
Add SAN and ignore IPv6 to Start-HPEiLOCertificateSigningRequest

 
Adis_S
Advisor


1) Would it be possible to add a SAN parameter to Start-HPEiLOCertificateSigningRequest? On most Microsoft CAs the "EDITF_ATTRIBUTESUBJECTALTNAME2" flag is disabled because of (1), so it would be better to include this in the certificate request itself. From (1): "All certificate subject information (including SAN) should be included in the original certificate request."

2) Could there also be a parameter to exclude IPv6 from the original certificate request?

I am using HPEiLOCmdlets 2.1.0.0 and have iLO4 v2.61, and I am doing the request with this line:

 

Start-HPEiLOCertificateSigningRequest -Connection $connection -City City -CommonName $srvILO -IncludeiLOIP -Country Country -Organization "Organization" -State "State" -OrganizationalUnit IT


In (2) it is written: "Whenever possible, specify a SAN by using certificate extensions instead of request attributes to avoid enabling EDITF_ATTRIBUTESUBJECTALTNAME2."
How could this be done using HPEiLOCmdlets?

The reason for this request is that IE 11 (Edge maybe too?) does not trust iLO if accessed over IP, even if the IP is included in the certificate. It seems dns=ipaddress needs to be added as a SAN so that IE 11 can trust it.

DNS Name=esx01-ilo.server.local
IP Address=1XX.XX.XX.XXX
IP Address=fe80:0000:0000:0000:XXXX:XXXX:XXXX:XXXX

Edit #1: It is also a problem that you actually cannot import a private key and then the certificate, so there is no way to create the request somewhere else that includes all the SANs needed.


(1) https://blog.keyfactor.com/hidden-dangers-certificate-subject-alternative-names-sans

* Any custom SAN entries are only supposed to be used on the other Corporate Web Server certificates, but because the EDITF_ATTRIBUTESUBJECTALTNAME2 setting applies to the entire CA, all templates on that CA are affected, and all templates and all resulting certificates are at risk from impersonation attacks.

(2) https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff625722(v%3dws.10)

* Security best practices for allowing SANs in certificates
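The workaround the thread eventually arrives at (passing the SAN as a certreq request attribute) only works when the issuing CA has EDITF_ATTRIBUTESUBJECTALTNAME2 set, and reference (1) explains why that flag is a CA-wide risk. The following PowerShell is an added example, not part of the original post and not HPE or Microsoft code: it reads the CA policy module's EditFlags with certutil and reports whether the flag (bit 0x40000) is set. The CA config string "ca01.server.local\Corp-Issuing-CA" and the certutil output sample are constructed for illustration.

```powershell
# Added example (not from the original post): detect EDITF_ATTRIBUTESUBJECTALTNAME2 on a Microsoft CA.
# Assumes certutil.exe is present and the caller has read access to the CA configuration.

$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000   # bit value documented for the policy module EditFlags

function Test-SanAttributeFlag {
    # Parse the text that "certutil -getreg policy\EditFlags" prints and return $true
    # when the SAN-from-request-attribute flag is set.
    param([string[]]$CertutilOutput)
    $text = $CertutilOutput -join "`n"
    if ($text -match 'EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)') {
        $flags = [Convert]::ToInt64($Matches[1], 16)
        return (($flags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0)
    }
    # Fallback: certutil also lists the symbolic names of the bits that are set.
    return ($text -match 'EDITF_ATTRIBUTESUBJECTALTNAME2')
}

function Get-CaSanAttributeStatus {
    # Live check against a CA given as "host\CA common name" (hypothetical value in the usage below).
    param([Parameter(Mandatory)][string]$CaConfig)
    $out = & certutil.exe -config $CaConfig -getreg 'policy\EditFlags' 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil failed for ${CaConfig}: $out" }
    return (Test-SanAttributeFlag $out)
}

# Constructed sample of certutil output (CA name and values made up) so the parser runs offline.
# 0x15014e is the default enterprise-CA EditFlags value 0x11014e with 0x40000 added.
$sample = @'
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Corp-Issuing-CA\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy:

  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -getreg command completed successfully.
'@

"Sample CA accepts SAN request attributes: $(Test-SanAttributeFlag ($sample -split "`n"))"
# Live check (needs a reachable CA; hypothetical name):
# Get-CaSanAttributeStatus -CaConfig 'ca01.server.local\Corp-Issuing-CA'
```

If the check returns True, remember the point from (1): the flag applies to the whole CA, so any principal with Enroll rights on any template of that CA can request a certificate for any name, not only the iLO hosts this thread is about.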

 

NareshISS
HPE Pro

Re: Add SAN and ignore IPv6 to Start-HPEiLOCertificateSigningRequest

Adis_S
Advisor

Re: Add SAN and ignore IPv6 to Start-HPEiLOCertificateSigningRequest

@NareshISS

I am not sure why you posted links which do not have anything to do with Certificate Signing Requests. Just posting something to get a higher post count is not very helpful.


GokulKS
HPE Pro

Re: Add SAN and ignore IPv6 to Start-HPEiLOCertificateSigningRequest

Hi,

Currently iLO4/5 does not provide any option to add a SAN or ignore IPv6, in either the iLO Web GUI or the Redfish interface.

You need to raise a change request with iLO team. 

Thanks,

Gokul


I am a HPE Employee


NareshISS
HPE Pro

Re: Add SAN and ignore IPv6 to Start-HPEiLOCertificateSigningRequest

Hello,

Please log an HPE case and share the actual images of the issue and the AHS report.


Regards,

Naresh Sharma


I am an HPE Employee.


Adis_S
Advisor

Re: Add SAN and ignore IPv6 to Start-HPEiLOCertificateSigningRequest

HPE sees this not as an issue but as an enhancement request.

Sure, I did provide HPE Support with all logs and images of the issue.

Adis_S
Advisor

Re: Add SAN and ignore IPv6 to Start-HPEiLOCertificateSigningRequest


I got asked over PM if there was any solution for this. I am afraid not; our feature request is still not fulfilled, but it is still open. There could be a workaround for this using a Microsoft CA where EDITF_ATTRIBUTESUBJECTALTNAME2 is enabled.

Create a CSR with iLO5 with all the fields it currently allows us (I am using a CSV with the columns "iLOHostname" and "iLOIP"):

# $ilofqdn is one row of the CSV (columns iLOHostname, iLOIP); $credential holds the iLO login
$connection = Connect-HPEiLO -Credential $credential -IP $ilofqdn.iLOHostname -Timeout 200 -DisableCertificateAuthentication

# <City>, <country>, <organisation>, <state> are placeholders for your own subject fields
Start-HPEiLOCertificateSigningRequest -Connection $connection -City <City> -CommonName $ilofqdn.iLOHostname -Country <country> -Organization <organisation> -State <state> -OrganizationalUnit IT -IncludeiLOIP


Get your CSR (I put a 60-second pause in my script to let the CSR be created):

$output = Get-HPEiLOCertificateSigningRequest -Connection $connection
# inside a double-quoted string a property access must be wrapped in $( ), otherwise only $ilofqdn is expanded
$output.CertificateSigningRequest | Out-File "$scriptpath\csr\$($ilofqdn.iLOHostname).csr" -Encoding ascii -Force



Then submit the CSR with additional parameters to the Microsoft CA by using this command line tool:
# you need to define all variables yourself or just type them into the request.

# The SAN is passed as a request attribute, which is why the CA needs EDITF_ATTRIBUTESUBJECTALTNAME2 enabled.
# certreq prints "RequestId: <n>"; it is captured here for the retrieve step.
$submitOutput = & c:\Windows\System32\certreq.exe -submit -config $certificateserver -attrib "SAN:dns=$srvILO&dns=$shorthost&dns=$dnssrvilo&IPAddress=$dnssrvilo" -attrib "CertificateTemplate:$certificatetemplate" "$scriptpath\csr\$($ilofqdn.iLOHostname).csr"
$requestId = if (($submitOutput -join "`n") -match 'RequestId:\s*(\d+)') { $Matches[1] }

You will get as output an ID which you can provide to your CA admin to issue it; after that you can grab your certificate:

# $requestId is the RequestId printed by certreq -submit
certreq.exe -retrieve -config $certificateserver $requestId "$scriptpath\cert\$shorthost.crt"

Finally, import it into iLO5:

# certreq writes the certificate Base64-encoded (X.509); -Raw reads it as a single string
$cert1 = Get-Content -Path "$scriptpath\cert\$shorthost.crt" -Raw
$StatusInfo = Import-HPEiLOCertificate -Connection $connection -Certificate $cert1

 

 

Hope this helps someone in the future.
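The steps in the post above, put together as one script: it fixes the property expansion inside the path strings, polls iLO until the CSR exists instead of sleeping a fixed 60 seconds, parses the RequestId from certreq, and checks the SAN set of the issued certificate (the list the first post wanted: FQDN plus IP, no IPv6) before anything is imported into iLO. This is an added example, not the poster's script and not HPE code. The CA config string, the template name "WebServerSAN", the CSV layout and the subject fields are assumptions; the SAN labels "DNS Name" and "IP Address" are the English strings the Windows certificate formatter prints, and the check relies on them.

```powershell
# Added example (not from the original post): iLO CSR -> Microsoft CA (SAN as request attribute) -> iLO import.
# Assumes HPEiLOCmdlets 2.x, certreq.exe on a domain-joined host, and a CA with EDITF_ATTRIBUTESUBJECTALTNAME2 enabled.
param(
    [string]$CsvPath  = ".\ilos.csv",                          # assumed columns: iLOHostname,iLOIP
    [string]$CaConfig = "ca01.server.local\Corp-Issuing-CA",   # hypothetical "host\CA common name"
    [string]$Template = "WebServerSAN",                        # hypothetical template name
    [string]$WorkDir  = ".\pki",
    [pscredential]$Credential = (Get-Credential -Message "iLO administrator")
)

Import-Module HPEiLOCmdlets -ErrorAction Stop
New-Item -ItemType Directory -Force -Path (Join-Path $WorkDir "csr"), (Join-Path $WorkDir "cert") | Out-Null

function Get-SanEntries {
    # SAN entries of a certificate file as "DNS Name=..." / "IP Address=..." strings (Windows English labels).
    param([string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    # Format($true) returns one "Label=Value" entry per line.
    return ($san.Format($true) -split "`r?`n" | Where-Object { $_ -match '=' } | ForEach-Object { $_.Trim() })
}

foreach ($row in Import-Csv $CsvPath) {
    $fqdn     = $row.iLOHostname
    $short    = $fqdn.Split('.')[0]
    $ip       = $row.iLOIP
    $csrPath  = Join-Path $WorkDir "csr\$fqdn.csr"
    $certPath = Join-Path $WorkDir "cert\$fqdn.crt"

    $conn = Connect-HPEiLO -IP $fqdn -Credential $Credential -Timeout 200 -DisableCertificateAuthentication
    if (-not $conn) { Write-Warning "${fqdn}: connection failed"; continue }

    # Subject fields are placeholders; -IncludeiLOIP matches what the thread uses.
    Start-HPEiLOCertificateSigningRequest -Connection $conn -CommonName $fqdn -IncludeiLOIP `
        -City City -State State -Country XX -Organization Org -OrganizationalUnit IT | Out-Null

    # iLO generates the key pair asynchronously: poll (up to 5 minutes) instead of a fixed sleep.
    $csr = $null
    for ($i = 0; $i -lt 30 -and -not $csr; $i++) {
        Start-Sleep -Seconds 10
        $pem = (Get-HPEiLOCertificateSigningRequest -Connection $conn).CertificateSigningRequest
        if ($pem -match 'BEGIN CERTIFICATE REQUEST') { $csr = $pem }
    }
    if (-not $csr) { Write-Warning "${fqdn}: CSR not ready"; Disconnect-HPEiLO -Connection $conn; continue }
    Set-Content -Path $csrPath -Value $csr -Encoding ascii

    # SAN as a request attribute (the part that needs EDITF_ATTRIBUTESUBJECTALTNAME2).
    # dns=<ip> is the entry the thread found IE 11 requires. Whether the CA keeps or replaces a SAN
    # extension already present in the CSR depends on the CA, hence the check on the issued cert below.
    $sanAttr = "SAN:dns=$fqdn&dns=$short&dns=$ip&ipaddress=$ip"
    $submit  = & certreq.exe -submit -config $CaConfig -attrib $sanAttr -attrib "CertificateTemplate:$Template" $csrPath
    if (($submit -join "`n") -notmatch 'RequestId:\s*(\d+)') {
        Write-Warning "${fqdn}: submit failed: $submit"; Disconnect-HPEiLO -Connection $conn; continue
    }
    $requestId = $Matches[1]

    # With CA manager approval the request stays pending; -retrieve writes the file only once issued,
    # so this part can be re-run later with the same RequestId.
    & certreq.exe -retrieve -config $CaConfig $requestId $certPath | Out-Null
    if (-not (Test-Path $certPath)) {
        Write-Warning "${fqdn}: request $requestId is pending approval"; Disconnect-HPEiLO -Connection $conn; continue
    }

    # Verify what the CA actually issued before touching iLO: required names present, no IPv6 entry.
    $sans    = Get-SanEntries $certPath
    $missing = @("DNS Name=$fqdn", "IP Address=$ip") | Where-Object { $sans -notcontains $_ }
    $ipv6    = $sans | Where-Object { $_ -like 'IP Address=*:*' }
    if ($missing -or $ipv6) {
        Write-Warning "${fqdn}: unexpected SAN set: $($sans -join '; ')"; Disconnect-HPEiLO -Connection $conn; continue
    }

    # certreq wrote the certificate Base64-encoded; import it as one string (iLO resets afterwards).
    $result = Import-HPEiLOCertificate -Connection $conn -Certificate (Get-Content -Path $certPath -Raw)
    $result | Format-List
    Disconnect-HPEiLO -Connection $conn
}
```

Run it once to submit all requests, have the CA admin issue them, then run it again: rows whose certificate is already issued pass straight through retrieve, SAN check and import. Because iLO resets after a certificate import, do not reuse $conn after Import-HPEiLOCertificate; reconnect if you need to verify the new certificate from the iLO side.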