topic Re: Upload CA Signed OneView Certificate in HPE OneView

Upload CA Signed OneView Certificate

bradawk1 — Thu, 10 Aug 2023 03:57:01 GMT

I'm having a little trouble with the last part of renewing our OneView appliance server certficate. I can generate the CSR and submit it to our CA for signature. I get back the signed certificate in base64 encoded format and paste into <oneview hostname>.cer.

SCRT=<oneview hostname>.cer # Change the line feeds to '\n': SCRTN=$(cat ${SCRT} | awk '{ printf "%s\\n", $0 }') # Add a leading newline: SCRTN="\n${SCRTN}" # # Post to the OneView appliance: CERTURI=$(curl --insecure --silent \ --header "content-type: application/json" \ --header "X-API-Version" ${currentVersion}" \ --header "auth: ${sessionID}" \ --data '{ "base64Data":"${SCRTN}" }' \ --request PUT ${OneView}/rest/certificates/https | jq -r '.uri') # # Check the task status: curl --insecure --silent \ --header "X-API-Version" ${currentVersion}" \ --header "auth: ${sessionID}" \ --request GET ${OneView}${CERTURI} | jq -r '.' #

It always says the certificate is not a valid X.509 certificate. The API Reference shows the newlines are replaced with '\n' in the certificate uploaded. If I upload the certificate via the gui, it works. So, what am I doing wrong?

Re: Upload CA Signed OneView Certificate

ChrisLynch — Wed, 09 Aug 2023 16:13:32 GMT

As long as you have the base64 value of the certificate in string format, you do replace the EOL with "\n". Do not forget to include the ending "\n" after the "---END CERTIFICATE---" keyword.

Can you provide an example of the certificate here? Feel free to replace specific letters to alternate values, or other ways to obscure the text of the body without making it difficult to review the overall format.

Re: Upload CA Signed OneView Certificate

bradawk1 — Thu, 10 Aug 2023 09:22:18 GMT

Hi Chris,

Those servers are not connected to the Internet. I'd have to re-type and would most likely make lots of typos anyway. It is a valid certificate. If I run:

cat ${SCRT} | openssl x509 -noout -text

I get valid certificate information. The awk command takes each line, prints it and adds a '\n' at the end. Since it is a printf function, no automatic line feed is printed. So, it all winds up on one line with '\n' in place of the line feeds. The next line (of my code) just adds a '\n' at the begginning. If I run:

echo ${SCRTN} | wc -l

I get 1 which is what I would expect. It is one line.

I went back and looked at the Vs 5000 REST API Reference and in the Request Body, base64Data section, it shows format-----BEGIN CERTIFICATE----- encoded data here -----END CERTIFICATE-----. Which to my reading implies no '\n's at all. So, I tried it that way. Still get back not a valid X.509 format.

Re: Upload CA Signed OneView Certificate

bradawk1 — Thu, 10 Aug 2023 11:22:06 GMT

When I downloaded the current certificate from the appliance, it had a single space every where one would expect a newline (or '\n'). So, I tried uploading in that format, but still got the same error.

Re: Upload CA Signed OneView Certificate

bradawk1 — Fri, 11 Aug 2023 13:16:25 GMT

Also, related: I tested this from four of our OneView appliances. Downloaded the current server certificate with:

curl --insecure --silent --header "X-API-Version: ${currentVersion}" --header "auth: ${sessionID}" \ --request GET ${OneView}/rest/certificates/https | jq -r '.base64Data'

and for each one I get two certificates. One is the one I got signed by our CA. The other says it is signed by our CA but it has a serial number much shorter than we normally see and the lifetime of the certificate is much longer than we normally get. Any idea what the second certificate is? Do I need it? If not, how do I remove it? In the gui, how do I see the server certificates downloaded from this REST location?

Re: Upload CA Signed OneView Certificate

MV3 — Mon, 14 Aug 2023 04:45:00 GMT

Hello,

To delete the cretificates below are the steps.

Log into the OneView User Interface (UI).
Select OneView -> Settings.
Scroll under "Security" and click the "Manage Certificates" link.
Delete the unwanted certificate.
Wait for the deletion(s) to be completed.
Close the UI.

We are not sure about the certificate you are talking about. We would suggest you to review the certificate and then delete it if it is not required.
Cheers...

Re: Upload CA Signed OneView Certificate

bradawk1 — Wed, 16 Aug 2023 08:50:17 GMT

@MV3 @ChrisLynch OK, a few things:

My topic is about using the REST API. I have two related questions. If the answer to the second one is to use the GUI, then that is fine.
My most pressing issue is in regards to the appliance server certificate. I'm trying to upload a signed certifcate using PUT ${OneView}/rest/certificates/https, but it always tells me that the certificate is invalid when I know it is valid. I've tried changing all of the new lines to '\n' and ' ' and neither worked.
When pulling the current appliance server certificate using GET ${OneView}/rest/certificates/https I get two certificates. One is valid, the other looks almost valid, but has some discrepancies. So, trying to figure out what the second one is?
Two things about the gui path you depicted:
1. I've never seen the appliance certificate in that path.
2. It only shows the first 100 certificates. I'm not sure how to see the rest?
3. I do see the appliance certificate OneView -> Settings -> Security and scroll down to Appliance certificate. There I only see the current signed certificate, not two. So, just trying to figure out what is the second certificate; do I need it?; if not, how to get rid of it?

Re: Upload CA Signed OneView Certificate

bradawk1 — Fri, 08 Sep 2023 06:12:07 GMT

@ChrisLynch @MV3 Here is an example certificate. How would the JSON be formatted to upload it?

{"base64Data":...}

If I am reading the documentation correctly, it should look like:

{"base64Data":"\n-----BEGIN CERTIFICATE-----\nMIIFEDCCBLagAwIBAgIQD1oKDuqLztsPaAHCwdd2cjAKBggqhkjOPQQDAjBKMQsw\nCQYDVQQGEwJVUzEZMBcGA1UEChMQQ2xvdWRmbGFyZSwgSW5jLjEgMB4GA1UEAxMX\nQ2xvdWRmbGFyZSBJbmMgRUNDIENBLTMwHhcNMjMwODIwMDAwMDAwWhcNMjMxMTE4\nMjM1OTU5WjBqMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQG\nA1UEBxMNU2FuIEZyYW5jaXNjbzEZMBcGA1UEChMQQ2xvdWRmbGFyZSwgSW5jLjET\nMBEGA1UEAxMKbWVkaXVtLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCmN\n6bdL+wPlikrkF3XNe7TLzPwTG5u6EyFABcu8AURgBjWsuL9q7LsrvMY9WDdJTc3O\nJbx13wqyKn6FA0DrLESjggNcMIIDWDAfBgNVHSMEGDAWgBSlzjfq67B1DpRniLRF\n+tkkEIeWHzAdBgNVHQ4EFgQUfJstVdrm+yFLKIDeNkIkp71B/kIwIwYDVR0RBBww\nGoIKbWVkaXVtLmNvbYIMKi5tZWRpdW0uY29tMA4GA1UdDwEB/wQEAwIHgDAdBgNV\nHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwewYDVR0fBHQwcjA3oDWgM4YxaHR0\ncDovL2NybDMuZGlnaWNlcnQuY29tL0Nsb3VkZmxhcmVJbmNFQ0NDQS0zLmNybDA3\noDWgM4YxaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL0Nsb3VkZmxhcmVJbmNFQ0ND\nQS0zLmNybDA+BgNVHSAENzA1MDMGBmeBDAECAjApMCcGCCsGAQUFBwIBFhtodHRw\nOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwdgYIKwYBBQUHAQEEajBoMCQGCCsGAQUF\nBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wQAYIKwYBBQUHMAKGNGh0dHA6\nLy9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9DbG91ZGZsYXJlSW5jRUNDQ0EtMy5jcnQw\nDAYDVR0TAQH/BAIwADCCAX0GCisGAQQB1nkCBAIEggFtBIIBaQFnAHYArfe++nz/\nEMiLnT2cHj4YarRnKV3PsQwkyoWGNOvcgooAAAGKEIHUjgAABAMARzBFAiAJusYm\nusT8WdhtcpIzTxF2V8fTAHUJPO+Ei/qhLMWxDgIhANl8UPWVCnJv4X+9QNMGgYDx\ngLGfrAXwSsXWOB/oj/nRAHQAejKMVNi3LbYg6jjgUh7phBZwMhOFTTvSK8E6V6NS\n61IAAAGKEIHT9AAABAMARTBDAh86EJCJ4tO/3XPee4v2MJTlBj6SB4drOm3k0XWV\nzdxeAiACJ48gSLa/YlNJgynpMjhI+UQTdXY9q7nbLgg77YHfCQB3ALc++yTfnE26\ndfI5xbpY9Gxd/ELPep81xJ4dCYEl7bSZAAABihCB0/IAAAQDAEgwRgIhAPWdvDFG\nVm4rBPPFS5Hy8ozItrQZ8XGwrPIHKkQZ+ID0AiEAnq1e22khS+2dubbMpunr95Hx\n3eeINIJQHANMJ9sFBkcwCgYIKoZIzj0EAwIDSAAwRQIgZBgqdHAa5+TdP+Dq3dBb\nbZul+threyO+SVaKuj5vWlACIQCCca3F+VMJxo44/bUvN3OavgvwAdmQ0GfWuaNz\nIRTi3A==\n-----END CERTIFICATE-----\n"}

but that does not work. I've tried without the leading and trailing '\n' but that also does not work.

Re: Upload CA Signed OneView Certificate

bradawk1 — Fri, 08 Sep 2023 10:12:21 GMT

I figured it out. In my original code, I had specified the data portion of the curl command as:

--data '{ "base64Data":"${SCRTN}" }'

when I put that value in a variable and then just sent the variable:

SCRT=<oneview hostname>.cer # Change the line feeds to '\n': SCRTN=$(cat ${SCRT} | awk '{ printf "%s\\n", $0 }') # Add leading '\n': SCRTN="\\n${SCRTN}" # DATA='{ "base64Data":"${SCRTN}" }' # # Post to the OneView appliance: CERTURI=$(curl --insecure --silent \ --header "content-type: application/json" \ --header "X-API-Version" ${currentVersion}" \ --header "auth: ${sessionID}" \ --data "${DATA}" \ --request PUT ${OneView}/rest/certificates/https | jq -r '.uri') # # Check the task status: curl --insecure --silent \ --header "X-API-Version" ${currentVersion}" \ --header "auth: ${sessionID}" \ --request GET ${OneView}${CERTURI} | jq -r '.' #

It worked. Not sure why that would make a difference?