ProLiant Servers (ML,DL,SL)
cancel
Showing results for 
Search instead for 
Did you mean: 

Lights-Out SSL stateOrProvinceName can't be changed

Chris de Vidal
Occasional Advisor

Lights-Out SSL stateOrProvinceName can't be changed

We have an in-house CA which signs all of our certificates. When I saw that our shiny new DL360 G3 has an Integrated Lights-Out (ILO) web interface with SSL and a certificate area, I thought I'd give it a go.

This is what I got:
[root@hjx-www-01 root]# openssl ca -in ilo.csr -out ilo.crt
Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'Texas'
localityName :PRINTABLE:'Houston'
organizationName :PRINTABLE:'Hewlett-Packard Development Company'
organizationalUnitName:PRINTABLE:'ISS'
commonName :PRINTABLE:'ILOjaxflprint02'
The stateOrProvinceName field needed to be the same in the
CA certificate (Florida) and the request (Texas)

Looks like that information is hard-coded into the ILO controller.

I found this post:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=266708
which says that a SoftPaq has been issued for this problem in Insight Manager but I couldn't find a similar fix for the ILO.

I worked around this by editing /usr/share/ssl/openssl.cnf under [ policy_match ] where I set stateOrProvinceName and organizationName from match to optional.

Ideas how I can change it in the ILO?
/dev/idal