11-11-2018 11:10 PM
Powershell - replace Server certificate in OneView
We would like to replace all server certificates, from self-signed to ones from the Active Directory CA. On one test server I was able to create the request over PowerShell but was not able to import it (used the web GUI as a workaround).
So the test server has the right certificate (and it is also trusted when accessed from browsers), but in OneView I still see the self-signed certificate. What is weird is that a refresh in OneView for this server still works, so it seems to still be communicating with the old certificate?
$ovhw = Get-HPOVServer -ServerName serverfqnd | Get-HPOVApplianceTrustedCertificate
My question is how to replace this server certificate in OneView by using PowerShell.
I am using:
HPEiLOCmdlets
Name          Version
----          -------
HPEiLOCmdlets 2.1.0.0
OneView:
oneview01 LibraryVersion Path
---------------------------- -------------- ----
ApplianceVersion: 4.10.01.348545.00 4.10.1802.1882 C:\Program Files\WindowsPowerShell\Modules\HPOneView.410\4.10.1802.1882
11-12-2018 07:18 PM
Re: Powershell - replace Server certificate in OneView
Hi @Adis_S
Why the server refresh continues to work:
The iLOs can be trusted if
1. a copy of the certificates on them is present in the appliance trust store (this applies when there are self-signed certificates on the iLOs), or
2. the Root CA that has signed the iLO certificates is present in the appliance trust store (this applies when there are CA-signed certificates on the iLOs).
In your case, as you have stated, the newly generated CA signed certificates have taken effect on the iLOs.
Even though the self-signed certificates for the iLOs have not been deleted from the appliance trust store, the "AD server CA" that you used to sign the iLO's certificates is probably uploaded to the appliance trust store.
These iLOs are now being trusted by OneView using the Root CA that is in the appliance trust store.
All you probably need to do at this point is to delete the "self-signed" certificates for the iLOs from the appliance.
Using REST API to DELETE /rest/certificates/servers/<server uuid alias for the iLO>
POSH for HPE OneView has the PowerShell cmdlet to do that.
Let me know if this answers your question.
Regards,
Bhaskar Vasudevan
I am an HPE employee
11-12-2018 10:10 PM
Re: Powershell - replace Server certificate in OneView
Also, you may want to delete the self-signed certificates from the appliance trust store only for those iLOs whose certificates have been updated with a CA-signed certificate. Until you have replaced the self-signed certificates on iLOs with a CA-signed certificate, the appliance needs the self-signed certificate to be able to trust such iLOs.
I am an HPE employee
11-13-2018 03:29 AM
Re: Powershell - replace Server certificate in OneView
Thank you for your reply. The part about "The iLOs can be trusted if" was new to me, at least the information about the Root CA. I just removed the trusted certificate from the appliance trusted certificate store, and refresh of the host information in OneView is still working.
The following command will give you an error, but it seems that it does not impact trust between OneView and the server.
Get-HPOVServer -ServerName serverfqnd | Get-HPOVApplianceTrustedCertificate
Get-HPOVApplianceTrustedCertificate : The specified '' trusted SSL certificate resource not found on Appliance 'oneview01'. Please check the name and try again
I used the following PowerShell command to remove the certificate, where I double-checked with the thumbprint that I am deleting the right certificate.
Get-HPOVApplianceTrustedCertificate -Name "UsedNameFromGetTrustedCertificated" | Where-Object {$_.Certificate.Thumbprint -eq "XXXXXXXXX"} | Remove-HPOVApplianceTrustedCertificate -WhatIf
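The caveat from the replies above (remove a trust-store entry only for an iLO that already presents a CA-signed certificate) can be checked before the delete. This is an added example, not part of the original thread and not HPE's code: `Get-LiveTlsCertificate` and `Test-StaleTrustEntry` are hypothetical helper names, the host and entry names are placeholders, and it assumes a connected OneView session and that the AD root CA is trusted by the machine running the script.

```powershell
# Added example. Function names, host name and entry name are hypothetical.
function Get-LiveTlsCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept whatever is presented: the certificate is inspected here, not trusted.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        try {
            $ssl.AuthenticateAsClient($HostName)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $tcp.Close() }
}

function Test-StaleTrustEntry {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$LiveCert,
        [Parameter(Mandatory)][string]$StoredThumbprint
    )
    # Self-signed: subject and issuer are the same name.
    $selfSigned = $LiveCert.Subject -eq $LiveCert.Issuer
    # Assumption: the AD root CA is in this machine's Trusted Root store,
    # so a CA-signed iLO certificate builds a valid chain locally.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainsToCa = $chain.Build($LiveCert)
    # The stored entry is stale only if the iLO no longer presents it.
    $replaced = $LiveCert.Thumbprint -ne ($StoredThumbprint -replace '\s', '').ToUpper()
    (-not $selfSigned) -and $chainsToCa -and $replaced
}

# Usage against a connected OneView session (values are placeholders).
$iloHost   = 'ilo-server01.example.local'
$entryName = 'UsedNameFromGetTrustedCertificated'
$live = Get-LiveTlsCertificate -HostName $iloHost
Get-HPOVApplianceTrustedCertificate -Name $entryName |
    Where-Object { Test-StaleTrustEntry -LiveCert $live -StoredThumbprint $_.Certificate.Thumbprint } |
    Remove-HPOVApplianceTrustedCertificate -WhatIf
```

With `-WhatIf` left in place nothing is deleted; an entry is only passed to the remove step when the iLO's live certificate is CA-issued and differs from the stored thumbprint.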