HPE OneView

OneView CERT

Scott Caryer
Advisor

OneView CERT

I am trying to import a cert from my Windows CA DC to my new 4.0 OneView appliance.

I am first generating the CR from the OneView appliance. Then I create it from my Windows CA using the WebServer2048 option.

I keep getting the below error message: The certificate is not valid

Unable to import signed certificate.
Extended Key Usage(EKU) field in the certificate does not contain Server Authentication and/or Client Authentication

Resolution Provide a valid certificate with EKU field set as specified

If the issue persists, Create a support dump and contact your authorized support representative for assistance.

Please advise...

Scott

 

5 REPLIES
ChrisLynchHPE
Neighborhood Moderator

Re: OneView CERT

The message is quite clear about what is wrong. The SSL certificate you created must contain the Server Authentication attribute set. Take a look at the screenshot of a certificate deployed on my appliance.

Cert Enhanced Key Usage.png

I'm also attaching the Web Server Certificate Template policy I used on my Windows Server 2016 CA.

Web Server CA Template.png

 

Scott Caryer
Advisor

Re: OneView CERT

Thanks for your reply Chris! I see the buck stops with you here in the OneView forums.

So I generated the certificate request through the "Guided Section" area on my OneView appliance (4.00.07-0330056). I then generated the cert from my Windows 2012 CA utility seen in the attachment. I selected the "WebServer2048" for the Certificate Template. I do not have a certificate template for Server authentication. So I am a little confused on how to create the certificate properly. The install guide does not talk much about installing a cert on the appliance.

Thanks for any assistance. As you can tell, cert management is not my speciality.

Any additional info would be great.

Thanks in advance, Scott

 

 

ChrisLynchHPE
Neighborhood Moderator

Re: OneView CERT

The reason why we don't document the CA part is that every customer is different, and uses different enterprise CA products.  Since you are using Microsoft Enterprise Certificate Authority Services, it's quite simple.  On your Issuing CA, you need to make sure a Web Server Template is available, or a CA Template Policy that is configured with the Enhanced Key Usage policy I showed in the screenshot.  Also, review these Microsoft Technet links (Link1 and Link2) on how to configure a Certificate Template Policy.  Even though those links are for Windows Server 2003, they still apply to Server 2008, Server 2012 and Server 2016.

Romper
Visitor

Re: OneView CERT

I too have had this error, however my WebServer template does allow for EKU and the certificate does show Server Authentication as a valid purpose (same as in your certificate as shown).

We too are using MS CA.

John Bigg
Esteemed Contributor

Re: OneView CERT

You need both Server AND Client authentication. Do you have both?
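
A pre-import check for the requirement discussed in this thread, added here as an example and not taken from the posts or from HPE: it reads a certificate's Enhanced Key Usage extension and reports which of the two usages named in the error message is absent. `Test-RequiredEku`, `New-SampleCert` and the `oneview.example.test` subject are hypothetical names, and the sample certificates are constructed in memory for illustration.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# EKU OIDs for the two usages named in the appliance error (RFC 5280 id-kp values).
$RequiredEku = [ordered]@{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
}

function Test-RequiredEku {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)
    # Collect every OID listed in the Enhanced Key Usage extension (2.5.29.37), if any.
    $present = @($Certificate.Extensions |
        Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    $missing = @($RequiredEku.Keys | Where-Object { $_ -notin $present } |
        ForEach-Object { $RequiredEku[$_] })
    [pscustomobject]@{
        Subject = $Certificate.Subject
        Missing = $missing
        Ok      = ($missing.Count -eq 0)
    }
}

# Constructed sample input: in-memory self-signed certificates
# (assumes PowerShell 7 or .NET Framework 4.7.2+ for CertificateRequest).
function New-SampleCert([string[]]$EkuOids) {
    $rsa  = [RSA]::Create(2048)
    $req  = [CertificateRequest]::new('CN=oneview.example.test', $rsa,
                [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $oids = [OidCollection]::new()
    $EkuOids | ForEach-Object { [void]$oids.Add([Oid]::new($_)) }
    $req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($oids, $false))
    $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))
}

# Certificate carrying Server Authentication only, then one carrying both usages.
Test-RequiredEku (New-SampleCert '1.3.6.1.5.5.7.3.1')
Test-RequiredEku (New-SampleCert '1.3.6.1.5.5.7.3.1','1.3.6.1.5.5.7.3.2')
```

To check the file issued by the CA instead of the samples, pass `[X509Certificate2]::new('<path to signed .cer>')` to `Test-RequiredEku`.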