topic Re: OneView CERT in HPE OneView

OneView CERT

Scott Caryer — Thu, 15 Mar 2018 20:58:55 GMT

I am trying to import a cert from my windows CA DC to my new 4.0 OneView appliance.

I am first generating the CR from the OneView appliance. Then I create it from my Windows CA using teh WebServer2048 option.

I keep getting the below error message: The certificate is not valid

Unable to import signed certificate.
Extended Key Usage(EKU) field in the certificate does not contain Server Authentication and/or Client Authentication

Resolution Provide a valid certificate with EKU field set as specified

If the issue persists, Create a support dump and contact your authorized support representative for assistance.

Please advise...

Scott

Re: OneView CERT

ChrisLynch — Thu, 15 Mar 2018 22:15:28 GMT

The message is quite clear what is wrong. The SSL certificate you created must contain the Server Authentication attribute set. Take a look at the screenshot of a certificate deployed on my appliance.

I'm also attaching the Web Server Certificate Template policy I used on my Windows Server 2016 CA

Re: OneView CERT

Scott Caryer — Fri, 16 Mar 2018 02:11:37 GMT

Thanks for your reply Chris! I see the buck stops with you here in the OneView forums.

So I generated the certificate request through the "Guided Section" area on my OneView appliance(4.00.07-0330056). I then generated the cert from my Windows 2012 CA utility seen in the attachment. I selected the "WedServer2048" for the Certificate Template. I do not have a certificate template for Server authenication. So I am a little confused on how to create the certificate properly. The install guide does not talk much about installing a cert on the appliance.

Thanks for any assistance. As you can tell, cert management is not my speciality.

Any additional info woudl be great.

Thanks in advance, Scott

Re: OneView CERT

ChrisLynch — Fri, 16 Mar 2018 02:22:15 GMT

The reason why we don't document the CA part is that every customer is different, and uses different enterprise CA products. Since you are using Microsoft Enterprise Certificate Authority Services, it's quite simple. On your Issuing CA, you need to make sure a Web Server Template is available, or a CA Template Policy that is configured with the Enhanced Key Usage policy I showed in the screenshot. Also, review these Microsoft Technet links (Link1 and Link2) on how to configure a Certificate Template Policy. Even though those links are for Windows Server 2003, they still apply to Server 2008, Server 2012 and Server 2016.

Re: OneView CERT

Romper — Fri, 13 Apr 2018 06:34:16 GMT

I too have had this error, however my WebServer template does allow for EKU and the certificate does show Server Authentication as a valid purpose (same as in your certificate as shown).

We too are using MS CA.

Re: OneView CERT

John Bigg — Fri, 13 Apr 2018 14:32:11 GMT

You need both Server AND Client authentication. Do you have both?

Re: OneView CERT

bronman — Fri, 25 May 2018 07:14:22 GMT

I have the same issue

Re: OneView CERT

John Bigg — Tue, 29 May 2018 12:34:19 GMT

You need to make sure that your CA honours the request for the EKU fields Server Authentication and Client Authentication. One or both of these are missing from the certificate generated by your CA.

Re: OneView CERT

Daniel-L — Fri, 01 Jun 2018 11:34:06 GMT

Hello Scott,

that's what I've got (after some lengthy discussion) from HPE support:

If you create a Certificate Signing Request (CSR) in OV, it will request the following usages:

X509v3 Key Usage:

Digital Signature, NonRepudiation, Key Encipherment

X509v3 Extended Key Usage:

TLS Web ServerAuthentication, TLS Web Client Authentication

If you submit this CSR to your CA, the resulting certificate should contain all these features.

Make sure, that your CA will generate a ceritifcate that includes ALL of above.

Had to get our CA team to try several times, until OneView was satisfied with the generated certificate.

Regards,

Daniel

Re: OneView CERT

Denialmix — Mon, 04 Jun 2018 20:27:04 GMT

Duplicate WebServer template, check ServerAuth and add ClientAuth, add Non Repudiation... add Template in your CA and Works!

Thanks!

Re: OneView CERT

CorbettEnders — Wed, 03 Feb 2021 16:50:25 GMT

Here's the steps for someone using a Microsoft cert authority in their windows domain.

Create the cert request from Oneview
1. Log into Oneview and from the NAV in the top left select Settings.
2. Click on Security
3. In the Actions menu top right, select Create appliance certificate signing request
4. Fill in the details and click OK to get the large text block containing the base64 encoded cert request.
5. Copy the cert request to your clipboard or save the text in Notepad.
Create a certificate template that OneView will be happy with.
1. On your Windows CA, open the "Certification Authority" app.
2. In the tree on the left side, right-click on Certificate Template and select Manage.
3. Scroll down to Web Server and right-click select Duplicate Template
4. On the General tab, tweak the names to your liking. I use "HPE OneView".
5. On the Extensions tab, click Application Policies and click Edit. Add Client Authentication. Click OK. You should now have both Server Authentication and Client Authentication.
6. On the same Extensions tab, click Key Usage and click Edit. Checkmark "signature is proof of origin (nonrepudiation)". Ensure Allow key exchange only with key encryption (key encipherment) radio button is selected. Click OK.
7. On the Security tab, apply read and enroll to whichever user account will be requesting the cert from this CA (ie: domain admins, your windows account, etc). I use my domain admin account.
8. Click OK/Apply and close editing that template.
9. Back at the main Certification Authority screen, right click again on the Certificate Template folder and select New -> Certificate Template to issue.
10. Choose the certificate template you just duplicated (in my case: HPE OneView).
11. Verify that you see it in the list.
Request the certificate from your CA using the new template
1. Open a web browser and navigate to your CA's webpage. In my case: http://dc09/certsrv
2. Click on "Download a CA Certificate, certificate Chain, or CRL
3. Select Base64 and click Download CA Certificate - Name it CA-cert.txt and save it somewhere.
4. Go back to the home page and click Request a Certificate
5. Click Advanced Certificate Request
6. Click Create and Submit a request to this CA.
7. Paste in the base64 text copied from step 1 and in Certificate Template select the template name you just created, in my case HPE OneView.
8. Click Submit.
9. Select Base64 encoded and click Download Certificate, save the file oneview.txt.
Import both the CA and the server certificate into Oneview.
1. Back on the Security settings page of OneView, click on Actions > Manage Certificates
2. Click Add Certificate
3. Using Notepad, open the CA-cert.txt file you downloaded in step 3-3 above. Copy and paste the base64 text into the dialog and then click Add.
4. Assuming no issues, close that page and then click Actions > Import Appliance certificate.
5. Open the oneview.txt cert downloaded in step 3-9 above and copy/paste the text into this Import cert dialog.
6. Click OK and if all goes well, no errors and the system will import the cert.

Next time you browse the page you should get a happy cert.

Re: OneView CERT

kpatelvno — Thu, 07 Mar 2024 18:48:58 GMT

Followed @CorbettEnders detailed directions, worked perfectly for us!

Only addition was giving the user that was doing the certificate intall enrollment rights on the certificate template.