HPE Community
HPE OneView
1821587 Members
5020 Online
109633 Solutions
New Discussion юеВ

OneView CERT

 
SOLVED
Go to solution
Scott Caryer
Frequent Advisor

тАО03-15-2018 01:58 PM

тАО03-15-2018 01:58 PM

OneView CERT

I am trying to import a cert from my windows CA DC to my new 4.0 OneView appliance.

I am first generating the CR from the OneView appliance. Then I create it from my Windows CA using teh WebServer2048 option.

I keep getting the below error message: The certificate is not valid

Unable to import signed certificate.
Extended Key Usage(EKU) field in the certificate does not contain Server Authentication and/or Client Authentication

Resolution Provide a valid certificate with EKU field set as specified

If the issue persists, Create a support dump and contact your authorized support representative for assistance.

Please advise...

Scott

 

2 people had this problem.
0 Kudos
Reply
11 REPLIES 11
ChrisLynch
HPE Pro

тАО03-15-2018 03:14 PM - edited тАО03-15-2018 03:15 PM

тАО03-15-2018 03:14 PM - edited тАО03-15-2018 03:15 PM

Re: OneView CERT

The message is quite clear what is wrong.  The SSL certificate you created must contain the Server Authentication attribute set.  Take a look at the screenshot of a certificate deployed on my appliance.Cert Enhanced Key Usage.png

I'm also attaching the Web Server Certificate Template policy I used on my Windows Server 2016 CA 

Web Server CA Template.png

 

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
0 Kudos
Reply
Scott Caryer
Frequent Advisor

тАО03-15-2018 07:11 PM

тАО03-15-2018 07:11 PM

Re: OneView CERT

Thanks for your reply Chris! I see the buck stops with you here in the OneView forums.

So I generated the certificate request through the "Guided Section" area on my  OneView appliance(4.00.07-0330056). I then generated the cert from my Windows 2012 CA utility seen in the attachment. I selected the "WedServer2048" for the Certificate Template. I do not have a certificate template for Server authenication. So I am a little confused on how to create the certificate properly. The install guide does not talk much about installing a cert on the appliance.

Thanks for any assistance. As you can tell, cert management is not my speciality.

Any additional info woudl be great.

Thanks in advance, Scott

 

 

0 Kudos
Reply
ChrisLynch
HPE Pro

тАО03-15-2018 07:22 PM

тАО03-15-2018 07:22 PM

Re: OneView CERT

The reason why we don't document the CA part is that every customer is different, and uses different enterprise CA products.  Since you are using Microsoft Enterprise Certificate Authority Services, it's quite simple.  On your Issuing CA, you need to make sure a Web Server Template is available, or a CA Template Policy that is configured with the Enhanced Key Usage policy I showed in the screenshot.  Also, review these Microsoft Technet links (Link1 and Link2) on how to configure a Certificate Template Policy.  Even though those links are for Windows Server 2003, they still apply to Server 2008, Server 2012 and Server 2016.

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
0 Kudos
Reply
Romper
Visitor

тАО04-12-2018 11:34 PM

тАО04-12-2018 11:34 PM

Re: OneView CERT

I too have had this error, however my WebServer template does allow for EKU and the certificate does show Server Authentication as a valid purpose (same as in your certificate as shown).

We too are using MS CA.

0 Kudos
Reply
John Bigg
Esteemed Contributor

тАО04-13-2018 07:32 AM

тАО04-13-2018 07:32 AM

Re: OneView CERT

You need both Server AND Client authentication. Do you have both?

Reply
bronman
Occasional Visitor

тАО05-25-2018 12:14 AM

тАО05-25-2018 12:14 AM

Re: OneView CERT

I have the same issue

0 Kudos
Reply
John Bigg
Esteemed Contributor

тАО05-29-2018 05:34 AM

тАО05-29-2018 05:34 AM

Re: OneView CERT

You need to make sure that your CA honours the request for the EKU fields Server Authentication and Client Authentication. One or both of these are missing from the certificate generated by your CA.

0 Kudos
Reply
Daniel-L
Advisor

тАО06-01-2018 04:34 AM

тАО06-01-2018 04:34 AM

Solution

Re: OneView CERT

Hello Scott,

that's what I've got (after some lengthy discussion) from HPE support:

If you create a Certificate Signing Request (CSR) in OV, it will request the following usages:

            X509v3 Key Usage:

                Digital Signature, NonRepudiation, Key Encipherment

            X509v3 Extended Key Usage:

                TLS Web ServerAuthentication, TLS Web Client Authentication

If you submit this CSR to your CA, the resulting certificate should contain all these features.

Make sure, that your CA will generate a ceritifcate that includes ALL of above.

Had to get our CA team to try several times, until OneView was satisfied with the generated certificate.

Regards,

Daniel

 

0 Kudos
Reply
Denialmix
Occasional Advisor

тАО06-04-2018 01:27 PM

тАО06-04-2018 01:27 PM

Re: OneView CERT

Duplicate WebServer template, check ServerAuth and add ClientAuth, add Non Repudiation... add Template in your CA and Works!

Thanks!

0 Kudos
Reply
CorbettEnders
Advisor

тАО02-03-2021 08:45 AM - edited тАО02-03-2021 08:50 AM

тАО02-03-2021 08:45 AM - edited тАО02-03-2021 08:50 AM

Re: OneView CERT

Here's the steps for someone using a Microsoft cert authority in their windows domain.

  1.  Create the cert request from Oneview
    1. Log into Oneview and from the NAV in the top left select Settings. 
    2. Click on Security
    3. In the Actions menu top right, select Create appliance certificate signing request
    4. Fill in the details and click OK to get the large text block containing the base64 encoded cert request.
    5. Copy the cert request to your clipboard or save the text in Notepad.
  2.  Create a certificate template that OneView will be happy with.
    1.  On your Windows CA, open the "Certification Authority" app.
    2.  In the tree on the left side, right-click on Certificate Template and select Manage.
    3. Scroll down to Web Server and right-click select Duplicate Template
    4. On the General tab, tweak the names to your liking. I use "HPE OneView".
    5. On the Extensions tab, click Application Policies and click Edit. Add Client Authentication. Click OK. You should now have both Server Authentication and Client Authentication.
    6. On the same Extensions tab, click Key Usage and click Edit. Checkmark "signature is proof of origin (nonrepudiation)". Ensure Allow key exchange only with key encryption (key encipherment) radio button is selected. Click OK.
    7. On the Security tab, apply read and enroll to whichever user account will be requesting the cert from this CA (ie: domain admins, your windows account, etc).  I use my domain admin account.
    8. Click OK/Apply and close editing that template.
    9. Back at the main Certification Authority screen, right click again on the Certificate Template folder and select New -> Certificate Template to issue. 
    10. Choose the certificate template you just duplicated (in my case: HPE OneView).
    11. Verify that you see it in the list.
  3. Request the certificate from your CA using the new template
    1. Open a web browser and navigate to your CA's webpage.  In my case: http://dc09/certsrv 
    2. Click on "Download a CA Certificate, certificate Chain, or CRL
    3. Select Base64 and click Download CA Certificate - Name it CA-cert.txt and save it somewhere.
    4. Go back to the home page and click Request a Certificate
    5. Click Advanced Certificate Request
    6. Click Create and Submit a request to this CA.
    7. Paste in the base64 text copied from step 1 and in Certificate Template select the template name you just created, in my case HPE OneView.
    8. Click Submit.
    9. Select Base64 encoded and click Download Certificate, save the file oneview.txt.
  4. Import both the CA and the server certificate into Oneview.
    1. Back on the Security settings page of OneView, click on Actions > Manage Certificates
    2. Click Add Certificate
    3. Using Notepad, open the CA-cert.txt file you downloaded in step 3-3 above. Copy and paste the base64 text into the dialog and then click Add.
    4. Assuming no issues, close that page and then click Actions > Import Appliance certificate.
    5. Open the oneview.txt cert downloaded in step 3-9 above and copy/paste the text into this Import cert dialog.
    6. Click OK and if all goes well, no errors and the system will import the cert. 

Next time you browse the page you should get a happy cert.

Reply
kpatelvno
New Member

тАО03-07-2024 10:48 AM

тАО03-07-2024 10:48 AM

Re: OneView CERT

Followed @CorbettEnders  detailed directions, worked perfectly for us!

Only addition was giving the user that was doing the certificate intall enrollment rights on the certificate template.

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.