
iLO3 RIBCL for Custom CSR

 
[Glaubig]
Occasional Visitor


The CSR_CERT_SETTINGS RIBCL command under RIB_INFO is supposed to allow for changing SSL certificate request information.  They're documented in a May 2011 edition of the iLO Scripting and Command Line Resource Guide and work great on an iLO2 processor with firmware of 2.06.

 

These commands all fail on iLO3 with 1.25 firmware, however, with an error message of 'Feature not supported'.  I'm really hoping this is a bug in the firmware and not that the commands were deprecated; they're extremely useful in large scale deployments and standard configurations.

 

The set in particular is:

 

<RIB_INFO MODE="write">
  <CSR_CERT_SETTINGS>
    <CSR_USE_CERT_CUSTOM_SUBJECT VALUE="Yes" />
    <CSR_USE_CERT_2048PKEY VALUE="Yes" />
    <CSR_SUBJECT_COUNTRY VALUE="Yes" />
    <CSR_SUBJECT_STATE VALUE="Yes" />
    <CSR_SUBJECT_LOCATION VALUE="Yes" />
    <CSR_SUBJECT_ORG_NAME VALUE="Yes" />
    <CSR_SUBJECT_ORGUNIT_NAME VALUE="Yes" />
    <CSR_SUBJECT_COMMON_NAME VALUE="Yes" />
  </CSR_CERT_SETTINGS>
</RIB_INFO>

 

Brett Merrick
Occasional Contributor

Re: iLO3 RIBCL for Custom CSR

Upgraded to iLO3 v 1.25 and now it produces a 2048-bit CSR.

However, when you upload the replacement certificate it either rejects a certificate that doesn't match, or it accepts the certificate, reboots and then dishes up the old self-signed cert...

 

[Glaubig]
Occasional Visitor

Re: iLO3 RIBCL for Custom CSR

In the scripting I've done thus far, it seems that the call to generate a CSR is synchronous when on iLO 2 and earlier management processors.  This does not seem to be the case for iLO3 at firmware version 1.25.  It seems that the call becomes asynchronous, which in my opinion defeats the purpose of making CSR generation scriptable.

 

Is there an option documented or not that needs to be presented to iLO 3's?  Here is a sample of the RIBCL I use:

 

<RIBCL VERSION="2.0">
  <LOGIN USER_LOGIN="admin" PASSWORD="password">
    <RIB_INFO MODE="write">
      <CERTIFICATE_SIGNING_REQUEST/>
    </RIB_INFO>
  </LOGIN>
</RIBCL>

 

The response I get from iLO 2 and earlier is the CSR encased in the RIBCL syntax.  On iLO 3, instead of the CSR I'm expecting, I get a reply that the CSR is in process of being generated.  I receive a similar response in the web GUI.  Although I don't really understand why there is a difference between iLO versions, if I request a CSR I should get one, not a notice to check back later.

 

On a related note, the custom CSR creation works on iLO 2 (2.06), but on iLO 3 1.25 it never worked.  I'd wait hours for the CSR generation and not get it when specifying locale information consistent with my certificate hierarchy.  If I left the defaults for C=US, ST=Texas, L=Houston, etc., the CSR generation would work, however.  It does at least properly use the FQDN for the CN in the CSR.
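
Added example, not part of the original posts and not HP's code: one way to script around the asynchronous reply described above is to resubmit the same CERTIFICATE_SIGNING_REQUEST script until the reply carries a PEM request, with a bounded number of attempts so a CSR that never arrives (as reported for custom subjects) fails the job instead of hanging it. The `send` transport function, the retry policy and both sample replies are assumptions, as is the premise that resubmitting eventually returns the CSR.

```python
import base64
import re
import time
from xml.sax.saxutils import quoteattr

# RIBCL script from the post above; credentials are filled in by the caller.
CSR_REQUEST = """<RIBCL VERSION="2.0">
  <LOGIN USER_LOGIN={user} PASSWORD={password}>
    <RIB_INFO MODE="write">
      <CERTIFICATE_SIGNING_REQUEST/>
    </RIB_INFO>
  </LOGIN>
</RIBCL>"""

PEM_CSR = re.compile(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----\s*(.*?)\s*"
                     r"-----END (?:NEW )?CERTIFICATE REQUEST-----", re.S)

# Constructed replies: real iLO wording differs, and the payload is a tiny
# DER placeholder, not a usable CSR.
SAMPLE_PENDING = '<RIBCL VERSION="2.0"><RESPONSE STATUS="0x0000" MESSAGE="CSR is being generated"/></RIBCL>'
SAMPLE_READY = ('<RIBCL VERSION="2.0"><CERTIFICATE_SIGNING_REQUEST>\n'
                "-----BEGIN CERTIFICATE REQUEST-----\nMAMCAQA=\n"
                "-----END CERTIFICATE REQUEST-----\n"
                "</CERTIFICATE_SIGNING_REQUEST></RIBCL>")

def extract_csr(reply):
    """Return the PEM CSR inside a RIBCL reply, or None if there is none."""
    m = PEM_CSR.search(reply)
    if not m:
        return None
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # A PKCS#10 request is a DER SEQUENCE, so it must start with 0x30.
    return m.group(0) if der[:1] == b"\x30" else None

def wait_for_csr(send, user, password, attempts=10, delay=60, sleep=time.sleep):
    """Resubmit the CSR request until a reply carries a CSR.

    send is a hypothetical caller-supplied function that delivers RIBCL text
    to the iLO and returns the raw reply as a string.
    """
    request = CSR_REQUEST.format(user=quoteattr(user), password=quoteattr(password))
    for attempt in range(1, attempts + 1):
        csr = extract_csr(send(request))
        if csr:
            return csr, attempt
        if attempt < attempts:
            sleep(delay)
    raise TimeoutError("no CSR after %d attempts" % attempts)
```

Before submitting the returned request to a CA, check its subject and key size with a proper X.509 tool; the DER check here only rejects replies that are not a certificate request at all.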