Remote Lights-Out Mgmt (iLO 2, iLO, RILOE II) Forum

Verify SSL Certificate for iLO/iLO2/iLO3

Advisor

I have automated a process to get a certificate request, submit this request to my CA server, then import the certificate from my CA server to the iLO. No issues there.

What I am trying to figure out: Is there a way for me to query the iLO via CPQLOCFG or http:///xmldata?item= to verify the certificate has been imported?
4 REPLIES
Honored Contributor

Re: Verify SSL Certificate for iLO/iLO2/iLO3

Hi Sam,

How are you retrieving the request and importing the certificate? If you are already using CPQLOCFG you should just parse the output for these failure messages:

• RIB information is open for read-only access. Write access is required for this operation.
• Error reading certificate: The imported certificate is invalid.
• Invalid certificate common name: The common name in the certificate does not match iLO 2's hostname.
• Certificate signature does not match private key: The certificate does not correspond to the private key stored in iLO 2.

Other than that I don't think there is a way.
Advisor

Re: Verify SSL Certificate for iLO/iLO2/iLO3

You are correct. I am actually reading the log files and determining whether or not I was successful in importing the certificate. Now my main goal is to check whether or not there is an Active certificate on the iLO before I generate a new certificate. This is in case a user wants to run the script again. I don't want to generate multiple certificates for a single iLO. But unless HP can design a way for me to do this I think I am not going to be unsuccessful in my quest. I have done much research and there doesn't appear to be anybody out there needing to know this information. I have thought about querying my CA server but this could give erroneous results. For example, I have an iLO named myiLOName and I retire or rename this server but reuse the name myiLOName for a new server. If I query my CA server for a certificate given to myiLOName it will return TRUE because I had a previous server named as such. So ideally I would need to query the iLO to determine if the iLO itself has a certificate and this is where the roadblock happens.
Honored Contributor

Re: Verify SSL Certificate for iLO/iLO2/iLO3

Maybe you can script a solution that visits the page:

https:///dcert.htm

and retrieves the value for the IssuedBy field.

If this matches your CA, then the certificate has been imported. If it matches myILOname then it hasn't.

I can conceptualize it, but not code it. Good luck. :)
Advisor

Re: Verify SSL Certificate for iLO/iLO2/iLO3

That is definitely a possibility. The challenge is being able to log into the iLO from the browser. But I can give it a shot and see. I am thinking it is a lost cause. Thank you for your help and suggestions.
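An added example, not part of the thread and not HP's code: the same Issued By comparison suggested above, but read from the certificate the iLO presents in its TLS handshake rather than from the dcert.htm page, so no login is needed. The function names, the CA file path argument, the CA common name and the sample dictionaries are assumptions constructed for illustration.

```python
import socket
import ssl

# Constructed samples shaped like ssl.SSLSocket.getpeercert() output (not real data).
SAMPLE_CA_ISSUED = {
    "subject": ((("commonName", "myiloname.example.test"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Issuing CA"),)),
}
SAMPLE_DEFAULT = {
    "subject": ((("commonName", "myiloname.example.test"),),),
    "issuer": ((("commonName", "myiloname.example.test"),),),
}

def name_attr(cert, which, attr="commonName"):
    """Return one attribute of the 'issuer' or 'subject' name, or None."""
    for rdn in cert.get(which, ()):
        for key, value in rdn:
            if key == attr:
                return value
    return None

def classify(cert, expected_ca_cn):
    """Compare the Issued By name with the subject and with the expected CA."""
    issuer = name_attr(cert, "issuer")
    if issuer is None:
        return "unknown"
    if issuer == name_attr(cert, "subject"):
        return "self-signed"  # issued to itself: nothing imported from the CA
    return "ca-issued" if issuer == expected_ca_cn else "other-issuer"

def check_ilo(host, ca_file, expected_ca_cn, port=443, timeout=10):
    """Handshake with the iLO trusting only ca_file, then classify its certificate."""
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(tls.getpeercert(), expected_ca_cn)
    except ssl.SSLCertVerificationError:
        # Chain does not end at ca_file, or the name does not match the host.
        return "untrusted"

if __name__ == "__main__":
    print(classify(SAMPLE_CA_ISSUED, "Example Issuing CA"))
    print(classify(SAMPLE_DEFAULT, "Example Issuing CA"))
```

Because the answer comes from the device itself, a stale CA record for a reused name such as myiLOName cannot produce a false positive. Any handshake failure other than certificate verification is raised to the caller instead of being classified.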