topic iLO SSL Certificate, why no SAN for short name? Or why can't we generate key and cert external in Server Management - Remote Server Management

iLO SSL Certificate, why no SAN for short name? Or why can't we generate key and cert external

uzimmermann — Wed, 23 Sep 2020 03:32:16 GMT

I really dislike how I can add the short name of the iLO to the certificate signing request as subject alternate name, just like the IP.

Or allow us to generate the certifcate external with key and just upload the pair.

If the iLO is named con-serverXXX.domain.info, the certficate ideally should really include the FQDN plus via SAN con-serverXXX, IPv4 IP and IPv6 IP.

Re: iLO SSL Certificate, why no SAN for short name? Or why can't we generate key and cert external

SanjeevGoyal — Fri, 25 Sep 2020 04:10:05 GMT

Hello,

I would suggest the best option may be to allow users to upload a PFX/PKCS12 file that includes the private key and certificate (and the ca chain?). That way, you can use wildcards, CERTS with multiple SAN names (perhaps listing all their ILO hostnames), and short names if they so choose.

PFX/P12 files have passwords, so you would want to accept the file plus the password and run open SSL to split apart the key and CERT and store them in the appropriate location on the iLO. Or allow us to upload an unencrypted RSA private key and the certificate in a webform with two fields.

What you could do is to create your own private CA in your organization and use this CA to issue the iLO certificates. This gives you more flexibility and control over what settings you want enabled/disabled. The only caveat of using a private CA is that you need to install the Certificate of this CA into your browsers and applications so, they can trust the certs issued by it.

Please follow the below link and make sure the server should be updated with the latest bios and ILO firmware.

HPE iLO 5 1.30 User Guide ( Page no 329)

http://itdoc.hitachi.co.jp/manuals/ha8000v/hard/Gen10/iLO/880740-004_en.pdf

HPE iLO 4 User Guide ( Page no:74)

http://www.ni.com/pdf/manuals/377263a.pdf

HPE iLO 5 Scripting and Command Line Guide ( Page No 124)

https://server-recycling.nl/images/faq/handleidingen/HP-iLO-5-Scripting-and-Command-Line-Guide-a00018323en_us.pdf

If you feel this was helpful please click the KUDOS! thumb below!

Regards,

Re: iLO SSL Certificate, why no SAN for short name? Or why can't we generate key and cert external

uzimmermann — Tue, 29 Sep 2020 18:57:58 GMT

Yes, we have our own private CA. Using a wild card or not certificate doesn't matter so much to me, but I wished iLO would support import of key and certificate or at least allow generation of CSR with SAN of short name in addition of IPv4 and IPv6 address.

OneView for example automatically fills the SAN with short name, FQDN and IPv4/v6 address.

Re: iLO SSL Certificate, why no SAN for short name? Or why can't we generate key and cert external

uzimmermann — Wed, 30 Sep 2020 00:54:01 GMT

Ok here is what I ended finally up remembering from a previous job and recreated what I had there.

Use powershell to request CSR from iLO
Save CSR to disk
Grab common name from CSR and SAN
Create environment variable called ALTNAME, which lists all the SAN, i.e. "DNS:<FQDN>, DNS:<short>, IP:<IPv4 address>, IP:<IPv6 address"
Call the usual openssl ca operation but add "-extfile openssl-san.cnf"
Convert file to PEM and load into iLO

The openssl-san.cnf file just contains:

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = $ENV::ALTNAME

This will override the SAN as provided by iLO in the CSR and generates a certificate which also has the short name in it.

Re: iLO SSL Certificate, why no SAN for short name? Or why can't we generate key and cert external

SanjeevGoyal — Wed, 30 Sep 2020 00:57:55 GMT

Hello,

Thank you for your update.

Please let us know if you have any other queries.

If you feel this was helpful please click the KUDOS! thumb below!

Regards,

Re: iLO SSL Certificate, why no SAN for short name? Or why can't we generate key and cert external

Adis_S — Thu, 21 Jan 2021 06:32:46 GMT

I am facing same issue, not having option to add additional SAN and E-Mail to the CSR request within iLO5. That is the reason company at which I work raised an Feature Request with HPE with the hope that they give us such option. Other HPE Products like OneView , OneView for Composer2, C7000 ENCs etc., all have more Field options when requesting CSR then the iLO4/5.

When using Microsoft CA in the Company (and nothing else allowed) the trick with openssl will not work, or with any other private CA. There is an workaround with certreq.exe when requesting Certificate, but requires the Microsoft CA option EDITF_ATTRIBUTESUBJECTALTNAME2 which is not recommended from Microsoft anymore, and on our side disabled.

So for us when hope that the Feature Request will be fulfilled.