HPE OneView

Re: Powershell - replace Server certificate in OneView

Adis_S
Advisor

Powershell - replace Server certificate in OneView

We would like to replace all Server certificates from self-signed to ones from the Active Directory CA. On one test Server I was able to create the request over PowerShell but was not able to import it (used the WebGUI as a workaround).

So the test Server has the right certificate (and is also trusted when accessed over a browser), but in OneView I still see the self-signed certificate. What is weird is that refresh in OneView for this Server still works, so it seems it is still communicating with the old certificate?

$ovhw = Get-HPOVServer -ServerName serverfqnd | Get-HPOVApplianceTrustedCertificate

My question is how to replace this Server Certificate in OneView by using powershell.

I am using:

HPEiLOCmdlets

Name          Version
----          -------
HPEiLOCmdlets 2.1.0.0

OneView:

oneview01        LibraryVersion Path                                                                   
----------------------------        -------------- ----                                                                   
ApplianceVersion: 4.10.01.348545.00 4.10.1802.1882 C:\Program Files\WindowsPowerShell\Modules\HPOneView.410\4.10.1802.1882

BhaskarV
Trusted Contributor

Re: Powershell - replace Server certificate in OneView

Hi @Adis_S

Why the server refresh continues to work is this:
The iLOs can be trusted if
1. a copy of the certificates on them is present in the appliance trust store (this applies when there are self-signed certificates on the iLOs), or
2. the Root CA that has signed the iLO certificates is present in the appliance trust store (this applies when there are CA-signed certificates on the iLOs).

In your case, as you have stated, the newly generated CA signed certificates have taken effect on the iLOs.
Even though the self-signed certificates for the iLOs have not been deleted from the appliance trust store, the "AD server CA" that you used to sign the iLO's certificates is probably uploaded to the appliance trust store.
These iLOs are now being trusted by OneView using the Root CA that is in the appliance trust store.

All you probably need to do at this point is to delete the "self-signed" certificates for the iLOs from the appliance.
Using the REST API: DELETE /rest/certificates/servers/<server uuid alias for the iLO>
POSH for HPE OneView has the PowerShell cmdlet to do that.

Let me know if this answers your question.

Regards,
Bhaskar Vasudevan


I am an HPE employee


BhaskarV
Trusted Contributor

Re: Powershell - replace Server certificate in OneView

Also, you may want to delete the self-signed certificates from the appliance trust store only for those iLOs whose certificates have been updated with a CA-signed certificate. Until you have replaced the self-signed certificates on the iLOs with a CA-signed certificate, the appliance needs the self-signed certificate to be able to trust such iLOs.


I am an HPE employee


Adis_S
Advisor

Re: Powershell - replace Server certificate in OneView

@BhaskarV

Thank you for your reply; the part about "The iLOs can be trusted if" was new to me, at least the information about the Root CA. I just removed the trusted certificate from the appliance trusted certificate store and refresh of the Host information in OneView is still working.

The following command gives an error, but it seems that it does not impact trust between OneView and the server.

Get-HPOVServer -ServerName serverfqnd | Get-HPOVApplianceTrustedCertificate
Get-HPOVApplianceTrustedCertificate : The specified '' trusted SSL certificate resource not found on Appliance 'oneview01'.  Please check the name and try again


I used the following PowerShell command to remove the certificate, where I double-check with the Thumbprint that I am deleting the right certificate.

Get-HPOVApplianceTrustedCertificate -Name "UsedNameFromGetTrustedCertificated" | Where-Object {$_.Certificate.Thumbprint -eq "XXXXXXXXX"} | Remove-HPOVApplianceTrustedCertificate -WhatIf
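The two points raised in this thread, that the self-signed entry should only be removed once the iLO really presents a CA-signed certificate, and that the thumbprint should be checked before anything is deleted, can be combined into one script. The following is an added example and not code from HPE, the HPOneView module or the posters; it uses the cmdlets shown in the thread (`Get-HPOVServer`, `Get-HPOVApplianceTrustedCertificate`, `Remove-HPOVApplianceTrustedCertificate`), assumes an existing `Connect-HPOVMgmt` session, and treats the `mpHostInfo.mpHostName` field, the parameter names and the trust store entry alias as assumptions to verify against your own appliance.

```powershell
# Added example for this thread (not from HPE or the original posters).
# Removes a stale self-signed iLO entry from the OneView trust store only once the
# iLO actually presents a certificate that chains to the AD CA, and compares
# thumbprints before removing anything. Assumes the HPOneView module is loaded and
# Connect-HPOVMgmt has already been run.
param(
    [Parameter(Mandatory)][string]$ServerName,            # server hardware name in OneView
    [Parameter(Mandatory)][string]$CaThumbprint,          # thumbprint of the AD issuing CA in the trust store
    [Parameter(Mandatory)][string]$TrustStoreEntryName,   # alias of the old self-signed entry (placeholder)
    [switch]$Apply                                        # without -Apply, removal runs with -WhatIf
)

function Get-LiveIloCertificate {
    # Open a TLS session to the iLO and return the leaf certificate it presents.
    # The validation callback accepts anything on purpose: the goal is to inspect
    # the certificate, not to rely on the local machine's trust store.
    param([Parameter(Mandatory)][string]$IloHost, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($IloHost, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($IloHost)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally { $tcp.Dispose() }
}

function Test-IssuedByCa {
    # Verify the leaf really chains to the given CA certificate (signature check),
    # not merely that its Issuer string looks right.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Ca
    )
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $null = $chain.ChainPolicy.ExtraStore.Add($Ca)
    $null = $chain.Build($Leaf)
    return [bool]($chain.ChainElements | Where-Object { $_.Certificate.Thumbprint -eq $Ca.Thumbprint })
}

# 1. Locate the server and its iLO address. mpHostInfo.mpHostName is assumed to be the
#    field name on the OneView server-hardware resource; verify it on your appliance.
$server  = Get-HPOVServer -ServerName $ServerName
$iloHost = $server.mpHostInfo.mpHostName
if (-not $iloHost) { throw "No iLO hostname found for '$ServerName'." }

# 2. Fetch what the iLO presents right now and the CA entry OneView already trusts.
$live = Get-LiveIloCertificate -IloHost $iloHost
$ca   = Get-HPOVApplianceTrustedCertificate |
    Where-Object { $_.Certificate.Thumbprint -eq $CaThumbprint } | Select-Object -First 1
if (-not $ca) { throw "CA with thumbprint $CaThumbprint is not in the appliance trust store; import it first." }

$selfSigned = ($live.Subject -eq $live.Issuer)
if ($selfSigned -or -not (Test-IssuedByCa -Leaf $live -Ca $ca.Certificate)) {
    Write-Warning "iLO $iloHost still presents a self-signed or untrusted certificate ($($live.Thumbprint)); keeping the trust store entry."
    return
}

# 3. Only now remove the stale self-signed entry, and only if its thumbprint differs
#    from the certificate the iLO is currently serving.
$stale = Get-HPOVApplianceTrustedCertificate -Name $TrustStoreEntryName |
    Where-Object { $_.Certificate.Thumbprint -ne $live.Thumbprint -and
                   $_.Certificate.Subject -eq $_.Certificate.Issuer }
if (-not $stale) { Write-Host "No stale self-signed entry named '$TrustStoreEntryName' found."; return }

Write-Host "Removing self-signed entry $($stale.Certificate.Thumbprint) for $iloHost (live cert: $($live.Thumbprint))"
$stale | Remove-HPOVApplianceTrustedCertificate -WhatIf:(-not $Apply)
```

Run it without `-Apply` first: the removal is then executed with `-WhatIf`, exactly as in the command above, so the output shows which entry would be deleted. The script refuses to touch the trust store if the iLO still serves a self-signed certificate, or if the certificate it serves does not chain to the CA entry already uploaded to the appliance, which is the condition BhaskarV describes for the appliance continuing to trust the iLO after the self-signed copy is gone.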