HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
cancel
Showing results for 
Search instead for 
Did you mean: 

OneView CERT

 
Scott Caryer
Advisor

OneView CERT

I am trying to import a cert from my windows CA DC to my new 4.0 OneView appliance.

I am first generating the CR from the OneView appliance. Then I create it from my Windows CA using teh WebServer2048 option.

I keep getting the below error message: The certificate is not valid

Unable to import signed certificate.
Extended Key Usage(EKU) field in the certificate does not contain Server Authentication and/or Client Authentication

Resolution Provide a valid certificate with EKU field set as specified

If the issue persists, Create a support dump and contact your authorized support representative for assistance.

Please advise...

Scott

 

9 REPLIES
ChrisLynchHPE
Neighborhood Moderator

Re: OneView CERT

The message is quite clear what is wrong.  The SSL certificate you created must contain the Server Authentication attribute set.  Take a look at the screenshot of a certificate deployed on my appliance.Cert Enhanced Key Usage.png

I'm also attaching the Web Server Certificate Template policy I used on my Windows Server 2016 CA 

Web Server CA Template.png

 

Scott Caryer
Advisor

Re: OneView CERT

Thanks for your reply Chris! I see the buck stops with you here in the OneView forums.

So I generated the certificate request through the "Guided Section" area on my  OneView appliance(4.00.07-0330056). I then generated the cert from my Windows 2012 CA utility seen in the attachment. I selected the "WedServer2048" for the Certificate Template. I do not have a certificate template for Server authenication. So I am a little confused on how to create the certificate properly. The install guide does not talk much about installing a cert on the appliance.

Thanks for any assistance. As you can tell, cert management is not my speciality.

Any additional info woudl be great.

Thanks in advance, Scott

 

 

ChrisLynchHPE
Neighborhood Moderator

Re: OneView CERT

The reason why we don't document the CA part is that every customer is different, and uses different enterprise CA products.  Since you are using Microsoft Enterprise Certificate Authority Services, it's quite simple.  On your Issuing CA, you need to make sure a Web Server Template is available, or a CA Template Policy that is configured with the Enhanced Key Usage policy I showed in the screenshot.  Also, review these Microsoft Technet links (Link1 and Link2) on how to configure a Certificate Template Policy.  Even though those links are for Windows Server 2003, they still apply to Server 2008, Server 2012 and Server 2016.

Romper
Visitor

Re: OneView CERT

I too have had this error, however my WebServer template does allow for EKU and the certificate does show Server Authentication as a valid purpose (same as in your certificate as shown).

We too are using MS CA.

John Bigg
Esteemed Contributor

Re: OneView CERT

You need both Server AND Client authentication. Do you have both?

bronman
Occasional Visitor

Re: OneView CERT

I have the same issue

John Bigg
Esteemed Contributor

Re: OneView CERT

You need to make sure that your CA honours the request for the EKU fields Server Authentication and Client Authentication. One or both of these are missing from the certificate generated by your CA.

Daniel-L
Frequent Visitor

Re: OneView CERT

Hello Scott,

that's what I've got (after some lengthy discussion) from HPE support:

If you create a Certificate Signing Request (CSR) in OV, it will request the following usages:

            X509v3 Key Usage:

                Digital Signature, NonRepudiation, Key Encipherment

            X509v3 Extended Key Usage:

                TLS Web ServerAuthentication, TLS Web Client Authentication

If you submit this CSR to your CA, the resulting certificate should contain all these features.

Make sure, that your CA will generate a ceritifcate that includes ALL of above.

Had to get our CA team to try several times, until OneView was satisfied with the generated certificate.

Regards,

Daniel

 

Denialmix
Occasional Contributor

Re: OneView CERT

Duplicate WebServer template, check ServerAuth and add ClientAuth, add Non Repudiation... add Template in your CA and Works!

Thanks!