
Re: Importing a private key isn't secure? (was: Importing SSL Certificate AND Private Key?)

 
alexs77
Occasional Advisor

Re: Importing SSL Certificate AND Private Key?


@Jimmy Vance wrote:

Sorry, I quickly glanced at your original message and thought you were asking how to import a certificate as that question comes up often.

 

 


Yeah, I somehow had the impression that you hadn't fully read my original post :)

Cheers,

Alexander

alexs77
Occasional Advisor

Importing a private key isn't secure? (was: Importing SSL Certificate AND Private Key?)


@Dennis Handly wrote:

Importing a private key isn't secure.  Usually you generate a CSR and get it signed and then import that.


 

Uh? Why shouldn't it be secure? Usually, for all the web-, mail- and whatnot-servers, we generate CSRs on trusted systems (or on the system itself) and then install the certificate + key + intermediate cert(s) on the target system(s).

I'd really like to know why you think that this is NOT secure.

Could you please expand on that?

Thanks a lot,

Alexander

Dennis Handly
Acclaimed Contributor

Re: Importing a private key isn't secure? (was: Importing SSL Certificate AND Private Key?)

>Why shouldn't it be secure? ... and then install the certificate + key + intermediate cert(s) on the target system(s).

 

Because the key leaves one host and is installed in another.  Someone could hijack it.  And all your systems have the same key.

I deal with secure devices and it is a big selling point (FIPS requirement) to say that the key NEVER leaves the device.

jwilczek
Visitor

Re: Importing a private key isn't secure? (was: Importing SSL Certificate AND Private Key?)

I have an identical problem - did you solve yours?
I have a *.domain.com certificate and would like to upload it to iLO4.

 

--
Jacek

dmemenza
Visitor

Re: Importing SSL Certificate AND Private Key?

Hi,

I know this is a pretty old thread, but I need help with this exact process (importing certificates to iLO).  I need to do this for multiple iLO devices at a time.  I've been working on the "Generating CSR" script that comes packaged with HPE's iLO PowerShell package and got it pretty much completed.  Next steps are to import the signed certs (3rd party) into each iLO device.  Any suggestions/recommendations on how to do that would certainly be very much helpful.  Appreciate the help in advance.

Thanks,

- DM

GokulKS
HPE Pro

Re: Importing SSL Certificate AND Private Key?

Hi,

Definitely it's possible with PS cmdlets of iLO.

Below are the complete steps to generate and import certificates:

Four steps are involved in this use-case:

1) Generate the certificate – Start-HPEiLOCertificateSigningRequest

2) Get the certificate – Get-HPEiLOCertificateSigningRequest

3) Sign the CSR using any third-party CA – No cmdlet as it's done by third-party

4) Import the certificate – Import-HPEiLOCertificate

And below is the example of how importing of certificate can be done.

PS C:\> $cert = @"
-----BEGIN CERTIFICATE-----
ASampleCertificateAAALftnNE12JR8T8XQqyzqc1tt6FLFRXLRM5PJpOf/IG4hN45
pNdJAhTC8O2505PzkGLf5qhrbDnusclCvoH7DuxyHjeOUVxbC5wFQBcGF4VnpYZ8nGQ
Gt9TQ0iUV+NRwn4CR5ESoi63zTJIvKIYZDT2ISeXhF2iU6txjZzdeEm7vQz3slaY3dg
AAAIAQ46i6FBzJAYXziF/qmWMt4y6SlylOQDAsxPKk7rpxegv8RlTeon/aeL7ojb9GQ
2xnEN5gobaNZxKz2d4/jwg3+qgTDT6V1G+b7+nEI/XHIc717/7oqgiOv4VE3WxN+HE9
JWsv2jwUpAzRGqJOoojRG/CCru0K+jgTOf/di1o0sw
-----END CERTIFICATE-----
"@

PS C:\> $connection = Connect-HPEiLO 10.20.30.40,10.20.30.41 -Username admin -Password admin123

PS C:\> Import-HPEiLOCertificate -Connection $connection -Certificate $cert 


I am a HPE Employee


PhS-
Regular Advisor

Re: Importing SSL Certificate AND Private Key?

GokulKS, I like your instructions ... have you actually tested it? With HPEiLOCmdlets 2.0.0.0? And a bit of customization (like City, State, Country, Organization etc.)?

Because our finding is that:

Start-HPEiLOCertificateSigningRequest

does not use the value of '-City', regardless of how you specify it. Should place it into '<CSR_Locality>' inside the XML it sends, but there's no such field in the raw request being sent.

Get-HPEiLOCertificateSigningRequest

resubmits new CSR generation with default parameters. It does not simply retrieve the previously generated CSR (with parameters specified by 'Start-HPEiLOCertificateSigningRequest').

So I am curious who's really testing these PowerShell cmdlets?
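
Two checks that fit the CSR-based flow discussed in this thread, as an added example that is not part of any post and not HPE's code: confirm the CSR carries the subject fields you requested before sending it to the CA, and confirm the signed certificate was issued for the key in the CSR currently held by the device before importing it. It uses the openssl CLI rather than the iLO cmdlets; the file names, subjects and the `make_demo_files` helper are constructed for illustration.

```shell
#!/bin/sh
# Added example; needs the openssl CLI. All names and subjects are constructed.

# Subject of a PEM CSR in one-line RFC 2253 form, e.g. CN=...,O=...,L=...
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# True if the CSR subject carries the attribute exactly, e.g. "L=Houston".
# (Simple split on commas; values that contain commas need a real parser.)
csr_has_attr() {
    csr_subject "$1" | tr ',' '\n' | grep -qxF "$2"
}

# SHA-256 of the DER public key in a CSR ($1=req) or certificate ($1=x509).
pubkey_fp() {
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# 0 = certificate was issued for the key in this CSR, 1 = different key,
# 2 = one of the files could not be parsed.
cert_matches_csr() {
    fp_csr=$(pubkey_fp req "$1") || return 2
    fp_crt=$(pubkey_fp x509 "$2") || return 2
    [ "$fp_csr" = "$fp_crt" ]
}

# Constructed sample data: a CSR with the requested subject, a certificate
# signed for it (self-signed stand-in for the CA), and a second CSR with a
# fresh key and no locality, standing in for a regenerated default request.
make_demo_files() {
    d=$1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/a.key" -out "$d/a.csr" \
        -subj "/C=US/ST=Texas/L=Houston/O=Example/CN=ilo01.example.test" 2>/dev/null
    openssl x509 -req -in "$d/a.csr" -signkey "$d/a.key" -days 1 \
        -out "$d/a.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/b.key" -out "$d/b.csr" \
        -subj "/C=US/O=Example/CN=ilo01.example.test" 2>/dev/null
}
```

A certificate that fails `cert_matches_csr` against the device's current CSR was signed for a key the device no longer holds.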

 

 

GokulKS
HPE Pro

Re: Importing SSL Certificate AND Private Key?

Hi,

As I mentioned in other posts, both of them are bugs and we are working towards fixing it.

This issue happens only on Gen8\9 systems but Gen10 works as expected.

Thanks,

Gokul


I am a HPE Employee
