Server Management - Remote Server Management
1748202 Members
3039 Online
108759 Solutions
New Discussion юеВ

Re: Can iLO2 Advanced generate 2048 bit CSR requests?

 
Stanley Yau
Occasional Contributor

Can iLO2 Advanced generate 2048 bit CSR requests?

Hello!

We're trying to get the built-in iLO 2 (with Advanced activated) from a ProLiant ML350 G6 server to generate a new Certificate Request for signing.

However, we are required to generate a CSR using a key that is 2048 bits or higher. Does iLO 2 (firmware v2.05) support this?
10 REPLIES 10
Oscar A. Perez
Honored Contributor

Re: Can iLO2 Advanced generate 2048 bit CSR requests?

iLO2 supports 1024 bit CSR request only.



__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
Stanley Yau
Occasional Contributor

Re: Can iLO2 Advanced generate 2048 bit CSR requests?

Thanks for the reply. Helps to close the issue, but it's somewhat disappointing that only 1024 bit length keys are used.

Shame, as I believe that the general guidance is for third-party certification authorities to start transitioning towards a minimum of 2048 bit length.

I can get our CA to manually generate using the 1024 bit generated key...
John Averett
New Member

Re: Can iLO2 Advanced generate 2048 bit CSR requests?

Stanley,
Sorry for jumping in on your thread but was hoping Omar would reply back to my question. I have same issue as you in regards to I need 2048 bit certificate but iLo2 only supports 1024. I'm hoping Omar could provide more information in regards to if and when HP would provide 2048 bit support.

Thanks,

John
Oscar A. Perez
Honored Contributor

Re: Can iLO2 Advanced generate 2048 bit CSR requests?

The limitation is within the SSL library that iLO2 is using for its webserver. This library only supports 1024 bits.



__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
John Averett
New Member

Re: Can iLO2 Advanced generate 2048 bit CSR requests?

Omar,

Thanks. Do you know if HP has anything in the works in regards to updating the SSL library in later releases of iLo? I support a DoD Client and they have been mandated to move away from 1024 bit SSL certs. They still provide the capability to sign 1024 certs but require documentation as to when in the future the device/software will be capable to migrate to 2048 bit certificates.

Any additional information would be greatly appreciated.

John
Oscar A. Perez
Honored Contributor

Re: Can iLO2 Advanced generate 2048 bit CSR requests?

John,

We are looking into adding the 2048bit RSA key support for the SSL certiticate in the next release.

I've been making changes and doing some tests and so far, the only problem that I see is that creating the 2048bit key pair required for the cert takes ~10min. This is because iLO2 has a little 66Mhz RISC processor and it seems we are just asking too much.
Also, once the new cert is imported, the iLO2 webserver is noticeable slower when doing SSL handshake.




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
John Averett
New Member

Re: Can iLO2 Advanced generate 2048 bit CSR requests?

Oscar,

Is there any timeline on when next release of iLo would be released?

Thanks,

John
Oscar A. Perez
Honored Contributor

Re: Can iLO2 Advanced generate 2048 bit CSR requests?

We added the 2048bit support for CSR in version 2.06.

One note: After importing the new cert, iLO2 webGUI does become noticeable slower but, hey! security is more important.

See here:
http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1483326



__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
Oscar A. Perez
Honored Contributor

Re: Can iLO2 Advanced generate 2048 bit CSR requests?

Forgot to mention.

After flashing version 2.06 for the first time, please allow 20 minutes to iLO2 so, it can pre-generate the RSA key pair needed for the CSR request. During this time, the remote console must remain closed.



__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!