I have the same problem with our Synergy frame, and could not agree more with previous post. Please, any help would be appreciated! 

The question is simple, how to import missing .crl file?

Thank you.

I'm not sure why you want to get a CRL?  The Certificate Revocation List contains a list of certs that have been revoked.

I only see a Last Update and Next Update fields.

You need to create new certs to replace the expired ones.

> I tried to get this new cert into my HPOneView appliance. Security/Manager Certificates/Add Certificates

I'm not sure why it would need you to add a CRL?

>  I can find no way to open the CRL files and get the base64 cert text and there is no option to import a local file.

You can open the .CRL in Windows.  Or use:

openssl crl -inform der -in pca3-g5.crl -text -noout

So I would suggest you look for expiration dates for your certs and CA certs.

Unless it's related to you can't access the CRL?

https://github.com/HewlettPackard/POSH-HPOneView/issues/97

It is not. There are references to CRL files in both the release douments and the user manual, but nowhere does it show how to istall/import a CRL file.

As you can see in my inital post, the CRL file is what my OneView shows as expired - that is why I would assume that I need to replace it. 

> the CRL file is what my OneView shows as expired

Hmm, except the date fields in a CRL don't have "expired" in them, just "next update".

I don't know how much clearer I can get than this screen shot directly from my HPOneView appliance:

To upload a CRL file, go to Settings -> Manage certificates and then click on the little green pen icon on the certificate where the CRL is expired. You can then either drag and drop the CRL file you downloaded or browse to it in order to upload it.

Note that the CRL file takes effect immediately, although it can take up to an hour for the manage certificates page to show an OK state rather than CRL Expired.

John,

Im in total agreement with the person who started this thread.  OneView is so quirky, getting these obscure error messages.

I have tried to upload this .CRL file and stupid OneView says, I need a .CRL file

Here is the fix, delete the CRL that it is complaining about, in this case "VeriSign Class 3 Public Primary Certification Authority - G5"

I found a Symantec website that you can copy and paste the key to put it back in.

https://knowledge.symantec.com/support/mpki-for-ssl-support/index?page=content&id=SO5624&actp=LIST&viewlocale=en_US

Just copy and paste the key, and BOOM, all is well.

Hope it helps

> I don't know how much clearer I can get

The problem isn't you, it's in the message.  :-)

CRLs don't "expire".  And the message doesn't say how to fix it, AFTER you get the CRL from the web.

Is your appliance connected to the Internet?

Todd, I believe that the issue you saw with OneView reporting that a .crl file is needed even when a .crl file was selected is a known issue with certain versons of Firefox. Try using a different browser and you shouldn't see this and the crl file should work.

The best is to use a PowerShell script using the OneView library so that you can automate all the process.

See https://github.com/jullienl/HPE-Synergy-OneView-demos/blob/master/Powershell/OneView/Update%20all%20existing%20OneView%20CRLs.ps1

This script updates all existing CRLs present in Oneview identified as expired.