HPE OneView
Upload CA Signed OneView Certificate

SOLVED
bradawk1
Trusted Contributor

Upload CA Signed OneView Certificate

I'm having a little trouble with the last part of renewing our OneView appliance server certificate.  I can generate the CSR and submit it to our CA for signature.  I get back the signed certificate in base64 encoded format and paste into <oneview hostname>.cer.

SCRT=<oneview hostname>.cer
# Change the line feeds to '\n':
SCRTN=$(cat ${SCRT} | awk '{ printf "%s\\n", $0 }')
# Add a leading newline:
SCRTN="\n${SCRTN}"
#
# Post to the OneView appliance:
CERTURI=$(curl --insecure --silent \
      --header "content-type: application/json" \
      --header "X-API-Version: ${currentVersion}" \
      --header "auth: ${sessionID}" \
      --data '{ "base64Data":"${SCRTN}" }' \
      --request PUT ${OneView}/rest/certificates/https | jq -r '.uri')
#
# Check the task status:
curl --insecure --silent \
     --header "X-API-Version: ${currentVersion}" \
      --header "auth: ${sessionID}" \
      --request GET ${OneView}${CERTURI} | jq -r '.'
#

It always says the certificate is not a valid X.509 certificate.  The API Reference shows the newlines are replaced with '\n' in the certificate uploaded.  If I upload the certificate via the gui, it works.  So, what am I doing wrong?

ChrisLynch
HPE Pro

Re: Upload CA Signed OneView Certificate

As long as you have the base64 value of the certificate in string format, you do replace the EOL with "\n".  Do not forget to include the ending "\n" after the "---END CERTIFICATE---" keyword.

Can you provide an example of the certificate here?  Feel free to replace specific letters to alternate values, or other ways to obscure the text of the body without making it difficult to review the overall format.

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
bradawk1
Trusted Contributor

Re: Upload CA Signed OneView Certificate

Hi Chris,

Those servers are not connected to the Internet.  I'd have to re-type and would most likely make lots of typos anyway.  It is a valid certificate.  If I run:

cat ${SCRT} | openssl x509 -noout -text

I get valid certificate information.  The awk command takes each line, prints it and adds a '\n' at the end.  Since it is a printf function, no automatic line feed is printed.  So, it all winds up on one line with '\n' in place of the line feeds.  The next line (of my code) just adds a '\n' at the beginning.  If I run:

echo ${SCRTN} | wc -l

I get 1 which is what I would expect.  It is one line.

I went back and looked at the Vs 5000 REST API Reference and in the Request Body, base64Data section, it shows the format: -----BEGIN CERTIFICATE----- encoded data here -----END CERTIFICATE-----.  Which to my reading implies no '\n's at all.  So, I tried it that way.  Still get back not a valid X.509 format.

bradawk1
Trusted Contributor

Re: Upload CA Signed OneView Certificate

When I downloaded the current certificate from the appliance, it had a single space every where one would expect a newline (or '\n').  So, I tried uploading in that format, but still got the same error.

bradawk1
Trusted Contributor

Re: Upload CA Signed OneView Certificate

Also, related:  I tested this from four of our OneView appliances.  Downloaded the current server certificate with:

curl --insecure --silent --header "X-API-Version: ${currentVersion}" --header "auth: ${sessionID}" \
   --request GET ${OneView}/rest/certificates/https | jq -r '.base64Data'

and for each one I get two certificates.  One is the one I got signed by our CA.  The other says it is signed by our CA but it has a serial number much shorter than we normally see and the lifetime of the certificate is much longer than we normally get.  Any idea what the second certificate is?  Do I need it?  If not, how do I remove it?  In the gui, how do I see the server certificates downloaded from this REST location?

MV3
HPE Pro

Re: Upload CA Signed OneView Certificate

Hello,

To delete the certificates, below are the steps.

Log into the OneView User Interface (UI).
Select OneView -> Settings.
Scroll under "Security" and click the "Manage Certificates" link.
Delete the unwanted certificate.
Wait for the deletion(s) to be completed.
Close the UI.

We are not sure about the certificate you are talking about. We would suggest you review the certificate and then delete it if it is not required.
Cheers...



I work at HPE
bradawk1
Trusted Contributor

Re: Upload CA Signed OneView Certificate

@MV3  @ChrisLynch  OK, a few things:

  1. My topic is about using the REST API.  I have two related questions.  If the answer to the second one is to use the GUI, then that is fine.
  2. My most pressing issue is in regards to the appliance server certificate.  I'm trying to upload a signed certificate using PUT ${OneView}/rest/certificates/https, but it always tells me that the certificate is invalid when I know it is valid.  I've tried changing all of the new lines to '\n' and ' ' and neither worked.
  3. When pulling the current appliance server certificate using GET ${OneView}/rest/certificates/https I get two certificates.  One is valid, the other looks almost valid, but has some discrepancies.  So, trying to figure out what the second one is?
  4. Two things about the gui path you depicted:
    1. I've never seen the appliance certificate in that path.
    2. It only shows the first 100 certificates.  I'm not sure how to see the rest?
    3. I do see the appliance certificate OneView -> Settings -> Security and scroll down to Appliance certificate.  There I only see the current signed certificate, not two.  So, just trying to figure out what is the second certificate; do I need it?; if not, how to get rid of it?
bradawk1
Trusted Contributor

Re: Upload CA Signed OneView Certificate

@ChrisLynch @MV3 Here is an example certificate.  How would the JSON be formatted to upload it?

{"base64Data":...}
-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----

If I am reading the documentation correctly, it should look like:

{"base64Data":"\n-----BEGIN CERTIFICATE-----\nMIIFEDCCBLagAwIBAgIQD1oKDuqLztsPaAHCwdd2cjAKBggqhkjOPQQDAjBKMQsw\nCQYDVQQGEwJVUzEZMBcGA1UEChMQQ2xvdWRmbGFyZSwgSW5jLjEgMB4GA1UEAxMX\nQ2xvdWRmbGFyZSBJbmMgRUNDIENBLTMwHhcNMjMwODIwMDAwMDAwWhcNMjMxMTE4\nMjM1OTU5WjBqMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQG\nA1UEBxMNU2FuIEZyYW5jaXNjbzEZMBcGA1UEChMQQ2xvdWRmbGFyZSwgSW5jLjET\nMBEGA1UEAxMKbWVkaXVtLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCmN\n6bdL+wPlikrkF3XNe7TLzPwTG5u6EyFABcu8AURgBjWsuL9q7LsrvMY9WDdJTc3O\nJbx13wqyKn6FA0DrLESjggNcMIIDWDAfBgNVHSMEGDAWgBSlzjfq67B1DpRniLRF\n+tkkEIeWHzAdBgNVHQ4EFgQUfJstVdrm+yFLKIDeNkIkp71B/kIwIwYDVR0RBBww\nGoIKbWVkaXVtLmNvbYIMKi5tZWRpdW0uY29tMA4GA1UdDwEB/wQEAwIHgDAdBgNV\nHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwewYDVR0fBHQwcjA3oDWgM4YxaHR0\ncDovL2NybDMuZGlnaWNlcnQuY29tL0Nsb3VkZmxhcmVJbmNFQ0NDQS0zLmNybDA3\noDWgM4YxaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL0Nsb3VkZmxhcmVJbmNFQ0ND\nQS0zLmNybDA+BgNVHSAENzA1MDMGBmeBDAECAjApMCcGCCsGAQUFBwIBFhtodHRw\nOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwdgYIKwYBBQUHAQEEajBoMCQGCCsGAQUF\nBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wQAYIKwYBBQUHMAKGNGh0dHA6\nLy9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9DbG91ZGZsYXJlSW5jRUNDQ0EtMy5jcnQw\nDAYDVR0TAQH/BAIwADCCAX0GCisGAQQB1nkCBAIEggFtBIIBaQFnAHYArfe++nz/\nEMiLnT2cHj4YarRnKV3PsQwkyoWGNOvcgooAAAGKEIHUjgAABAMARzBFAiAJusYm\nusT8WdhtcpIzTxF2V8fTAHUJPO+Ei/qhLMWxDgIhANl8UPWVCnJv4X+9QNMGgYDx\ngLGfrAXwSsXWOB/oj/nRAHQAejKMVNi3LbYg6jjgUh7phBZwMhOFTTvSK8E6V6NS\n61IAAAGKEIHT9AAABAMARTBDAh86EJCJ4tO/3XPee4v2MJTlBj6SB4drOm3k0XWV\nzdxeAiACJ48gSLa/YlNJgynpMjhI+UQTdXY9q7nbLgg77YHfCQB3ALc++yTfnE26\ndfI5xbpY9Gxd/ELPep81xJ4dCYEl7bSZAAABihCB0/IAAAQDAEgwRgIhAPWdvDFG\nVm4rBPPFS5Hy8ozItrQZ8XGwrPIHKkQZ+ID0AiEAnq1e22khS+2dubbMpunr95Hx\n3eeINIJQHANMJ9sFBkcwCgYIKoZIzj0EAwIDSAAwRQIgZBgqdHAa5+TdP+Dq3dBb\nbZul+threyO+SVaKuj5vWlACIQCCca3F+VMJxo44/bUvN3OavgvwAdmQ0GfWuaNz\nIRTi3A==\n-----END CERTIFICATE-----\n"}

but that does not work.  I've tried without the leading and trailing '\n' but that also does not work.

bradawk1
Trusted Contributor
Solution

Re: Upload CA Signed OneView Certificate

I figured it out.  In my original code, I had specified the data portion of the curl command as:

--data '{ "base64Data":"${SCRTN}" }'

when I put that value in a variable and then just sent the variable:

SCRT=<oneview hostname>.cer
# Change the line feeds to '\n':
SCRTN=$(cat ${SCRT} | awk '{ printf "%s\\n", $0 }')
# Add leading '\n':
SCRTN="\\n${SCRTN}"
#
# Double quotes so the shell expands ${SCRTN}; inside single quotes the
# literal text ${SCRTN} would be sent as the certificate.
DATA="{ \"base64Data\":\"${SCRTN}\" }"
#
# Post to the OneView appliance:
CERTURI=$(curl --insecure --silent \
      --header "content-type: application/json" \
      --header "X-API-Version: ${currentVersion}" \
      --header "auth: ${sessionID}" \
      --data "${DATA}" \
      --request PUT ${OneView}/rest/certificates/https | jq -r '.uri')
#
# Check the task status:
curl --insecure --silent \
     --header "X-API-Version: ${currentVersion}" \
      --header "auth: ${sessionID}" \
      --request GET ${OneView}${CERTURI} | jq -r '.'
#

It worked.  Not sure why that would make a difference?
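As an added example (not code from the thread or from HPE), the script below builds the request body for PUT /rest/certificates/https from a PEM file, puts the working double-quoted form next to the single-quoted form that the appliance rejected, and round-trips the body offline to prove the "\n" encoding is reversible. The variable names SCRT, SCRTN and DATA follow the thread; the PEM content is a constructed placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example, not code from the thread: build the JSON body for
# PUT /rest/certificates/https from a PEM file and show why the
# single-quoted --data string in the original script was rejected.
# The PEM below is a constructed placeholder, not a real certificate.

SCRT=$(mktemp)
trap 'rm -f "$SCRT"' EXIT
cat > "$SCRT" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBsamplePlaceholderLineOneNotARealCertificateAAAAAAAAAAAAAAAAAAAAA
MIIBsamplePlaceholderLineTwoNotARealCertificateBBBBBBBBBBBBBBBBBB==
-----END CERTIFICATE-----
EOF

# Replace each line feed with the two characters backslash and n, as the
# API reference shows, and add the leading "\n" used in the thread. awk's
# printf emits no newline of its own, so the result is one line that also
# ends with "\n" after the END CERTIFICATE marker.
pem_to_base64data() {
    printf '%s%s' '\n' "$(awk '{ printf "%s\\n", $0 }' "$1")"
}

# Working form: double quotes let the shell expand ${SCRTN} into the JSON.
build_body() {
    SCRTN=$(pem_to_base64data "$1")
    DATA="{ \"base64Data\":\"${SCRTN}\" }"
    printf '%s' "$DATA"
}

# Failing form from the original post: inside single quotes the shell does
# not expand ${SCRTN}, so those eight characters are sent as the certificate,
# which the appliance reports as "not a valid X.509 certificate".
build_body_broken() {
    SCRTN=$(pem_to_base64data "$1")
    DATA='{ "base64Data":"${SCRTN}" }'
    printf '%s' "$DATA"
}

# Offline check without jq or openssl: pull the value back out of the body,
# turn "\n" into real line feeds with printf '%b', and compare with the file.
# Returns 0 when the round trip reproduces the PEM exactly.
body_roundtrip_ok() {
    value=$(build_body "$1" | sed 's/^{ "base64Data":"//; s/" }$//')
    [ "$(printf '%b' "$value")" = "$(printf '\n%s' "$(cat "$1")")" ]
}
```

The thread's curl call then takes `--data "$(build_body "$SCRT")"` in place of the single-quoted literal.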