topic Re: Increase Public Key size to RSA4096 in certificate signing request in HPE OneView

Increase Public Key size to RSA4096 in certificate signing request

Lenny_Juarbe — Mon, 09 Jul 2018 16:28:17 GMT

Hello,

I am trying to import CA signed certs for my OneView 4.00.9 appliances. My CA admin was able to add the correct template with the following:

X509v3 Key Usage:
Digital Signature, NonRepudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web ServerAuthentication, TLS Web Client Authentication

However, when submitting the request it complained about the Public Key size. Apparently our policy is to use RSA 4096 bits.

Question is how do you increase the Public Key size in the request to 4096?

Any help is greatly appreciated.

Re: Increase Public Key size to RSA4096 in certificate signing request

ChrisLynch — Mon, 23 Jul 2018 18:34:37 GMT

Unfortunately, it is not possible to create a CSR with 4096 key length today. With HPE OneView 4.10 and the appliance put into CNSA Mode (which can break communication with legacy and older systems that cannot support the stronger encryption and cyphers), the CSR would generate a 3072 bit length key.

Re: Increase Public Key size to RSA4096 in certificate signing request

Lenny_Juarbe — Tue, 24 Jul 2018 06:17:02 GMT

Thank you Chris for the reply.

Just so I understand you correctly, with CNSA Mode the strongest encryption the appliance will generate is 3072 bits. Is it then possible to generate a csr using openssl with the key size set to 4096 and import the cert? In other words, does OneView accept/support certs with a 4096 bit Public key size generated by a csr outside of the appliance's own mechanism?

Re: Increase Public Key size to RSA4096 in certificate signing request

ChrisLynch — Tue, 24 Jul 2018 16:38:49 GMT

Unfortunately no. HPE OneView must generate the CSR today. We do not have a method to import both the private and publicly signed key to the appliance.

Re: Increase Public Key size to RSA4096 in certificate signing request

Thomas24 — Tue, 19 May 2020 16:48:54 GMT

Are there any changes until today.

I saw the option over the GUI to use 3072bit but our company policiy only allows key kength of at least 4096

Is there a way to create manually and import Certificates using 4096bits now?

Re: Increase Public Key size to RSA4096 in certificate signing request

TravellingKiwi — Thu, 03 Sep 2020 15:45:29 GMT

Plus 1 on this... We are in pretty much the same boat.

Has this been 'fixed' yet (OneView 5.3) - The docs would suggest it hasn't...

Re: Increase Public Key size to RSA4096 in certificate signing request

DanCernese — Thu, 03 Sep 2020 15:50:26 GMT

Not in HPE OneView 5.3 or 5.4 (next week). It is in the backlog though.

Re: Increase Public Key size to RSA4096 in certificate signing request

Daniel_Ufer — Tue, 07 Sep 2021 11:22:02 GMT

I have version 6.20.00-0443754 and still the same problem. 2048 bit for default or 3072 bits for CNSA compatible certificates. Is there an option to create a 4096 bit key/request now?

Regards, Daniel

Re: Increase Public Key size to RSA4096 in certificate signing request

ChrisLynch — Wed, 08 Sep 2021 19:56:08 GMT

We have not had many customers request 4k cert key length, only to reduce it to 2k. Is this a hard requirement for your organization?

Re: Increase Public Key size to RSA4096 in certificate signing request

JT77_CB — Mon, 01 Aug 2022 11:55:04 GMT

@ChrisLynch .

Hi Chris,

I'm infratructure engineer from Germany. My company will allow certificate templates with least RSA public keys 3072/4096bit after October 2022 depends to Federal Office for Information Security (BSI) "BSI TR-02102-1: "Cryptographic Mechanisms: Recommendations and Key Lengths" Version: 2022-1 " by January 2022. BSI recommened to use RSA keys hihger then 3000bit. I guess more german companies with HPE related hardware will get in this rsa key issue.

I'm running HPE Oneview 6.6 due still existing blade enclosures and BL460C Gen9.

So my question is is there a possibility to get CSR with 4096bit, also ILO 4+5 certificates which support 4096bit rsa public key?

Many Thanks Jens

Re: Increase Public Key size to RSA4096 in certificate signing request

ChrisLynch — Mon, 01 Aug 2022 17:42:40 GMT

We are working on a feature that will allow you to import the private and signed key via the REST API. That means you can generate the CSR outside of OneView, submit to your issuing CA, then import both in PCKS#12 format. I don't have an ETA that I can share publically.

Re: Increase Public Key size to RSA4096 in certificate signing request

JT77_CB — Fri, 05 Aug 2022 09:09:25 GMT

@ChrisLynch

Thanks for response Chris.

Can I assume that also the ILO FW will contains the CSR request generate function with 4096bit?

Re: Increase Public Key size to RSA4096 in certificate signing request

mc1903-2 — Mon, 27 Mar 2023 11:55:30 GMT

@JT77_CB I've stumbled across your post trying to find a solution for creating an iLO 5 certificate with a RSA key size greater than 2048 bits.

As far as I can workout through research and testing with an iLO 5 running firmware version 2.78 (latest as of today) there is NO support for iLO certificates with an RSA key size greater than 2048 bits.

CSR generation via the iLO GUI or PowerShell does not ask for keysize input - it's fixed at 2048 bits.

The iLO GUI offers an "Import an SSL Certificate & Private Key" option, but when I manually created a CSR using OpenSSL with a RSA key size of 4096 bits, the import failed with the error "SSL certificate could not be imported since the input key is not supported with the configured iLO security state. Verify the input key is either 384-bit ECDSA key in CNSA security state or 2048-bit RSA key in other security states."

HPE is not alone in this respect. Over the past 10 years, I have found most server/storage vendors remain way behind the times when it comes to any certificate related operations within their products.

It simply has never been given it the importance it should have had from day #1 and that will never change now, as most sheeple are dumb & happy enough to live with self-generated/self-signed certs.

[rant] Nothing will change until vendors are forced (shamed?) to stop relying on self-signed certs in their products and users are forced to use a 'real' CA to provide signed certificates as a mandatory part of the initial service bring up process. [/rant]

Re: Increase Public Key size to RSA4096 in certificate signing request

JT77_CB — Thu, 11 May 2023 06:04:11 GMT

Knahh another server hardware vendor also from the States can handle RSA4096 Keys, company name have 4 letters ,begins with D and ends with L

But better a RSA2048 key certificate imported then selfsigned rubbish;)

Re: Increase Public Key size to RSA4096 in certificate signing request

Jef_Paris — Thu, 31 Oct 2024 09:19:33 GMT

Hello, any news on this ?

Even Superm**** allow 4096 keys.

Re: Increase Public Key size to RSA4096 in certificate signing request

NikoP — Fri, 05 Sep 2025 13:35:24 GMT

we tried to use the workaround but ILO does not support more than 3k certs. is there any planing to fixit. as 2k certs is not sufficent.

any updates or planing? Thanks

Re: Increase Public Key size to RSA4096 in certificate signing request

Koichiro — Thu, 11 Sep 2025 15:09:28 GMT

iLO6 has been supporting ECDSA p384 in higer security modes and recently iLO6 v1.70 made it available in the Production mode as well.
https://support.hpe.com/connect/s/softwaredetails?language=en_US&collectionId=MTX-994a0b6ce04a44b9&tab=Enhancements

iLO7 v1.17.00 also made ECDSA p384 available in the Secure Standard Mode and updated its default key to be RSA4K-bit key.
https://support.hpe.com/connect/s/softwaredetails?language=en_US&collectionId=MTX-50cf5a2572824156&tab=Enhancements

Hope this helps.