
SSL certificate config on Comware v7

spgsitsupport
Frequent Advisor


Looking here it should be easy:

http://hpnetworkers.blogspot.co.uk/2012/02/hp-series-h3c-comware-https-howto-with.html

I do NOT want to use the default generated certificate for https!

So I follow the instructions & eventually request certificate, but get error:

[HPE5900-SR1]pki request-certificate domain **********
Certificate request failed: No key pair specified for the PKI domain.

Anybody has instructions that will work?

Seb

3 REPLIES
spgsitsupport
Frequent Advisor

Re: SSL certificate config on Comware v7

I have a case opened with

GSD_GSC_Case_Mgmt_Prod <gsd_csc_case_mngmt@hpe.com>

for the second week, with no solution.

Managed to get certificate issued by local MS ADCA, but that was Network Device Enrollment Service (NDES) certificate which DOES NOT work for HTTPS.

What was required:

public-key rsa general name xxx length 2048

pki request-certificate domain "domain-name" password "password"

(where password is generated by ADCA http://localhost/certsrv/mscep_admin as per https://technet.microsoft.com/en-us/library/cc755273%28v=ws.11%29.aspx )

Still could not get proper answer how to request proper SSL web server certificate OR how to import wildcard certificate issued by external CA

Horrendous experience! Horrible support (in UK Level 2) that has NO TEST environment!

Shame on you HPE!

spgsitsupport
Frequent Advisor

Re: SSL certificate config on Comware v7

Eventually had BUG confirmed for BOTH issues by HPE support.

So maybe in next release...

spgsitsupport
Frequent Advisor

Re: SSL certificate config on Comware v7

OK, let me now recap what needs to be done for this to work.

A plain blank never used SCEP/NDES server will do just fine.

 But one needs to assume that customer might use such server for something else.

 Which was the case in my setup. I use SCEP server to request certificate by Apple iDevices (iPad/iPhone) for wireless network access, using custom template which does NOT have Server Authentication configured

 Hence the settings on my SCEP server were for the very purpose & created certificate did not work

 To make sure that certificate obtained from SCEP server is good for SSL one needs to configure correct template in

 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EncryptionTemplate

 Preferably one that has Server Authentication configured

 Good read is here:

https://blog.warcop.com/2013/06/27/ndes-server-configuration-for-scep-cisco-asa-scep-proxy/

 

Once that was configured in that way, then simple set of commands did get certificate

 

pki domain domainA1
 ca identifier NameOfCA
 certificate request url http://EnterpriseCA.domainA1.local/certsrv/mscep/mscep.dll
 certificate request from ra
 certificate request entity hpe5900-sr1
 crl url http://EnterpriseCA.domainA1.local/CertEnroll/whatever_is_configured.crl
#
pki entity hpe5900-sr1
 common-name HPE5900.domainA1.local
 country GB
#
ssl server-policy domainA1-ssl
 pki-domain domainA1

undo ip https enable

[HPE5900-pki-domain-domainA1]public-key rsa general name BG length 2048
quit

pki retrieve-certificate domain domainA1 ca
pki request-certificate domain domainA1 password 2A792FF083164D59 (password as obtained from CA http://ndes_server/certsrv/mscep_admin)
ip https ssl-server-policy domainA1-ssl
ip https enable
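
The template check described in the last reply, as an added example that is not part of the original posts or HPE/Microsoft code: a PowerShell sketch for the NDES server that reads the templates configured under the MSCEP key and reports whether each carries the Server Authentication EKU. It assumes a domain-joined NDES host and an account that can read the AD configuration partition; the SignatureTemplate and GeneralPurposeTemplate value names are not mentioned in the thread and are checked here because NDES selects among all three.

```powershell
# Added example: audit which certificate templates NDES issues from and
# whether they are usable for an HTTPS server certificate.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$mscepKey      = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

# NDES chooses one of these values based on the key usage in the device request.
$valueNames = 'EncryptionTemplate', 'SignatureTemplate', 'GeneralPurposeTemplate'

# Certificate templates live in the AD configuration partition.
$configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$mscep = Get-ItemProperty -Path $mscepKey -ErrorAction Stop

foreach ($valueName in $valueNames) {
    $templateName = $mscep.$valueName
    $status = 'OK'
    $ekus   = @()

    if (-not $templateName) {
        $status = 'registry value not set'
    }
    else {
        $path = "LDAP://CN=$templateName,$container"
        if ([System.DirectoryServices.DirectoryEntry]::Exists($path)) {
            # pKIExtendedKeyUsage holds the EKU OIDs the template stamps
            # into issued certificates.
            $ekus = @(([ADSI]$path).Properties['pKIExtendedKeyUsage'])
            if ($ekus -notcontains $serverAuthOid) {
                $status = 'no Server Authentication EKU: not usable for HTTPS'
            }
        }
        else {
            $status = 'template not found in AD'
        }
    }

    [pscustomobject]@{
        RegistryValue = $valueName
        Template      = $templateName
        EKUs          = $ekus -join ', '
        Status        = $status
    }
}
```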