
Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

 
EliteX2Owner
Advisor

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

Yep just a +1 here.  We've recently begun to deploy HPE boxes in scenarios where we need high clock rate chips our normal Cisco UCS doesn't have.  We then of course ran smack into this issue when trying to determine how to deploy our public CA-issued wildcard cert that we use for infrastructure.  Since we use public CA certs, AND these systems do not have internet connectivity, we're faced with the choice of what will be an absolute nightmare trying to order/issue/install a unique paid (i.e. $$) cert on every single server vs just pushing our wildcard in, or, downgrade the security on our management systems by instructing them to not validate certs.  No, we don't use an internal Windows CA, we have no Windows in our environment, nor do we want to deploy a private CA and then worry about getting every other internal system to trust it.

Tono11
Occasional Visitor

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

Well, in my case we have 2 options:

1. We create the private key ourselves and generate the certificate request. The company CA processes it and gives us the certificate.

2. We make the CSR with the following constraints:

  1. Make a local copy of openssl.cnf and append the following lines to it:
    [req]
    req_extensions = v3_req
    
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = @alt_names
    
    [alt_names]
    DNS.1 = host1.mycompany.com
  2. Run this command:
    openssl req -new -subj "/CN=host1.mycompany.com" -out newcsr.csr -nodes -sha512 -newkey rsa:2048 -config openssl.cnf

The newcsr.csr file will contain the certificate request. We can upload the file or paste its contents in the textbox provided by our CA, including the header (---BEGIN CERTIFICATE REQUEST---) and the corresponding footer (---END CERTIFICATE REQUEST---), and they deliver the certificate.

 

The problem is that I cannot generate it "exactly" like that in the ILO interface. When I try to leave all the fields empty except the CN, ILO doesn't let me go further because all the Country, State, etc. fields are empty.

If I fill in all this information, the CA complains with: "The subject in the certificate signing request must only contain a CN" ...

Well... completely blocked...

 

Regards.

gherardini
Occasional Visitor

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

We attempted to upload our own custom certs directly into the iLO..... no luck. We had to create the iLO's own cert request (FQDN & IP Address) (*.csr), upload it into the system generating our custom cert, then take that *.cer and copy and paste the -----BEGIN CERTIFICATE REQUEST-----    to -----END CERTIFICATE REQUEST-----.

Our certificate generation did strip away all the company data and insert its own. When the iLO imported the cert it properly displayed all the correct data for our organization entries.
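An added example, not part of any post in this thread and not HPE tooling: shell helpers around `openssl` for the two failure points described above, a CSR whose subject is not CN-only (the CA rejection Tono11 quotes) and an issued certificate whose public key does not match the CSR it was requested with (relevant because, per the posts above, the iLO only took a certificate issued from its own request). The function names, file names and the self-signed stand-in certificates are assumptions made for the example.

```shell
#!/bin/sh
# Added example: checks on a CSR before submission and on the issued certificate
# before import. All sample files are constructed test data.

csr_subject() {      # print the CSR subject in RFC 2253 form, e.g. CN=host
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

csr_is_cn_only() {   # succeed only if the subject is a single CN attribute
    csr_subject "$1" | grep -Eq '^CN=[^,+]+$'
}

csr_has_san() {      # succeed if DNS name $2 is among the requested SANs
    openssl req -in "$1" -noout -text | tr ',' '\n' | sed 's/^ *//' |
        grep -Fxq "DNS:$2"
}

cert_matches_csr() { # succeed if certificate $1 carries the public key of CSR $2
    cert_key=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    csr_key=$(openssl req -in "$2" -noout -pubkey) || return 1
    [ -n "$cert_key" ] && [ "$cert_key" = "$csr_key" ]
}

make_samples() {     # build constructed CSRs and stand-in certificates in dir $1
    d=$1
    cat > "$d/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
[dn]
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = host1.mycompany.com
EOF
    for s in "cn_only /CN=host1.mycompany.com" \
             "full_dn /C=US/ST=State/O=ExampleOrg/CN=host1.mycompany.com"; do
        n=${s%% *}; subj=${s#* }
        openssl req -new -subj "$subj" -out "$d/$n.csr" -keyout "$d/$n.key" -nodes \
            -sha512 -newkey rsa:2048 -config "$d/openssl.cnf" 2>/dev/null || return 1
        # Self-signed stand-in for the certificate a CA would return
        openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 1 \
            -out "$d/$n.crt" 2>/dev/null || return 1
    done
}
```

Run `csr_is_cn_only` and `csr_has_san` on a CSR before sending it to the CA, and `cert_matches_csr` on the returned certificate before pasting it into the management interface.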

mmad
Occasional Visitor

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by

In ILO 5 I selected Security -> SSL Certificate -> Customize Certificate -> here I filled in the form according to my company details, afterwards -> Generate CSR

These instructions did the trick: https://phdops.kblin.org/hp-ilo-ssl-cert.html

This worked perfectly fine for me.

Xavier Walker
Advisor

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by

+100000

We really need to have a way of providing our own private keys and not having to manually create CSRs for every ILO.

It's also an issue when internal CAs don't normally provide certificates via CSR and provide directly a private key + certificate. I'm currently in this position so cannot actually install any certificate that's provided/approved by my internal CA.

GrahamCranstoun
Occasional Visitor

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by

Hi

Did anyone get to the final answer on this as to whether or not you can import a wildcard cert into the iLO?

Currently I am on iLO5 (Version 2.72)

Apologies if I have missed the answer to this.

Thanks in advance

G

EliteX2Owner
Advisor

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by

You can't import any key/cert combo, let alone a wildcard.  It sucks.

Adis_S
Advisor

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by

It should be possible with the new iLO 5 2.78 (December 2022) via Redfish

iLO 5 Redfish API Reference document (hewlettpackard.github.io)