Re: Add SAN and ignore IPv6 to Start-HPEiLOCertificateSigningRequest

Adis_S · ‎11-21-2018

1) Would it be posible to add SAN parameter to the Start-HPEiLOCertificateSigningRequest ? In most Microsoft CA is the "EDITF_ATTRIBUTESUBJECTALTNAME2" disabled because od (1) , thus it would be better to include this in Certificate request itself. From (1) "All certificate subject information (including SAN) should be included in the original certificate request"

2) Can there be also an parameter to exclude IPv6 from orginal certificate request.

I am using HPEiLOCmdlets 2.1..0.0 and have iLO4 v2.61 and I am doing request with this line

Start-HPEiLOCertificateSigningRequest -Connection $connection -City City -CommonName $srvILO -IncludeiLOIP -Country Country -Organization "Organization" -State "State" -OrganizationalUnit IT

On (2) there is written "Whenever possible, specify a SAN by using certificate extensions instead of request attributes to avoid enabling EDITF_ATTRIBUTESUBJECTALTNAME2."
How could this be done by uisng HPEiLOCmdlets ?

Reason for this request is because IE 11 (Edge maybe to?) does not trust iLO if accessed over IP even it is included in Certificate. Seems dns=ipaddress need to be added as SAN so that IE 11 can trust it.

DNS Name=esx01-ilo.server.local
IP Address=1XX.XX.XX.XXX
IP Address=fe80:0000:0000:0000:XXXX:XXXX:XXXX:XXXX

Edit #1: Also it is an problem that you can acutally not import private key and then the certificate, so there is no way to create request somewhere else which includes all SAN needed.

(1) https://blog.keyfactor.com/hidden-dangers-certificate-subject-alternative-names-sans

* Any custom SAN entries are only supposed to be used on the other Corporate Web Server certificates, but because the EDITF_ATTRIBUTESUBJECTALTNAME2 setting applies to the entire CA, all templates on that CA are affected, and all templates and all resulting certificates are at risk from impersonation attacks.

(2) https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff625722(v%3dws.10)

* Security best practices for allowing SANs in certificates

NareshISS · ‎11-26-2018

Hello Team,

please follow the below steps if its applicable:- https://community.hpe.com/t5/ProLiant-Servers-ML-DL-SL/Can-t-configure-Gen8-Gen9-IPV6-Ilo-settings/td-p/6752309#.W_avbOLhWM8 https://community.hpe.com/t5/ProLiant-Servers-ML-DL-SL/how-to-check-ipv6-gw-info-from-ilo4/td-p/6819325#.W_avb-LhWM8

I am an HPE Employee.

Adis_S · ‎11-27-2018

@NareshISS

I am not sure why did you post the Links which does not have anything to do with Certificate Signing Request. Just to post something to have Post count higher, is not very helpful.

GokulKS · ‎11-27-2018

Hi,

Currently iLO4/5 does not provide any option to add SAN or ignore IPv6 in either iLO Web GUI or Redfish interfaces.

You need to raise a change request with iLO team.

Thanks,

Gokul

I am a HPE Employee

NareshISS · ‎12-05-2018

Hello,

please logged an HPE case and share the actual images of the issue and AHS report.

Regards,

Naresh Sharma

I am an HPE Employee.

Adis_S · ‎12-07-2018

HPE see this not as an Issue but as an Enhancement Request.

Sure I did provide HPE Support with all logs and Images of the Issue.

Adis_S · ‎01-20-2021

I got asked over PM if there was any solution for this. I am afraid not, our Feature Request is still not fullfilled, but it is still open. There could be an workarround for these using Microsoft CA and where the EDITF_ATTRIBUTESUBJECTALTNAME2 is enabled.

Create CSR with iLO5 with all the Fields it currently allows us (i am using csv with Column "iLOHostname" and "iLOIP" :

$connection = Connect-HPEiLO -Credential $credential -IP $ilofqdn.iLOHostname -Timeout 200 -DisableCertificateAuthentication

Start-HPEiLOCertificateSigningRequest -Connection $connection -City <City> -CommonName $ilofqdn.iLOHostname -Country <country> -Organization <organisation> -State <state> -OrganizationalUnit IT -IncludeiLOIP

get your CSR (i put pause for 60 sec in my script, to let CSR be created):

$output = Get-HPEiLOCertificateSigningRequest -Connection $connection
$output.CertificateSigningRequest | Out-File "$scriptpath\csr\$ilofqdn.iLOHostname.csr" -Encoding ascii -Force

then submit the CSR with additional parameters to Microsoft CA by using this command line tool:
# you need to define all variable yourself or just type them in request.

$certreq = 'c:\Windows\System32\certreq.exe -submit -config $certificateserver -attrib "SAN:dns=$srvILO&dns=$shorthost&dns=$dnssrvilo&IPAddress=$dnssrvilo" -attrib "CertificateTemplate:$certificatetemplate" "$scriptpath\csr\$ilofqdn.iLOHostname.csr"'

You will get as output an ID which you can provide to your CA Admin to issue it, after that you can grab your certificate

$certretrieve = 'certreq.exe -retrieve -config $certificateserver $_.RequestId "$scriptpath\cert\$shorthost.crt"'

Finaly import it to iLO5

$cert1 = Get-Content -Path "$scriptpath\cert\$shorthost.crt" -Raw
# Base64-encoded X.509 certificate
$StatusInfo = Import-HPEiLOCertificate -Connection $connection -Certificate $cert1

Hopes this help someone in future.

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: Add SAN and ignore IPv6 to Start-HPEiLOCertificateSigningRequest

Add SAN and ignore IPv6 to Start-HPEiLOCertificateSigningRequest