the SSH server.
- Disabled the CBC ciphers in the SSH server when iLO 3 is in FIPS mode or when the Enforce AES/3DES Encryption option is enabled.
- Certificate Signing Requests now use the SHA256 algorithm for the signature.
- The Java IRC now includes two alternatives: A Java Web Start console and a Java applet-based console. The Java Web Start option works in newer browsers that do not allow the applet version to run. On systems with OpenJDK, you must use the Java applet-based console with a browser (such as Firefox) that supports a Java plug-in.

Fixes:
The following issues are resolved in this version:
- Addressed Security Bulletins HPSBHF03440 and HPSBHF03441.
- Removed the iLO 3 short-name from the SAN field in the Certificate Signing Request.
- Changed the IPMI master write read completion code to avoid retries by the open IPMI driver.
- Changed the IPMI close session request to utilize the session handle, if present.
- Fixed the IPMI channel privilege level setting.
- Fixed an issue that allowed authenticated iLO web interface users to use browser debug tools to set their own password below the configured minimum password length.
- Fixed an issue that prevents users from using the CLI to set a password that contains the "\" character.
- Disabled TLSv1.0 when the FIPS mode or Enforce AES/3DES Encryption options are enabled.
- Added X-Frame-Options to the HTTP header as a countermeasure for Clickjacking.
- Fixed an issue in which the IPMI Set SOL Configuration parameters return an error completion code when the configuration change was successful
- Fixed IPMI OEM commands for setting and getting the serial number and product ID.
- Fixed an intermittent loss of OA communications after an iLO firmware update on a blade server.

Re: Anyway to change the Subject Alternative Name on iLo SSL Cert Requests?

spellbreaker — Sun, 26 Mar 2017 09:40:42 GMT

I'm using iLO4. How do I get rid of the IP fields in the SAN section (and why is this there at all)? The IP SANs prohibt us from using an official certificate.

Re: Anyway to change the Subject Alternative Name on iLo SSL Cert Requests?

spellbreaker — Mon, 27 Mar 2017 12:44:54 GMT

But then you have to install your CA-Cert into every device you whish to use with your iLO-servers.. For an android device this means that you have to live with a system generated warning.... Actually I think it is a good idea to use an official CA even when you only connect from inside of your company. Imho using a private CA is only useful for authentification.

Re: Anyway to change the Subject Alternative Name on iLo SSL Cert Requests?

Oscar A. Perez — Wed, 29 Mar 2017 15:26:41 GMT

Within the next few weeks, we'll release a new iLO4 firmware that will let users choose if they want to include the iLO IP address(es) in the SAN.

Re: Anyway to change the Subject Alternative Name on iLo SSL Cert Requests?

SysAdman — Wed, 22 Feb 2023 18:30:28 GMT

This still doesn't explain how to add the shortname to the SAN list when generating a cert.

I've been playing around with the iLO Powershell cmdlets and as far as I can see the cmdlet only supports the "CN" field using an FQDN.

Is it possible to pass a parameter for the "subjectaltname" field typically used by OpenSSL conf files?

It looks like the field capabilities don not include the ability to specify the subjectaltname, however, iLO must do this when adding the IP option to the SAN list.

We want to add the shortname "server-ilo" to the SAN list, along with the FQDN and the IP.

e.g. here's the edited/redacted output of a:

Get-HPEiLOCertificateSigningRequest -Connection $connection -OutputType RawRequest

The Start-HPEiLOCertificateSigningRequest cmdlet doesn't appear to support anything more than the CN field, no subjectaltname option.

Target: server-ilo.domain.local
URL: https://server-ilo.domain.local/rest/v1/Managers/1/SecurityService/HttpsCert
ContentType: application/json
Response: {"@odata.context":"/redfish/v1/$metadata#Managers/Members/1/SecurityService/HttpsCert$entity","@odata.id":"/redfish/v1/Managers/1/SecurityService/HttpsCert/","@odata.type":"#HpHttpsCert.1.0.0.HpHttpsCert","Actions":{"#HpHttpsCert.GenerateCSR":{"target":"/redfish/v1/Managers/1/SecurityService/HttpsCert/Actions/HpHttpsCert.GenerateCSR/"},"#HpHttpsCert.ImportCertificate":{"target":"/redfish/v1/Managers/1/SecurityService/HttpsCert/Actions/HpHttpsCert.ImportCertificate/"}},"AvailableActions":[{"Action":"GenerateCSR","Capabilities":[{"PropertyName":"City"},{"PropertyName":"CommonName"},{"PropertyName":"Country"},{"PropertyName":"IncludeIP"},{"PropertyName":"OrgName"},{"PropertyName":"OrgUnit"},{"PropertyName":"State"}]},{"Action":"ImportCertificate","Capabilities":[{"PropertyName":"Certificate"}]}],"CertificateSigningRequest":null,"Id":"HttpsCert","Type":"HpHttpsCert.1.0.0","X509CertificateInformation":{"Issuer":"C = GB, O = XXXXX, OU = XXXXXX, CN = XXXXXX","SerialNumber":"XXXXX","Subject":"C = XX, ST = XX, L = XX, O = XX, OU = XX, CN = server-ilo.domain.local","ValidNotAfter":"2026-01-23T10:05:05Z","ValidNotBefore":"2023-01-24T10:05:05Z"},"links":{"self":{"href":"/rest/v1/Managers/1/SecurityService/HttpsCert"}}}