HPE Community
HPE OneView
1751967 Members
4619 Online
108783 Solutions
New Discussion

Re: OneView CERT

 
SOLVED
Go to solution
Scott Caryer
Frequent Advisor

‎03-15-2018 01:58 PM

‎03-15-2018 01:58 PM

OneView CERT

I am trying to import a cert from my windows CA DC to my new 4.0 OneView appliance.

I am first generating the CR from the OneView appliance. Then I create it from my Windows CA using teh WebServer2048 option.

I keep getting the below error message: The certificate is not valid

Unable to import signed certificate.
Extended Key Usage(EKU) field in the certificate does not contain Server Authentication and/or Client Authentication

Resolution Provide a valid certificate with EKU field set as specified

If the issue persists, Create a support dump and contact your authorized support representative for assistance.

Please advise...

Scott

 

2 people had this problem.
0 Kudos
Reply
11 REPLIES 11
ChrisLynch
HPE Pro

‎03-15-2018 03:14 PM - edited ‎03-15-2018 03:15 PM

‎03-15-2018 03:14 PM - edited ‎03-15-2018 03:15 PM

Re: OneView CERT

The message is quite clear what is wrong.  The SSL certificate you created must contain the Server Authentication attribute set.  Take a look at the screenshot of a certificate deployed on my appliance.Cert Enhanced Key Usage.png

I'm also attaching the Web Server Certificate Template policy I used on my Windows Server 2016 CA 

Web Server CA Template.png

 


I am an HPE employee

Accept or Kudo

0 Kudos
Reply
Scott Caryer
Frequent Advisor

‎03-15-2018 07:11 PM

‎03-15-2018 07:11 PM

Re: OneView CERT

Thanks for your reply Chris! I see the buck stops with you here in the OneView forums.

So I generated the certificate request through the "Guided Section" area on my  OneView appliance(4.00.07-0330056). I then generated the cert from my Windows 2012 CA utility seen in the attachment. I selected the "WedServer2048" for the Certificate Template. I do not have a certificate template for Server authenication. So I am a little confused on how to create the certificate properly. The install guide does not talk much about installing a cert on the appliance.

Thanks for any assistance. As you can tell, cert management is not my speciality.

Any additional info woudl be great.

Thanks in advance, Scott

 

 

0 Kudos
Reply
ChrisLynch
HPE Pro

‎03-15-2018 07:22 PM

‎03-15-2018 07:22 PM

Re: OneView CERT

The reason why we don't document the CA part is that every customer is different, and uses different enterprise CA products.  Since you are using Microsoft Enterprise Certificate Authority Services, it's quite simple.  On your Issuing CA, you need to make sure a Web Server Template is available, or a CA Template Policy that is configured with the Enhanced Key Usage policy I showed in the screenshot.  Also, review these Microsoft Technet links (Link1 and Link2) on how to configure a Certificate Template Policy.  Even though those links are for Windows Server 2003, they still apply to Server 2008, Server 2012 and Server 2016.


I am an HPE employee

Accept or Kudo

0 Kudos
Reply
Romper
Visitor

‎04-12-2018 11:34 PM

‎04-12-2018 11:34 PM

Re: OneView CERT

I too have had this error, however my WebServer template does allow for EKU and the certificate does show Server Authentication as a valid purpose (same as in your certificate as shown).

We too are using MS CA.

0 Kudos
Reply
John Bigg
Esteemed Contributor

‎04-13-2018 07:32 AM

‎04-13-2018 07:32 AM

Re: OneView CERT

You need both Server AND Client authentication. Do you have both?

Reply
bronman
Occasional Visitor

‎05-25-2018 12:14 AM

‎05-25-2018 12:14 AM

Re: OneView CERT

I have the same issue

0 Kudos
Reply
John Bigg
Esteemed Contributor

‎05-29-2018 05:34 AM

‎05-29-2018 05:34 AM

Re: OneView CERT

You need to make sure that your CA honours the request for the EKU fields Server Authentication and Client Authentication. One or both of these are missing from the certificate generated by your CA.

0 Kudos
Reply
Daniel-L
Advisor

‎06-01-2018 04:34 AM

‎06-01-2018 04:34 AM

Solution

Re: OneView CERT

Hello Scott,

that's what I've got (after some lengthy discussion) from HPE support:

If you create a Certificate Signing Request (CSR) in OV, it will request the following usages:

            X509v3 Key Usage:

                Digital Signature, NonRepudiation, Key Encipherment

            X509v3 Extended Key Usage:

                TLS Web ServerAuthentication, TLS Web Client Authentication

If you submit this CSR to your CA, the resulting certificate should contain all these features.

Make sure, that your CA will generate a ceritifcate that includes ALL of above.

Had to get our CA team to try several times, until OneView was satisfied with the generated certificate.

Regards,

Daniel

 

0 Kudos
Reply
Denialmix
Occasional Advisor

‎06-04-2018 01:27 PM

‎06-04-2018 01:27 PM

Re: OneView CERT

Duplicate WebServer template, check ServerAuth and add ClientAuth, add Non Repudiation... add Template in your CA and Works!

Thanks!

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.