iLO certificate Subject Alternative Name no longer generated

NJK-Work
Honored Contributor

Hello,

In the past when I generated a CSR from an iLO, it would include the HOSTNAME as a subject alternative name for the certificate (non-FQDN format).  So if my server is SERVERX and my domain is MYDOMAIN.COM, it would generate a CSR with these names:

serverx.mydomain.com

serverx

However, this is no longer the case.  Being the lazy admin that I am, I usually just connect to the iLO via the hostname instead of the FQDN.  In the past, this was fine since the hostname was in the Subject Alternative Name - but this is now broken and I get a CERT error when I connect not using the FQDN.

Did something change with the iLO firmware that makes it so this is no longer being generated?  I am using an iLO 4 with 2.22 and 2.20 (ProLiant Gen9) - I have not tried the latest firmware yet (which I think is 2.30).  I am pretty sure nothing changed with our CA - but I am not an expert in this area, so I really don't know for sure.  I am using the template I have used for years from our CA.

Thanks

NK

NJK-Work
Honored Contributor
Solution

Re: iLO certificate Subject Alternative Name no longer generated

I finally found a solution for this - at least as long as you are using a Microsoft AD CA server.  I had to use the "Additional Attributes" field in the certificate request form.  So create the custom certificate request in the iLO as normal - it will generate a CSR using the FQDN of the iLO.  Then when submitting that request to the CA, add the following to the attributes field:

san:dns=IPADDRESS&dns=ILONAME

Where IPADDRESS is the IP address of the iLO and ILONAME is the non-FQDN name of the iLO in DNS.  For example, if your iLO is MYSERVERILO using IP address of 10.1.1.1 and the FQDN is MYSERVERILO.MyCorp.com, you will get a certificate with the Subject name of (which comes from the iLO):

MYSERVERILO.MyCorp.com

and Subject Alternative Names of:

10.1.1.1 and MYSERVERILO

So all three names will work without a certificate error.

Hope this helps others.

NK
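
A pre-submission check for the attribute string described in the post above, as an added example that is not part of the original thread or any HPE or Microsoft tooling. It parses a `san:` attribute and reports which of the names you intend to connect with would fail on a strict TLS client. Assumptions: the client ignores the Subject CN once a SAN extension is present and matches IP literals only against `ipaddress=` entries (the AD CS attribute form for iPAddress SANs); all function names are hypothetical.

```python
import ipaddress

def parse_san_attribute(attr):
    """Split an AD CS 'san:' request attribute into (type, value) pairs."""
    prefix, _, body = attr.partition(":")
    if prefix.strip().lower() != "san" or not body:
        raise ValueError("not a san: attribute")
    entries = []
    for part in body.split("&"):
        kind, sep, value = part.partition("=")
        if not sep or not value.strip():
            raise ValueError(f"malformed SAN entry: {part!r}")
        entries.append((kind.strip().lower(), value.strip()))
    return entries

def is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def name_matches(name, entries):
    """Strict matching: IP literals against ipaddress entries only,
    host names against dns entries only (case-insensitive, no wildcards)."""
    if is_ip(name):
        want = ipaddress.ip_address(name)
        return any(k == "ipaddress" and is_ip(v) and ipaddress.ip_address(v) == want
                   for k, v in entries)
    host = name.lower().rstrip(".")
    return any(k == "dns" and v.lower().rstrip(".") == host for k, v in entries)

def uncovered(connect_names, attr):
    """Names a strict client would reject for a cert issued with this attribute."""
    entries = parse_san_attribute(attr)
    return [n for n in connect_names if not name_matches(n, entries)]

def build_san_attribute(names):
    """Build an attribute that lists every connect name with a typed entry."""
    return "san:" + "&".join(("ipaddress=" if is_ip(n) else "dns=") + n for n in names)

if __name__ == "__main__":
    # Constructed sample using the example names from the post
    names = ["MYSERVERILO.MyCorp.com", "MYSERVERILO", "10.1.1.1"]
    print(uncovered(names, "san:dns=10.1.1.1&dns=MYSERVERILO"))
    print(build_san_attribute(names))
```

Older clients that fall back to the Subject CN or accept an IP address in a DNS-type entry will be more lenient than this check.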