Remote Lights-Out Mgmt (iLO 2, iLO, RILOE II) Forum

ILO2 refuses to import some X509 certificates

Occasional Contributor

Hello,

I generated a CSR for my server. I generated 2 certificates from the same CSR via 2 CAs.

When I use the instantssl.com PKI, I can import the certificate.

When I use the startssl.com PKI, I cannot import the certificate.

When I extract information from the certificates with openssl, I have:

from startssl.com

Subject: description=kk5U45Jfhfy8CV4S, C=FR, CN=srv435.mngt.mydom.fr/emailAddress=tech@mydom.fr

from instantssl.com

Subject: OU=Domain Control Validated, OU=Free SSL, CN=srv435.mngt.mydom.fr

Does someone have a workaround for using the startssl.com PKI?

The error I get from the web interface:

The Certificate could not be imported from the supplied X.509 Certificate data.

The Common name on the certificate does not match the DNS name of Integrated Lights-Out. Make sure that the X.509 Certificate data was intended for this Integrated Lights-Out.

4 REPLIES
Honored Contributor

Re: ILO2 refuses to import some X509 certificates

Apparently, iLO doesn't like the CN from startssl.com.

I bet that if the "/emailAddress=tech@mydom.fr" portion is removed from the CN, it will work.

__________________________________________________
I work for Hewlett Packard

Occasional Contributor

Re: ILO2 refuses to import some X509 certificates

From: http://stackoverflow.com/questions/6464129/certificate-subject-x-509

emailAddress can be in the subject field of an X.509 certificate.

It's a bug in the iLO implementation :(

Honored Contributor

Re: ILO2 refuses to import some X509 certificates

It says the emailAddress attribute is deprecated. Use altName extension instead.

http://www.oid-info.com/get/1.2.840.113549.1.9.1

__________________________________________________
I work for Hewlett Packard

Occasional Contributor

Re: ILO2 refuses to import some X509 certificates

From the RFC, the usage of the field is deprecated but permitted.

See the end of chapter 4.1.2.6 Subject from (http://www.ietf.org/rfc/rfc5280.txt)

Conforming implementations generating new certificates with
   electronic mail addresses MUST use the rfc822Name in the subject
   alternative name extension (Section 4.2.1.6) to describe such
   identities.  Simultaneous inclusion of the emailAddress attribute in
   the subject distinguished name to support legacy implementations is
   deprecated but permitted.
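
Added example, not part of any post in this thread and not iLO's own code: a pre-import check that splits the two Subject lines from the first post into attributes, compares the CN with the expected DNS name, and flags a subject-DN emailAddress. `naive_cn` is a hypothetical reader, included only to show how this text form can yield a mismatching name if `/emailAddress=` is not treated as a separate attribute; it makes no claim about how iLO parses certificates.

```python
import re

# Subject lines copied from the first post (legacy OpenSSL text output).
STARTSSL = ("Subject: description=kk5U45Jfhfy8CV4S, C=FR, "
            "CN=srv435.mngt.mydom.fr/emailAddress=tech@mydom.fr")
INSTANTSSL = ("Subject: OU=Domain Control Validated, OU=Free SSL, "
              "CN=srv435.mngt.mydom.fr")

# An attribute starts at the beginning of the line, after ", " or after "/".
# Limitation: a value that itself contains ", X=" or "/X=" would be mis-split.
_ATTR = re.compile(r"(?:^|, |/)([A-Za-z][A-Za-z0-9.]*)=")


def parse_subject(line):
    """Split a 'Subject:' line into ordered (attribute, value) pairs."""
    text = line.split("Subject:", 1)[-1].strip()
    marks = list(_ATTR.finditer(text))
    pairs = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        pairs.append((m.group(1), text[m.end():end]))
    return pairs


def naive_cn(line):
    """Hypothetical naive reader: everything after 'CN=' is the name."""
    return line.split("CN=", 1)[1]


def check_subject(line, expected_dns_name):
    """Return a list of findings; an empty list means nothing to flag."""
    pairs = parse_subject(line)
    findings = []
    cns = [v for k, v in pairs if k == "CN"]
    if not cns:
        findings.append("no CN in subject")
    elif cns[-1].lower() != expected_dns_name.lower():
        findings.append("CN %r does not match %r" % (cns[-1], expected_dns_name))
    if any(k == "emailAddress" for k, _ in pairs):
        findings.append("emailAddress in subject DN: deprecated but "
                        "permitted (RFC 5280, 4.1.2.6)")
    return findings


if __name__ == "__main__":
    host = "srv435.mngt.mydom.fr"
    for label, line in (("startssl", STARTSSL), ("instantssl", INSTANTSSL)):
        print(label, naive_cn(line) == host, check_subject(line, host))
```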