Server Management - Remote Server Management

Add SAN and ignore IPv6 to Start-HPEiLOCertificateSigningRequest

 
Advisor


1) Would it be possible to add a SAN parameter to Start-HPEiLOCertificateSigningRequest? On most Microsoft CAs, "EDITF_ATTRIBUTESUBJECTALTNAME2" is disabled because of (1), thus it would be better to include this in the certificate request itself. From (1): "All certificate subject information (including SAN) should be included in the original certificate request"

2) Can there also be a parameter to exclude IPv6 from the original certificate request?

I am using HPEiLOCmdlets 2.1.0.0 and have iLO4 v2.61, and I am doing the request with this line:

 

Start-HPEiLOCertificateSigningRequest -Connection $connection -City City -CommonName $srvILO -IncludeiLOIP -Country Country -Organization "Organization" -State "State" -OrganizationalUnit IT

 

In (2) it is written: "Whenever possible, specify a SAN by using certificate extensions instead of request attributes to avoid enabling EDITF_ATTRIBUTESUBJECTALTNAME2."
How could this be done by using HPEiLOCmdlets?

The reason for this request is that IE 11 (Edge maybe too?) does not trust iLO if accessed over IP, even if it is included in the certificate. It seems dns=ipaddress needs to be added as a SAN so that IE 11 can trust it.

DNS Name=esx01-ilo.server.local
IP Address=1XX.XX.XX.XXX
IP Address=fe80:0000:0000:0000:XXXX:XXXX:XXXX:XXXX

 

Edit #1: Also, it is a problem that you actually cannot import a private key and then the certificate, so there is no way to create a request somewhere else which includes all the SANs needed.


(1) https://blog.keyfactor.com/hidden-dangers-certificate-subject-alternative-names-sans

* Any custom SAN entries are only supposed to be used on the other Corporate Web Server certificates, but because the EDITF_ATTRIBUTESUBJECTALTNAME2 setting applies to the entire CA, all templates on that CA are affected, and all templates and all resulting certificates are at risk from impersonation attacks.

(2) https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff625722(v%3dws.10)

* Security best practices for allowing SANs in certificates
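
A check for the CA-side setting that references (1) and (2) warn about, as an added example that is not part of the original post or of HPEiLOCmdlets: it reports whether each policy module on a Microsoft CA has EDITF_ATTRIBUTESUBJECTALTNAME2 set. The function names are hypothetical, the registry path is the standard AD CS configuration location, and the two sample EditFlags values are constructed.

```powershell
# Added example. Run on the CA server; reading HKLM needs no changes to the CA.
# Bit value of EDITF_ATTRIBUTESUBJECTALTNAME2 inside the policy module's EditFlags.
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000

function Test-SanAttributeFlag {
    # True when the EditFlags value lets requesters supply a SAN as a request attribute.
    param([Parameter(Mandatory)][int64]$EditFlags)
    return (($EditFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0)
}

function Get-CaSanAttributePolicy {
    # Reads EditFlags for every CA and every policy module configured on this host.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path $root)) { return }              # AD CS is not installed here
    foreach ($ca in Get-ChildItem -Path $root) {
        $modules = Join-Path $ca.PSPath 'PolicyModules'
        if (-not (Test-Path $modules)) { continue }
        foreach ($module in Get-ChildItem -Path $modules) {
            $prop  = Get-ItemProperty -Path $module.PSPath -Name EditFlags -ErrorAction SilentlyContinue
            $flags = $prop.EditFlags
            if ($null -eq $flags) { continue }          # module without an EditFlags value
            [pscustomobject]@{
                CA                  = $ca.PSChildName
                PolicyModule        = $module.PSChildName
                EditFlags           = '0x{0:X8}' -f $flags
                SanFromAttributesOn = Test-SanAttributeFlag -EditFlags $flags
            }
        }
    }
}

# Constructed sample values (not read from any real CA) to show the bit test offline:
# the first has the flag clear, the second has it set.
foreach ($sample in 0x0011014E, 0x0015014E) {
    '{0} -> SAN accepted from request attributes: {1}' -f ('0x{0:X8}' -f $sample),
        (Test-SanAttributeFlag -EditFlags $sample)
}

# Live check on this host; prints nothing when no CA is configured here.
Get-CaSanAttributePolicy | Format-Table -AutoSize
```

A row with SanFromAttributesOn = True means every template on that CA accepts requester-supplied SANs; `certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2` followed by a restart of the CertSvc service clears the flag.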

 

HPE Pro

Re: Add SAN and ignore IPv6 to Start-HPEiLOCertificateSigningRequest

Advisor

Re: Add SAN and ignore IPv6 to Start-HPEiLOCertificateSigningRequest

@NareshISS

I am not sure why you posted the links, which do not have anything to do with Certificate Signing Request. Just posting something to have a higher post count is not very helpful.

 

HPE Pro

Re: Add SAN and ignore IPv6 to Start-HPEiLOCertificateSigningRequest

Hi,

Currently iLO4/5 does not provide any option to add SAN or ignore IPv6 in either iLO Web GUI or Redfish interfaces.

You need to raise a change request with iLO team. 

Thanks,

Gokul


I am a HPE Employee

HPE Pro

Re: Add SAN and ignore IPv6 to Start-HPEiLOCertificateSigningRequest

Hello,

Please log an HPE case and share the actual images of the issue and the AHS report.

 

Regards,

Naresh Sharma


I am an HPE Employee.

Advisor

Re: Add SAN and ignore IPv6 to Start-HPEiLOCertificateSigningRequest

HPE sees this not as an issue but as an enhancement request.

Sure, I did provide HPE Support with all logs and images of the issue.