
iLO3 1.26 Certificate error

NterSup
Occasional Collector

iLO3 1.26 Certificate error

DL380 G7 iLO FW : 1.26

 

When I import a certificate in iLO, I receive this message:

 

Error: The Certificate could not be imported from the supplied X.509 Certificate data.

Check the following:
- Make sure that the input text was base64 encoded X.509 Certificate data.
- Make sure that the input X.509 Certificate data was intended for this server (not another server).


The CSR has been generated on a Windows Server 2008 authority.

With iLO2 or iLO3 1.20, that works.

Can someone help me?

21 REPLIES
Oscar A. Perez
Honored Contributor

Re: iLO3 1.26 Certificate error

The cert is probably too big. Can you post it here?




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
ViktorSylantiev
Occasional Advisor

Re: iLO3 1.26 Certificate error

I have the same problem with importing the cert.

Why does it import in iLO2 and iLO3 1.20, but not in iLO3 1.26?

AlonsoRojas
Occasional Advisor

Re: iLO3 1.26 Certificate error

Hi Oscar

 

I am seeing the same issue with firmware 1.26 when the key is set for 2048, stating that the key size is too big, but with older firmware versions it works fine.

 

What could be causing this issue with this version?

Oscar A. Perez
Honored Contributor

Re: iLO3 1.26 Certificate error

iLO3 stores the custom cert, public and private key in the same file in the NVRAM. The file is currently limited to 3Kb. On the other hand, iLO2 stored the cert and keys in separate structures in the NVRAM. This allowed the custom cert to be a few bytes bigger in iLO2.

Older iLO3 versions (before 1.20) only supported 1024bit keys for certs. In iLO3 1.20 and later, all custom certs contain 2048bit keys. 

I have requested the team to increase the size limit in iLO3 to match the iLO2 limit size.




CMMWSP
Occasional Contributor

Re: iLO3 1.26 Certificate error

What would be the solution to allow the import of a certificate for iLO3 with firmware 1.26? I've tried both 1024 and 2048bit keys and neither works.

If it's due to a size limitation on the cert how would I generate a certificate that is small enough in size?
Oscar A. Perez
Honored Contributor

Re: iLO3 1.26 Certificate error

Can you post here one of the certs?




JoeBruneau
Visitor

Re: iLO3 1.26 Certificate error

I am having the same problem importing a certificate - same firmware, using Windows Server 2008 as the CA.

ViktorSylantiev
Occasional Advisor

Re: iLO3 1.26 Certificate error

I can't install this certificate:


It has many CRL sources, and the root CA has many CRL sources, and I think this was the reason that the certificate is not installed. But we needed all of its sources.

Oscar A. Perez
Honored Contributor

Re: iLO3 1.26 Certificate error

This cert cannot be imported because it is too big. iLO3 only has 3Kb in the NVRAM to store imported certs. Can you make it leaner by unchecking the LDAP for CRL and AIA in the CA issuing your cert?




ViktorSylantiev
Occasional Advisor

Re: iLO3 1.26 Certificate error

I cannot, because we use them all. If I turn them off, I have to reissue all certificates in the company, and this is unacceptable. iLO2 works well with such certificates. It is a pity that the new version gets new restrictions.

JoeBruneau
Visitor

Re: iLO3 1.26 Certificate error

I am seeing the same problem and the certificate I am using is only 2.75KB.

Oscar A. Perez
Honored Contributor

Re: iLO3 1.26 Certificate error

iLO does not use those LDAP fields you have in CRL and AIA, so including these fields in certs destined for your iLOs is a waste of space.

I guess you could request your CA to create a separate template for your iLOs, a template without these extra LDAP fields.

From my side, I have formally requested the iLO team to increase the max size of certs to match what iLO2 accepts. They are evaluating the impact of increasing NVRAM usage in iLO3 and other needed code changes. I will post an update as soon as I get the final answer from the team.




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
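
The advice in this reply is to drop the LDAP CRL and AIA entries so the certificate fits in iLO3's 3Kb store. As an added example (not from the thread or from HP), this Python code reports how many DER bytes each extension of a PEM certificate occupies, so the cost of `cRLDistributionPoints` and `authorityInfoAccess` is visible before import. The function names and the constructed sample skeleton are assumptions for illustration; how iLO3 counts bytes against its limit is not specified in the thread.

```python
import base64, re

# Extensions the thread names as the space consumers (OIDs from RFC 5280).
NAMES = {"2.5.29.31": "cRLDistributionPoints", "1.3.6.1.5.5.7.1.1": "authorityInfoAccess"}

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):  # yields (tag, element_start, value_start, value_end)
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, start, vs, ve
        start = ve

def decode_oid(raw):  # DER OID content bytes -> dotted string
    parts, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            parts, val = parts + [val], 0
    return ".".join(map(str, parts))

def extension_sizes(pem):  # -> (DER size, {extension name or OID: encoded bytes})
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    _, cert_s, _ = read_tlv(der, 0)            # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = read_tlv(der, cert_s)    # tbsCertificate
    sizes = {}
    for tag, _, vs, _ in children(der, tbs_s, tbs_e):
        if tag == 0xA3:                        # [3] EXPLICIT Extensions
            _, ext_s, ext_e = read_tlv(der, vs)
            for _, e_start, e_vs, e_end in children(der, ext_s, ext_e):
                _, oid_s, oid_e = read_tlv(der, e_vs)
                oid = decode_oid(der[oid_s:oid_e])
                sizes[NAMES.get(oid, oid)] = e_end - e_start
    return len(der), sizes

def _tlv(tag, body):  # minimal DER encoder, used only to build the sample
    n, wide = len(body), len(body) > 0xFF
    head = bytes([n]) if n < 0x80 else bytes([0x81 + wide]) + n.to_bytes(1 + wide, "big")
    return bytes([tag]) + head + body

def constructed_sample():  # certificate-shaped DER skeleton, not a valid signed cert
    ext = lambda oid, n: _tlv(0x30, _tlv(0x06, bytes.fromhex(oid)) + _tlv(0x04, b"u" * n))
    exts = ext("551d1f", 383) + ext("2b06010505070101", 431) + ext("551d0f", 4)
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0xA3, _tlv(0x30, exts)))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(_tlv(0x30, tbs)).decode() + "-----END CERTIFICATE-----\n"
```

Run `extension_sizes()` on the PEM text returned by the CA; the first value is the binary (DER) size, which is about three quarters of the base64 file size quoted in the posts here.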
ViktorSylantiev
Occasional Advisor

Re: iLO3 1.26 Certificate error

Thank you, we will wait.

UserHP
Occasional Visitor

Re: iLO3 1.26 Certificate error

Is there any news regarding this issue? My certificate has only 2,84 KB but I also receive the "Error: The Certificate could not be imported from the supplied X.509 Certificate data."

I think this will end up in a new iLO firmware (v1.27)?

UserHP
Occasional Visitor

Re: iLO3 1.26 Certificate error

Hi,

With the newest iLO Firmware v1.61 from Aug 01 2013 I still have this issue. I still receive


Error: The Certificate could not be imported from the supplied X.509 Certificate data.

Check the following: 
- Make sure that the input text was base64 encoded X.509 Certificate data.
- Make sure that the input X.509 Certificate data was intended for this server (not another server).


Is this bug still not fixed yet??? It's really urgent!

Torsten.
Acclaimed Contributor

Re: iLO3 1.26 Certificate error

The current firmware is 1.65, try this.


Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!   
UserHP
Occasional Visitor

Re: iLO3 1.26 Certificate error

Where to get? The Download Area of HP ILO is frustrating. The vcagent only offers the v1.61 as latest version.

Torsten.
Acclaimed Contributor

Re: iLO3 1.26 Certificate error

www.hp.com

-> support -> drivers

-> search for "ilo-3"

-> select windows

download the file, extract it, use the *.bin file directly on the ILO web interface.

http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/psi/swdDetails/?sp4ts.oid=4154847&spf_p.tpst=swdMain&spf_p.prp_swdMain=wsrp-navigationalState%3Didx%253D%257CswItem%253DMTX_abf6391893fc490fa687b76d4c%257CswEnvOID%253D4138%257CitemLocale%253D%257CswLang%253D%257Cmode%253D%257Caction%253DdriverDocument&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vig...

Hope this helps!
Regards
Torsten.

UserHP
Occasional Visitor

Re: iLO3 1.26 Certificate error

Nope, doesn't work on v1.65 either. Doesn't it support key length of 2048 or what crap is that SSL implementation on iLO?!?

Oscar A. Perez
Honored Contributor

Re: iLO3 1.26 Certificate error

iLO3 does support 2048-bit keys. I would need to see the cert to find out what iLO doesn't like about it. Please send it to me via PM.




Jezzaaaa
Occasional Visitor

Re: iLO3 1.26 Certificate error

Same problem here. 2.8k certificate file (base-64) on iLO3 v1.65.