topic Re: Add SAN and ignore IPv6 to Start-HPEiLOCertificateSigningRequest in Server Management - Remote Server Management

Add SAN and ignore IPv6 to Start-HPEiLOCertificateSigningRequest

Adis_S — Thu, 22 Nov 2018 13:46:34 GMT

1) Would it be posible to add SAN parameter to the Start-HPEiLOCertificateSigningRequest ? In most Microsoft CA is the "EDITF_ATTRIBUTESUBJECTALTNAME2" disabled because od (1) , thus it would be better to include this in Certificate request itself. From (1) "All certificate subject information (including SAN) should be included in the original certificate request"

2) Can there be also an parameter to exclude IPv6 from orginal certificate request.

I am using HPEiLOCmdlets 2.1..0.0 and have iLO4 v2.61 and I am doing request with this line

Start-HPEiLOCertificateSigningRequest -Connection $connection -City City -CommonName $srvILO -IncludeiLOIP -Country Country -Organization "Organization" -State "State" -OrganizationalUnit IT

On (2) there is written "Whenever possible, specify a SAN by using certificate extensions instead of request attributes to avoid enabling EDITF_ATTRIBUTESUBJECTALTNAME2."
How could this be done by uisng HPEiLOCmdlets ?

Reason for this request is because IE 11 (Edge maybe to?) does not trust iLO if accessed over IP even it is included in Certificate. Seems dns=ipaddress need to be added as SAN so that IE 11 can trust it.

DNS Name=esx01-ilo.server.local
IP Address=1XX.XX.XX.XXX
IP Address=fe80:0000:0000:0000:XXXX:XXXX:XXXX:XXXX

Edit #1: Also it is an problem that you can acutally not import private key and then the certificate, so there is no way to create request somewhere else which includes all SAN needed.

(1) https://blog.keyfactor.com/hidden-dangers-certificate-subject-alternative-names-sans

* Any custom SAN entries are only supposed to be used on the other Corporate Web Server certificates, but because the EDITF_ATTRIBUTESUBJECTALTNAME2 setting applies to the entire CA, all templates on that CA are affected, and all templates and all resulting certificates are at risk from impersonation attacks.

(2) https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff625722(v%3dws.10)

* Security best practices for allowing SANs in certificates

Re: Add SAN and ignore IPv6 to Start-HPEiLOCertificateSigningRequest

NareshISS — Mon, 26 Nov 2018 16:29:10 GMT

Hello Team,

please follow the below steps if its applicable:- https://community.hpe.com/t5/ProLiant-Servers-ML-DL-SL/Can-t-configure-Gen8-Gen9-IPV6-Ilo-settings/td-p/6752309#.W_avbOLhWM8 https://community.hpe.com/t5/ProLiant-Servers-ML-DL-SL/how-to-check-ipv6-gw-info-from-ilo4/td-p/6819325#.W_avb-LhWM8

Re: Add SAN and ignore IPv6 to Start-HPEiLOCertificateSigningRequest

Adis_S — Tue, 27 Nov 2018 13:06:21 GMT

@NareshISS

I am not sure why did you post the Links which does not have anything to do with Certificate Signing Request. Just to post something to have Post count higher, is not very helpful.

Re: Add SAN and ignore IPv6 to Start-HPEiLOCertificateSigningRequest

GokulKS — Wed, 28 Nov 2018 05:29:45 GMT

Hi,

Currently iLO4/5 does not provide any option to add SAN or ignore IPv6 in either iLO Web GUI or Redfish interfaces.

You need to raise a change request with iLO team.

Thanks,

Gokul

Re: Add SAN and ignore IPv6 to Start-HPEiLOCertificateSigningRequest

NareshISS — Wed, 05 Dec 2018 16:40:08 GMT

Hello,

please logged an HPE case and share the actual images of the issue and AHS report.

Regards,

Naresh Sharma

Re: Add SAN and ignore IPv6 to Start-HPEiLOCertificateSigningRequest

Adis_S — Fri, 07 Dec 2018 09:47:13 GMT

HPE see this not as an Issue but as an Enhancement Request.

Sure I did provide HPE Support with all logs and Images of the Issue.

Re: Add SAN and ignore IPv6 to Start-HPEiLOCertificateSigningRequest

Adis_S — Thu, 21 Jan 2021 06:53:17 GMT

I got asked over PM if there was any solution for this. I am afraid not, our Feature Request is still not fullfilled, but it is still open. There could be an workarround for these using Microsoft CA and where the EDITF_ATTRIBUTESUBJECTALTNAME2 is enabled.

Create CSR with iLO5 with all the Fields it currently allows us (i am using csv with Column "iLOHostname" and "iLOIP" :

$connection = Connect-HPEiLO -Credential $credential -IP $ilofqdn.iLOHostname -Timeout 200 -DisableCertificateAuthentication Start-HPEiLOCertificateSigningRequest -Connection $connection -City <City> -CommonName $ilofqdn.iLOHostname -Country <country> -Organization <organisation> -State <state> -OrganizationalUnit IT -IncludeiLOIP

get your CSR (i put pause for 60 sec in my script, to let CSR be created):

$output = Get-HPEiLOCertificateSigningRequest -Connection $connection $output.CertificateSigningRequest | Out-File "$scriptpath\csr\$ilofqdn.iLOHostname.csr" -Encoding ascii -Force

then submit the CSR with additional parameters to Microsoft CA by using this command line tool:
# you need to define all variable yourself or just type them in request.

$certreq = 'c:\Windows\System32\certreq.exe -submit -config $certificateserver -attrib "SAN:dns=$srvILO&dns=$shorthost&dns=$dnssrvilo&IPAddress=$dnssrvilo" -attrib "CertificateTemplate:$certificatetemplate" "$scriptpath\csr\$ilofqdn.iLOHostname.csr"'

You will get as output an ID which you can provide to your CA Admin to issue it, after that you can grab your certificate

$certretrieve = 'certreq.exe -retrieve -config $certificateserver $_.RequestId "$scriptpath\cert\$shorthost.crt"'

Finaly import it to iLO5

$cert1 = Get-Content -Path "$scriptpath\cert\$shorthost.crt" -Raw # Base64-encoded X.509 certificate $StatusInfo = Import-HPEiLOCertificate -Connection $connection -Certificate $cert1

Hopes this help someone in future.