topic REST API upload CA chain in HPE OneView

REST API upload CA chain

bradawk1 — Fri, 23 Jan 2026 07:43:51 GMT

I recently updated the server certificate for one of our OneView instances. When I tried to upload the signed certificate via the REST API it was rejected because the intermdiate certificate it was signed by was not in OneView. So, I tried to upload that intermediate certificate, but it was rejected because the root certificate it was signed by was not in OneView. We have an internal CA with several intermediate and root certificates. So, I downloaded all of those. I read that I can upload the entire chain to /rest/certificates/ca. So, I wrote build-cert-chain.sh to build the cert chain.

#!/bin/bash for VAR in OneView currentVersion sessionID DATA; do if [[ -z ${!VAR+x} ]]; then echo "${VAR} is not set! You need to source the get-session-credentials.sh script.";return 1 2>/dev/null || exit 1;fi done declare -i NUM=2 OPTIND=1 OPTARG= OPTERR=1 while getopts 'c:a:n:' flag; do case "${flag}" in a) ALIAS=${OPTARG};; c) SCRT=${OPTARG};; n) NUM=${OPTARG};if ! [[ "${NUM}" =~ ^[0-9]+$ ]]; then echo "The value for -n must be a number." >&2;return 2 || exit 2;fi;; esac done if [[ "${NUM}" == "" ]]; then echo "NUM was not set. Setting it to 1";NUM=1;fi SCRTN=$(awk 'NF {sub(/\r/, ""); printf "%s\\n", $0}' "$SCRT") if [[ ${NUM} -eq 1 ]]; then DATA=$(jq -n --arg cert "${SCRTN}" --arg alias "${ALIAS}" '{members:[{certificateDetails:{base64Data:$cert,aliasName:$alias}}]}') else DATA=$(jq --arg cert "${SCRTN}" --arg alias "${ALIAS}" '.members += [{certificateDetails:{base64Data:$cert,aliasName:$alias}}]' <<<"${DATA}") fi export DATA

I then ran echo ${DATA} > chain.cer. I wrote upload-ca-cert.sh to upload it:

#!/bin/bash for VAR in OneView currentVersion sessionID DATA; do if [[ -z ${!VAR+x} ]]; then echo "${VAR} is not set! You need to source the get-session-credentials.sh script.";return 1 2>/dev/null || exit 1;fi done OPTIND=1 OPTARG= OPTERR=1 while getopts 'c::' flag; do case "${flag}" in c) SCRT=${OPTARG};; esac done CERTURI=$(curl --insecure --include --silent \ --header "content-type: application/json" \ --header "X-API-Version: ${currentVersion}" \ --header "auth: ${sessionID}" \ --data @SCRT \ --request POST ${OneView}/rest/certificates/ca | grep '^Location:' | awk '{ print $2 }') echo "Waiting 30 seconds for the process to complete" sleep 29 echo "Checking the status of the upload process:" curl --insecure --silent \ --header "X-API-Version: ${currentVersion}" \ --header "auth: ${sessionID}" \ --request GET ${OneView}${CERTURI} | jq -r '.' export CERTURI

When I try to upload it, I get INVALID JSON MAPPING, JSON cannot be parsed. Oh! I think I might have one too many backslashes before n for the linefeeds. I have: \\n. I think it is supposed to be \n. Let me try to rectify that and see how it goes.

Re: REST API upload CA chain

bradawk1 — Thu, 18 Dec 2025 13:11:51 GMT

Unfortunately removing that extra backslash did not do it. Any ideas? My JSON looks just like the example:

{ "members": [ { "certificateDetails": { "base64Data": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----", "aliasName": "ca Alias Name1" } }, { "certificateDetails":{ "base64Data":"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----", "aliasName":"ca Alias Name2" } } ] }

The alias names have spaces in them. Does that matter?
Just FYI, I also tried just uploading a single intermediate certificate and got the same response.

Re: REST API upload CA chain

bradawk1 — Mon, 29 Dec 2025 12:36:19 GMT

No one has uploaded a CA chain using the REST API? Either I am missing someting, or the documentation is incorrect. I have a single CA certificate formatted as depicted in the REST API reference and saved to chain.cer. I then ran:

jq -r '.members[].certificateDetails.base64Data' chain.cer | openssl x509 -text -nout

and received the properly decoded certificate details. So, I think my format should be good.

Re: REST API upload CA chain

Rakesh0404 — Tue, 20 Jan 2026 05:28:21 GMT

Hi Bradawk1,
Thank you for choosing HPE.
From the looks of the query, the maximum chain can be uploaded in 10.

The user guide does share the informatoin perfect steps to add:
https://support.hpe.com/docs/display/public/dp00006389en_us/index.html#rest/certificates/ca?ref=POST%20%2Frest%2Fcertificates%2Fca&query=POST%20%2Frest%2Fcertificates%2Fca

It is best to validate the certificate before adding to store with the below command.
POST/rest/certificates/ca/validator