topic Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own in Server Management - Remote Server Management

iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own CA?

ay_jay — Tue, 04 Feb 2020 17:05:28 GMT

I see the option to generate a CSR, and another to import a certificate, but we have our own trusted CA who generate certificates and we typically create certificate bundles with the root and intermediate. We need to add certificates to our iLO 5 hosts and the certs with their respective keys have already been generated. How do I upload them to iLO? Is there a step by step guide for this, and will this be disreuptive to the server/ESXi traffic?

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

Torsten. — Tue, 04 Feb 2020 18:30:04 GMT

ILO user guide has all the steps.

Importing a trusted certificate
Prerequisites
Configure iLO Settings privilege
Procedure
1. Click Security in the navigation tree, and then click the SSL Certificate tab.
2. Click Customize Certificate.
3. Click Import Certificate.
4. In the Import Certificate window, paste the certificate into the text box, and then click Import.
iLO prompts you to confirm the request and reset iLO.
5. Click Yes, apply and reset.
iLO imports the certificate, and then resets

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

auscop — Mon, 28 Sep 2020 01:45:46 GMT

This does not answer the OP question. He is asking can an already generated key be uploaded. So the private key would need to be replaced as well so it matches the public key. I have the same issue, I have over 1000 iLO4 and iLO5 interfaces. I have a wildcard certificate generated from our CA. I need to be able to upload it plus the matchng private key in to iLO. It is not practical to have to manually generate over 1000 CSRs, and have them submitted to our CA to create over 1000 different public keys. Can this be done?

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

Grimy — Thu, 29 Oct 2020 23:39:14 GMT

Hi mate, any luck with this?

I attempted to paste in a combined -----BEGIN PRIVATE KEY----------BEGIN CERTIFICATE----- via the gui but no deal. About to try the commandline route....I've got aboutttt 550 servers to sort

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

auscop — Fri, 30 Oct 2020 00:47:19 GMT

Sorry Mate, no luck. Have have not tried much after I posted. By what I can tell it is not possible without some type of hackery. I don't see anyway to access the private key in the normal manner. Using ssh straight to the iLO I looked everywhere for a private key and couldn't find it. Even if it was viewable then I would not know how to write over it. I have tried messing with hponcfg and hpilo_cli tools and neither will accept private key as a variable. My guess the lack of response from HP to my post means they don't want to admit it is not possible at the moment. Why developers would think we would be happy to create 100's or 1000's of separate private/public key pairs makes zero sense. And given all my servers have zero internet access doesn't help.

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

SanjeevGoyal — Wed, 12 Jul 2023 15:03:25 GMT

Hello,

You can refer user guide as well : https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00105236en_us

Symptom

User authentication fails when iLO is configured to use Active Directory.

Cause

There is a certificate problem:

An SSL certificate is not installed on the Active Directory server.
An old SSL certificate on the Active Directory server points to a previously trusted CA with the same

name as the CA in the current certificate. This situation might happen if a certificate service is added

and removed, and then added again.

You can verify this cause by checking the SSL Connection test results on the Directory Tests page.

Action

Open the MMC.
Add the certificates snap-in.
When prompted, select Computer Account for the type of certificates you want to view.
To return to the Certificates snap-in, click OK.
Select the Personal > Certificates folder.
Right-click the folder and select Request New Certificate.
Verify that the Type is domain controller, and click Next until a certificate is issued.

Connect using SSL test reports a failure

Symptom

The Connect using SSL test reports the status Failed.

Cause

The SSL handshake and negotiation between iLO and the directory server were unsuccessful.

Action

Enable the directory server for SSL negotiations.
If you are using Microsoft Active Directory, verify that Active Directory Certificate Services is installed.

Please feel free to contact me if you have any further questions or concerns.

If you feel this was helpful please click the KUDOS! thumb below!

Regards,

[Moderator edit: Updated the broken link.]

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

scottwichall — Tue, 17 Nov 2020 15:38:16 GMT

This post is completely irrelevant.

We wish to know how to upload our own certificates and private keys to iLo so we dont have to generate potentially thousands of certificate requests (for those with big estates)

Funny how your biggest competitor can manage this with a 3 simple RACADM commands isn't it.

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

Grimy — Tue, 17 Nov 2020 23:40:50 GMT

True that

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

Tono11 — Wed, 14 Apr 2021 15:58:15 GMT

As appointed, completly unuseful answer.

I have the same problem. I cannot generate the certificate from a crt made in the ILO server. I need change the certificate AND de private key. My company doesn't give me a certificate if I don't generate the private key myself.

Please let us know how to change the private key AND the certificate.

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

Adis_S — Fri, 16 Apr 2021 08:51:06 GMT

As far I know, it is not possible to upload Private Key to iLO5 (or older). We have an two feature requests ongoing, one for this issue, and one for CSR request over iLO or PowerShell iLO cmdlets to add EMail Attribute. If more ppl requests this over their HPE Contacts, maybe this would be implemented in future.

Also some information which we find as wrong in Documentation and are now fixed:
* iLO4 have the limit of 3k for Certificates 3k Limit <- not posible to extend because of Hardware limitation
* iLO5 have 16k limit for Certificate <- so here could be posible to store private key and certificate to.

As workaround to your problem, you could use PowerShell and iLO cmdlets to do bulk CRS requests and then also to automate sending to internal CA for signing with certreq.exe and also for retrieve.

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

EliteX2Owner — Fri, 16 Apr 2021 13:18:55 GMT

Yep just a +1 here. We've recently begun to deploy HPE boxes in scenarios where we need high clock rate chips our normal Cisco UCS doesn't have. We then of course ran smack into this issue when trying to determine how to deploy our public CA-issued wildcard cert that we use for infrastructure. Since we use public CA certs, AND these systems do not have internet connectivity, we're faced with the choice of what will be an absolute nightmare trying to order/issue/install a unique paid (i.e. $$) cert on every single server vs just pushing our wildcard in, or, downgrade the security on our management systems by instructing them to not validate certs. No, we don't use an internal Windows CA, we have no Windows in our environment, nor do we want to deploy a private CA and then worry about getting every other internal system to trust it.

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

Tono11 — Tue, 20 Apr 2021 09:09:48 GMT

Well, in my case we have 2 options:

1.- Create ourselves the private key and generate the certificate request. The company CA process it and give us the certificate.

2. We make the crs with the following constrains:

Make a local copy of openssl.cnf and append the following lines to it:

[req]
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = host1.mycompany.com

Run this command:
openssl req -new -subj "/CN=host1.mycompany.com" -out newcsr.csr -nodes -sha512 -newkey rsa:2048 -config openssl.cnf

The newcsr.csr file will contain the certificate request. We can upload the file or paste its contents in the textbox provided by our CA, including the header (---BEGIN CERTIFICATE REQUEST---) and the corresponding footer (---END CERTIFICATE REQUEST---). and they deliver the certificate.

The problem is that I cannot generate "exactly" like that in the ILO interface. When I try to left emply all the fields except the CN, ILO doens't let me go further because all the Country, State, etc. fields are emply.

If I fullfill all this information, the CA complains with: "The subject in the certificate signing request must only contain a CN" ...

Well.. completly blocked...

Regards.

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

gherardini — Thu, 20 May 2021 21:32:07 GMT

We attempted to upload out own custom certs directly into the iLO..... no luck. we had to create the iLO's own cert request, (FQDN & IP Address) (*.csr) upload into the system generating our custom cert, then take that *.cer and copy and paste the -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----.

Our certificate generation did strip away all the company data and insert its own. When the iLO imported the cert it properly displayed all the correct data for our organization entries.

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by

mmad — Mon, 09 Aug 2021 11:51:55 GMT

In ILO 5 I did select Security -> SSL Certificate -> Customize Certificate -> here I did fill the form according to my company details afterwards -> Generate CSR

The trick did this instructions: https://phdops.kblin.org/hp-ilo-ssl-cert.html

This worked perfectly fine for me.

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by

Xavier Walker — Thu, 21 Oct 2021 14:30:05 GMT

+100000

We really need to have a way of providing our own private keys and not having to manually create CSRs for every ILO.

It's also an issue when internal CAs don't normally provide certificates via CSR and provide directly a private key + certificate. I'm currently in this position so cannot actually install any certificate that's provided/approved by my internal CA.

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by

GrahamCranstoun — Wed, 09 Nov 2022 11:56:43 GMT

Did anyone get to the final answer on this to whetehr or not you can import a wilcard cert into the iLO.

Currently I am on iLO5 (Version 2.72)

Apologies if I have missed the answer to this.

Thanks in advance

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by

EliteX2Owner — Wed, 09 Nov 2022 12:38:29 GMT

You can't import any key/cert combo, let alone a wildcard. It sucks.

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by

Adis_S — Wed, 01 Feb 2023 07:29:03 GMT

it should be posible with new iLO 5 2.78 (December 2022) via Redfish

iLO 5 Redfish API Reference document (hewlettpackard.github.io)