- Re: OneView CERT
03-15-2018 01:58 PM
I am trying to import a cert from my Windows CA DC to my new 4.0 OneView appliance.
I am first generating the CR from the OneView appliance. Then I create it from my Windows CA using the WebServer2048 option.
I keep getting the below error message: The certificate is not valid
Unable to import signed certificate.
Extended Key Usage(EKU) field in the certificate does not contain Server Authentication and/or Client Authentication
Resolution Provide a valid certificate with EKU field set as specified
If the issue persists, Create a support dump and contact your authorized support representative for assistance.
Please advise...
Scott
03-15-2018 03:14 PM - edited 03-15-2018 03:15 PM
Re: OneView CERT
The message is quite clear what is wrong. The SSL certificate you created must contain the Server Authentication attribute set. Take a look at the screenshot of a certificate deployed on my appliance.
I'm also attaching the Web Server Certificate Template policy I used on my Windows Server 2016 CA.
I am an HPE employee
03-15-2018 07:11 PM
Re: OneView CERT
Thanks for your reply Chris! I see the buck stops with you here in the OneView forums.
So I generated the certificate request through the "Guided Section" area on my OneView appliance (4.00.07-0330056). I then generated the cert from my Windows 2012 CA utility seen in the attachment. I selected the "WebServer2048" for the Certificate Template. I do not have a certificate template for Server authentication. So I am a little confused on how to create the certificate properly. The install guide does not talk much about installing a cert on the appliance.
Thanks for any assistance. As you can tell, cert management is not my speciality.
Any additional info would be great.
Thanks in advance, Scott
03-15-2018 07:22 PM
Re: OneView CERT
The reason why we don't document the CA part is that every customer is different, and uses different enterprise CA products. Since you are using Microsoft Enterprise Certificate Authority Services, it's quite simple. On your Issuing CA, you need to make sure a Web Server Template is available, or a CA Template Policy that is configured with the Enhanced Key Usage policy I showed in the screenshot. Also, review these Microsoft Technet links (Link1 and Link2) on how to configure a Certificate Template Policy. Even though those links are for Windows Server 2003, they still apply to Server 2008, Server 2012 and Server 2016.
I am an HPE employee
04-12-2018 11:34 PM
Re: OneView CERT
I too have had this error; however, my WebServer template does allow for EKU and the certificate does show Server Authentication as a valid purpose (same as in your certificate as shown).
We too are using MS CA.
04-13-2018 07:32 AM
Re: OneView CERT
You need both Server AND Client authentication. Do you have both?
05-25-2018 12:14 AM
Re: OneView CERT
I have the same issue
05-29-2018 05:34 AM
Re: OneView CERT
You need to make sure that your CA honours the request for the EKU fields Server Authentication and Client Authentication. One or both of these are missing from the certificate generated by your CA.
06-01-2018 04:34 AM
Solution
Hello Scott,
that's what I've got (after some lengthy discussion) from HPE support:
If you create a Certificate Signing Request (CSR) in OV, it will request the following usages:
X509v3 Key Usage:
Digital Signature, NonRepudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
If you submit this CSR to your CA, the resulting certificate should contain all these features.
Make sure that your CA will generate a certificate that includes ALL of the above.
Had to get our CA team to try several times, until OneView was satisfied with the generated certificate.
Regards,
Daniel
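A pre-import check for the mismatch described in the answer above, as an added example that is not part of the original thread or of HPE's tooling: it compares the usages printed by `openssl req -in <csr> -noout -text` for the CSR with those printed by `openssl x509 -in <cert> -noout -text` for the issued certificate. The function names and both sample texts are constructed for illustration.

```python
import re

USAGE_HEADER = re.compile(r"\s*(X509v3 (?:Extended )?Key Usage):")

def parse_usages(openssl_text):
    """Map each usage extension to {normalised name: name as printed}."""
    found = {}
    lines = openssl_text.splitlines()
    for i, line in enumerate(lines[:-1]):
        m = USAGE_HEADER.match(line)
        if m:
            # openssl prints the values, comma separated, on the next line
            names = [v.strip() for v in lines[i + 1].split(",") if v.strip()]
            # ignore spacing and case so "NonRepudiation" == "Non Repudiation"
            found[m.group(1)] = {re.sub(r"\s+", "", n).lower(): n for n in names}
    return found

def missing_usages(csr_text, cert_text):
    """Return the usages the CSR requested that the issued certificate lacks."""
    requested, issued = parse_usages(csr_text), parse_usages(cert_text)
    gaps = {}
    for ext, wanted in requested.items():
        have = issued.get(ext, {})
        lost = [name for key, name in wanted.items() if key not in have]
        if lost:
            gaps[ext] = lost
    return gaps

# Constructed sample: CSR requesting the usages listed in the post above.
SAMPLE_CSR = """\
        Requested Extensions:
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
"""
# Constructed sample: issued certificate where the CA dropped two of them.
SAMPLE_CERT = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""

if __name__ == "__main__":
    for ext, lost in missing_usages(SAMPLE_CSR, SAMPLE_CERT).items():
        print(f"{ext}: missing {', '.join(lost)}")
```

An empty result means every requested Key Usage and Extended Key Usage value survived issuance; any entry names what the CA template dropped.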
06-04-2018 01:27 PM
Re: OneView CERT
Duplicate WebServer template, check ServerAuth and add ClientAuth, add Non Repudiation... add Template in your CA and Works!
Thanks!