
How to enroll SSL certificate from HPE IT authority for HPE MSA product

 
SOLVED
emily-2012
Occasional Advisor

How to enroll SSL certificate from HPE IT authority for HPE MSA product

Hi,

Our HPE MSA arrays (2050 & 2060) are all working in the HPE network environment. I want to request an SSL cert from HPE IT instead of Microsoft. Does anyone know the procedure?

We usually request private SSL certs from this HPE link: https://p1lg101029.legacy.iam.hpecorp.net/hp/client/sslPrivateEnroll.php

But for the MSA I tried to generate the CSR, whose format is different from the others, and the above link doesn't accept it. I also tried to use openssl to generate the CSR, but the MSA doesn't have this command at all. I am wondering how the MSA's web server works. Does it use Apache also?

Thanks in advance

Regards.

support_s
System Recommended

Query: How to enroll SSL certificate from HPE IT authority for HPE MSA product

System recommended content:

1. HPE MSA 1050/2050 CLI Reference Guide

2. HPE MSA 2050 User Guide


Sahana_S
HPE Pro

Re: How to enroll SSL certificate from HPE IT authority for HPE MSA product

Hello @emily-2012 ,

Please refer to this link for creating and importing the certificate signing request, this might help you.

 

Regards, 
Sahana S



I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
emily-2012
Occasional Advisor

Re: How to enroll SSL certificate from HPE IT authority for HPE MSA product

@Sahana_S 

Thanks Sahana,

For MSA 2050 and MSA 2060, I didn't find the place that can generate a CSR and import a CA in the GUI.

Instead I can use the CLI to create a CSR. But the CSR format is different from the HPE IT required cert.

This is the problem I can get SSL cert from HPE SSL certification.

emily-2012
Occasional Advisor

Re: Query: How to enroll SSL certificate from HPE IT authority for HPE MSA product

Thanks for your reply.

I can use the CLI to create a CSR. But the CSR format is different from the one HPE IT requires, as below:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

The CSR I generated on the MSA is as below. The format is totally different from the web page for our usual servers. Maybe there is another HPE IT place to request certs for storage?

> show Certificate

Certificate Status
------------------
Controller: A
Certificate Status: Customer-supplied
Time Created: 2024-11-06 16:25:17
Certificate Text: Certificate:
Data:
Version: 1 (0x0)
Serial Number:
40:1c:60:e3:30:cf:8c:1c:54:94:8e:e5:b5:ef:d4:c2:0b:73:b4:7c
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=TW, ST=TaiPei, L=TaiPei, O=HPE, CN=TPE-MSA-01
Validity
Not Before: Nov 6 16:25:17 2024 GMT
Not After : Nov 4 16:25:17 2034 GMT
Subject: C=TW, ST=xxxx, L=xxx, O=HPE, CN=TPE-MSA-01
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption

 

JSH-MSA
HPE Pro
Solution

Re: Query: How to enroll SSL certificate from HPE IT authority for HPE MSA product

To create the CSR on the array, use the "create certificate-signing-request" CLI command, and for the subject, specify only the fully qualified domain name (FQDN) for the common name (CN), for example: 

create certificate-signing-request subject /CN=mysystem.americas.hpecorp.net

No other fields are allowed in the subject specification, and the domain must be an HPE-owned domain; click on the CSR guidelines link for more information.

Here's an example:

# create certificate-signing-request subject /CN=Phoenix-B.americas.hpqcorp.net
Management Controller is refreshing stale data. Please wait...
Waiting for system to finish computing health...
------------
Controller B
------------
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

Info: Security certificate signing request created for controller B. (2025-02-05 11:42:11)

Success: Command completed successfully. (2025-02-05 11:42:11)
#

Then cut and paste from the BEGIN CERTIFICATE REQUEST to the END CERTIFICATE REQUEST lines, inclusive, into a file and upload it and the root CA certificate into the array. I don't know where to obtain the root CA certificate for Hewlett Packard Enterprise Private SSL CA to load to the array to validate the array certificate just created and signed.

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
emily-2012
Occasional Advisor

Re: Query: How to enroll SSL certificate from HPE IT authority for HPE MSA product

Hi @JSH-MSA ,

I tried this command on both the MSA 2050 and 2060 module; it works on the 2060 only. It's not a recognized command in the MSA 2050 CLI.

Does that mean only the MSA 2060 and above support this feature? Is there any solution for older MSAs?

HPE MSA Storage MSA 2050 SAN
Version: VL270P008
# create certificate-signing-request
Error: The command was not recognized. (2025-02-06 09:58:03)

The only recognized command is #create certificate, but the output certificate format is totally different.

Thanks in advance

JSH-MSA
HPE Pro

Re: Query: How to enroll SSL certificate from HPE IT authority for HPE MSA product

Sorry, missed the MSA 2050. You are correct, only the MSA 2060 and MSA 2070 support the create certificate-signing-request command. For the MSA 2050, create the private key and CSR using openssl on a Linux system:

$ openssl genrsa -out MSA-Array.key 2048

$ openssl req -new -key MSA-Array.key -out MSA-Array.csr -subj "/CN=MSA-Array.hpqcorp.net"

Remember, the signing service wants only the CN in the subject. Once the CSR is signed into a certificate, upload it and the key used in creating the CSR into the array via SFTP. 

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
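
Added example, not part of the original post and not HPE tooling: a shell helper that creates the off-box key and CN-only CSR as described in the reply above, then checks the file before it is submitted. It tells a CSR apart from a certificate by its PEM label, confirms the CSR's self-signature, and confirms the subject holds nothing but the CN. The function names and the 077 umask on the key file are choices made for this example.

```shell
#!/bin/sh
# Added example: create a CN-only CSR on a Linux box and lint it before submitting.
# Function names are hypothetical; only standard openssl subcommands are used.

# make_csr <fqdn> <key-out> <csr-out>: 2048-bit RSA key plus a CN-only CSR.
# The key is written under umask 077 so only the owner can read it.
make_csr() {
    ( umask 077 && openssl genrsa -out "$2" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$2" -out "$3" -subj "/CN=$1"
}

# pem_kind <file>: label of the first PEM block, e.g. "CERTIFICATE REQUEST"
# for a CSR or "CERTIFICATE" for an issued or self-signed certificate.
pem_kind() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# csr_subject <csr>: subject in RFC 2253 form, e.g. "CN=host.example".
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# lint_csr <csr> <fqdn>: 0 only if the file is a CSR, its self-signature
# verifies, and the subject is exactly CN=<fqdn> with no other fields.
lint_csr() {
    [ "$(pem_kind "$1")" = "CERTIFICATE REQUEST" ] || { echo "not a CSR" >&2; return 1; }
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK" \
        || { echo "CSR signature does not verify" >&2; return 1; }
    [ "$(csr_subject "$1")" = "CN=$2" ] || { echo "subject is not CN-only" >&2; return 1; }
}

# Usage: sh csr-lint.sh <fqdn>   (writes <fqdn>.key and <fqdn>.csr)
if [ "$#" -eq 1 ]; then
    make_csr "$1" "$1.key" "$1.csr" && lint_csr "$1.csr" "$1" && echo "CSR ok: $1.csr"
fi
```

The grep on "verify OK" is used instead of the exit status because older OpenSSL releases exit 0 from req -verify even when the signature check fails.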
emily-2012
Occasional Advisor

Re: Query: How to enroll SSL certificate from HPE IT authority for HPE MSA product

Hi @JSH-MSA ,

Thanks for the reply. I have created 2 files on one Linux box.

For the MSA 2050, do we need the root CA and intermediate CA for the MSA SSL cert?

After I have the 2 files (key file and crt file from HPE IT), where should I put these files in the MSA and how do I make them take effect? Just restart mc? I have this problem on the 2060 also.

Thank you!

 

JSH-MSA
HPE Pro

Re: Query: How to enroll SSL certificate from HPE IT authority for HPE MSA product

Hi  emily-2012 

The MSA 2050 does not validate the certificate uploaded using a certificate authority, so it doesn't need the root or intermediate CA SSL certificates. 

For the MSA 2050, load the certificate and key via SFTP via the commands "put <certificate-file-name> cert-file" and "put <key-file-name> cert-key-file" then restart the management controller to have the new security certificate take effect. 

For the MSA 2060, you'll need to obtain the root and any intermediate CA certificates involved (it does not have a supply of trusted CAs to use to validate the device certificate), then install the root CA, intermediate CAs, and device certificate using the SFTP commands "put <certificate-file-name> cert-file:trust" for the root and intermediate CAs, and "put <certificate-file-name> cert-file:usr" for the device certificate. I'd do this in that order - root CA cert first, followed by the chain of intermediate CA certs, ending with the device cert. The array will use the trust certificates to validate the device certificate. After, verify the certificate by logging into the array and use the "show certificates" CLI command and ensure that WEB service is checked for the certificate named "usr_cert_<a|b>". Then use the "restart mc full" CLI command to restart the management controller completely.

Each management controller of both the MSA 2050 and MSA 2060 keeps its own trust store certificates, device certificates and keys, so perform all the steps on each controller, uploading the CAs, certificates, and keys and restarting the management controller on one before moving to the next.

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
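
Added example, not part of the original post and not HPE tooling: checks to run on the Linux box before the SFTP upload described above. With two arguments it covers the MSA 2050 case, where the array does not validate what it is given, by confirming the signed certificate belongs to the key being uploaded; with four it also verifies the root, intermediate, device chain the MSA 2060 will check. Function names, file names and the 30-day expiry margin are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-upload checks for the signed device certificate.
# Nothing here talks to the array; all names are hypothetical.

# cert_matches_key <cert.pem> <key.pem>: 0 if the certificate carries the
# public half of the private key (compares the SubjectPublicKeyInfo PEM text).
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# chain_ok <root.pem> <intermediates.pem> <device.pem>: 0 if the device
# certificate chains to the given root through the given intermediates.
# -no-CApath keeps the system trust directory out of the decision, so only
# the CA certificates that will be loaded as trust certificates count.
chain_ok() {
    openssl verify -no-CApath -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# valid_for_days <cert.pem> <days>: 0 if the certificate is still valid then.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# preflight <device.pem> <key.pem> [<root.pem> <intermediates.pem>]
preflight() {
    cert_matches_key "$1" "$2" \
        || { echo "FAIL: certificate does not match key" >&2; return 1; }
    valid_for_days "$1" 30 \
        || { echo "FAIL: certificate expires within 30 days" >&2; return 1; }
    if [ "$#" -ge 4 ]; then
        chain_ok "$3" "$4" "$1" \
            || { echo "FAIL: chain does not verify" >&2; return 1; }
    fi
    echo "OK: checks passed for $1"
}
```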
emily-2012
Occasional Advisor

Re: Query: How to enroll SSL certificate from HPE IT authority for HPE MSA product

Hi JSH-MSA,

I tried to upload files to the 2050 by sftp, but encountered the "permission denied" error below. I changed the owner of all files to root:root with maximum privilege, but it is still the same.

sftp> put MSA*
Uploading MSA-Array1.crt to /MSA-Array1.crt
remote open("/MSA-Array1.crt"): Permission denied

Then I tried ftp, but still failed with write protected. Does that mean I need to do something in MSA?

ftp> put MSA*
local: MSA-Array1.crt remote: MSA-Array1.crt
227 Entering Passive Mode (xx.xx.xx.xx,114)
553 Unable to create file MSA-Array1.crt (write protected)
ftp> pwd
257 "/" is your current location

 

Thanks in advance.

 

 

emily-2012
Occasional Advisor

Re: Query: How to enroll SSL certificate from HPE IT authority for HPE MSA product

Hi JSH-MSA,

Please ignore my previous issue, I think I didn't specify cert-file when sending files to the MSA by sftp or ftp.

Now everything looks fine. I have completed the SSL cert implementation on both 2050 and 2060 successfully.

Thanks for your help. Saved me a lot of time.

Regards.