Server Management - Remote Server Management

iLO SSL Certificate, why no SAN for short name? Or why can't we generate key and cert external

 
SOLVED
uzimmermann
Advisor

iLO SSL Certificate, why no SAN for short name? Or why can't we generate key and cert external

I really dislike that I can't add the short name of the iLO to the certificate signing request as a subject alternative name, just like the IP.

Or allow us to generate the certificate externally with the key and just upload the pair.

If the iLO is named con-serverXXX.domain.info, the certificate ideally should include the FQDN plus, via SAN, con-serverXXX, the IPv4 address and the IPv6 address.

 

SanjeevGoyal
HPE Pro

Re: iLO SSL Certificate, why no SAN for short name? Or why can't we generate key and cert external

Hello,

I would suggest the best option may be to allow users to upload a PFX/PKCS12 file that includes the private key and certificate (and the CA chain?). That way, you can use wildcards, certs with multiple SAN names (perhaps listing all their iLO hostnames), and short names if they so choose.

PFX/P12 files have passwords, so you would want to accept the file plus the password and run OpenSSL to split apart the key and cert and store them in the appropriate location on the iLO. Or allow us to upload an unencrypted RSA private key and the certificate in a web form with two fields.

What you could do is create your own private CA in your organization and use this CA to issue the iLO certificates. This gives you more flexibility and control over what settings you want enabled/disabled. The only caveat of using a private CA is that you need to install the certificate of this CA into your browsers and applications so they can trust the certs issued by it.

Please follow the links below and make sure the server is updated with the latest BIOS and iLO firmware.

HPE iLO 5 1.30 User Guide (page 329)

http://itdoc.hitachi.co.jp/manuals/ha8000v/hard/Gen10/iLO/880740-004_en.pdf


HPE iLO 4 User Guide (page 74)

http://www.ni.com/pdf/manuals/377263a.pdf

HPE iLO 5 Scripting and Command Line Guide (page 124)

https://server-recycling.nl/images/faq/handleidingen/HP-iLO-5-Scripting-and-Command-Line-Guide-a00018323en_us.pdf


Regards,


I am a HPE Employee


uzimmermann
Advisor

Re: iLO SSL Certificate, why no SAN for short name? Or why can't we generate key and cert external

Yes, we have our own private CA. Whether the certificate is a wildcard or not doesn't matter so much to me, but I wish iLO would support import of key and certificate, or at least allow generation of a CSR with a SAN of the short name in addition to the IPv4 and IPv6 addresses.

OneView for example automatically fills the SAN with short name, FQDN and IPv4/v6 address.

 

uzimmermann
Advisor
Solution

Re: iLO SSL Certificate, why no SAN for short name? Or why can't we generate key and cert external

OK, here is what I finally ended up remembering from a previous job; I recreated what I had there.

  • Use PowerShell to request the CSR from iLO
  • Save the CSR to disk
  • Grab the common name from the CSR and the SAN
  • Create an environment variable called ALTNAME, which lists all the SANs, i.e. "DNS:<FQDN>, DNS:<short>, IP:<IPv4 address>, IP:<IPv6 address>"
  • Call the usual openssl ca operation but add "-extfile openssl-san.cnf"
  • Convert the file to PEM and load it into iLO

The openssl-san.cnf file just contains:

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = $ENV::ALTNAME

This will override the SAN as provided by iLO in the CSR and generate a certificate that also has the short name in it.
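The procedure above, carried through end to end as an added example (this is not code from the original post, and the openssl-san.cnf content is the one quoted above). It reads the CN out of a CSR, builds the ALTNAME value with FQDN, short name, IPv4 and IPv6, writes the extension file and signs the request with a private CA. Two assumptions are mine: `openssl x509 -req -CA ...` stands in for the `openssl ca` setup the post refers to (same `-extfile`, no CA directory to maintain), and the CA and CSR are generated locally so the script runs offline; in practice the CSR is the one exported from the iLO and the issued PEM is what you upload back.

```shell
#!/bin/sh
# Added example, not code from the original thread. Signs an iLO-style CSR with a
# private openssl CA while replacing the SAN list, following the steps in the post.
# Assumptions (hypothetical): "openssl x509 -req -CA ..." replaces the "openssl ca"
# setup from the post, and the CA/CSR below are constructed locally for the demo.
set -eu

# Derive "DNS:<fqdn>, DNS:<short>, IP:<v4>, IP:<v6>" from the FQDN and addresses.
build_altname() {
  fqdn=$1; ipv4=$2; ipv6=$3
  short=${fqdn%%.*}                 # host label only: everything before the first dot
  printf 'DNS:%s, DNS:%s, IP:%s, IP:%s' "$fqdn" "$short" "$ipv4" "$ipv6"
}

# Common name of a PEM CSR ("grab common name from CSR" in the post).
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Write the openssl-san.cnf from the post and sign the CSR with the CA in $ca_dir.
# subjectAltName is taken from $ALTNAME, so whatever SAN the CSR carried is replaced.
sign_with_san() {
  csr=$1; out=$2; altname=$3; ca_dir=$4
  cat > "$ca_dir/openssl-san.cnf" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = $ENV::ALTNAME
EOF
  ALTNAME=$altname openssl x509 -req -in "$csr" -days 365 -sha256 \
    -CA "$ca_dir/ca.crt" -CAkey "$ca_dir/ca.key" -CAcreateserial \
    -extfile "$ca_dir/openssl-san.cnf" -out "$out" 2>/dev/null
}

# Print the SAN line of an issued certificate: the check to run before uploading
# the PEM to the iLO, to confirm the short name really made it in.
cert_san() {
  openssl x509 -in "$1" -noout -text |
    sed -n '/X509v3 Subject Alternative Name/{n;s/^ *//;p;}'
}

# End-to-end run with a constructed CA and CSR; echoes the resulting SAN line.
demo() {
  work=$(mktemp -d)
  # Constructed private CA (a real deployment uses the organisation's own CA).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$work/ca.key" -out "$work/ca.crt" \
    -subj "/CN=Demo Private CA" 2>/dev/null
  # Constructed CSR standing in for the one exported from the iLO (CN = FQDN).
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$work/ilo.key" -out "$work/ilo.csr" \
    -subj "/CN=con-server001.domain.info" 2>/dev/null

  fqdn=$(csr_cn "$work/ilo.csr")
  altname=$(build_altname "$fqdn" 192.0.2.10 2001:db8::10)
  sign_with_san "$work/ilo.csr" "$work/ilo.crt" "$altname" "$work"
  cert_san "$work/ilo.crt"
  rm -rf "$work"
}

# Run the demo when invoked as "sh ilo-san.sh --demo".
if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

With a real iLO CSR, replace the constructed `ilo.csr` with the file saved from the iLO and point `ca.crt`/`ca.key` at your private CA; `cert_san` then shows `DNS:<FQDN>, DNS:<short>, IP Address:<v4>, IP Address:<v6>` on the issued certificate, which is the result the post describes.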

 

SanjeevGoyal
HPE Pro

Re: iLO SSL Certificate, why no SAN for short name? Or why can't we generate key and cert external

Hello,

Thank you for your update.

Please let us know if you have any other queries.


Regards,

 


I am a HPE Employee

Adis_S
Advisor

Re: iLO SSL Certificate, why no SAN for short name? Or why can't we generate key and cert external

I am facing the same issue: there is no option to add additional SANs and an e-mail address to the CSR request within iLO 5. That is the reason the company I work for raised a feature request with HPE, in the hope that they give us such an option. Other HPE products like OneView, OneView for Composer2, C7000 ENCs etc. all have more field options when requesting a CSR than iLO 4/5.

When using a Microsoft CA in the company (and nothing else is allowed), the trick with openssl will not work, nor will any other private CA. There is a workaround with certreq.exe when requesting the certificate, but it requires the Microsoft CA option EDITF_ATTRIBUTESUBJECTALTNAME2, which is not recommended by Microsoft anymore and is disabled on our side.

So for us, we hope that the feature request will be fulfilled.