Server Management - Systems Insight Manager
1747980 Members
4096 Online
108756 Solutions
New Discussion юеВ

Re: Sign SIM certificate with internal CA

 
NJK-Work
Honored Contributor

Sign SIM certificate with internal CA

Does anyone have a documented process for signing the certificate used by SIM with an internal Windows 2008 CA that they would like to share?

Thanks
Nelson
9 REPLIES 9
NJK-Work
Honored Contributor

Re: Sign SIM certificate with internal CA

I forgot to mention, this would be for SIM 6.2.

NElson
Arunav Nayak
Valued Contributor

Re: Sign SIM certificate with internal CA

Hi Nelson,

Please find the User Guide @ http://h10018.www1.hp.com/wwsolutions/misc/hpsim-helpfiles/hpsim_userguide_51.pdf
that has the documentation on how to perform the steps.

Go to page no. 152 and you can get the details on Certificate related setings.

Please get back in case of any issue or confusion.


Thanks,
Arunav
NJK-Work
Honored Contributor

Re: Sign SIM certificate with internal CA

Thanks, but I could find nothing in that document that specifically describes how to perform this task with a Windows 2008 CA.

Here is the problem I run into:

1) Verify the root CA cert is on the SIM server in the "Computer Account" folder called "Trusted Root Authority Certificates/Certificates" - it is indeed there, as it is on every server we build

2)Create a new certifcate with my company settings and this replaces the existing one installed by HP SIM

3) From the "Import Certificate" page, I "Create a Certificate Signing Request" and it creats a "certreq.p10" file

4) I go to the https://mycaservername//certsrv/certrqxt.asp page and paste in the text from the "certreq.p10" file and select the template we have created for this - this is the same template I use for iLOs (which work fine for us). I download the file a "Base 64 encoded" CRT file.

5) From the "Import Certificate" page I "Import signed certificate reply from CA" and point it to the "CRT" file created in step 4 above.

6) When I click the "Import" button as part of step 5 above I get this error:

"Error importing signed certificate: failed to establish chain of trust from reply; first import CA certificate into Trusted System Certificates list." - as I mentioned in step one, I have already done this.

So somewhere, must likely in my CA template I am using - the same template I successfully use for iLO 2 and iLO 3 devices, I am doing something wrong.

So, does anyone have a documented process (i.e. what do I do on the CA server) to make this work for a Windows 2008 CA.

Thanks
Nelson
Robb Howell
New Member

Re: Sign SIM certificate with internal CA

Hi, Did you ever figure this out, I've got exactly the same issue.

Cheers!
Robb.
NJK-Work
Honored Contributor

Re: Sign SIM certificate with internal CA

No, I gave up.

Nelson
dgerol
Occasional Advisor

Re: Sign SIM certificate with internal CA

I have managed to get this working with a W2K8 AD CA.

 

Before importing the SIM signed certificate, the SIM server needs to be able to establish a chain back to the Root CA. You do this by:

 

1. Go Options / Security / Credentials / Trusted Systems.

2. Select the tab "Trusted Certificates"

3. Import the cert (or certs) of your CA.

4. Now go back to the HP SIM Server Certificate section and import the signed certificate.

 

Hope this helps... 

 

Dennis.

 

 

zeroagemain
Frequent Advisor

Re: Sign SIM certificate with internal CA

I know this is an old post but we had this issue due to downloading just the certificate from our cert server rather than the certificate chain.

Once we downloaded and imported the certificate chain it worked fine.
StephaneD
Occasional Visitor

Re: Sign SIM certificate with internal CA

Hello I'm using HP SIM 7.3 with the exact same issue. I have imported the whole chain into the 'Trusted Certificates' tab. I can see all my certs CA listed in the page.

 

From the HP Sim Server certificate section, I'm doing import of the signed certificate and get this error :

 

Error importing signed certificate: failed to establish chain of trust from reply; first import CA certificate into Trusted System Certificates list.

 

Any help is appreciate.

 

Stephane

EricBu
Occasional Visitor

Re: Sign SIM certificate with internal CA

HI HP...feedback from the above post pls?