HPE Community
Server Management - Remote Server Management
1753316 Members
5251 Online
108792 Solutions
New Discussion

Anyway to change the Subject Alternative Name on iLo SSL Cert Requests?

 
SOLVED
Go to solution
Oscar A. Perez
Honored Contributor

‎03-29-2017 08:26 AM

‎03-29-2017 08:26 AM

Re: Anyway to change the Subject Alternative Name on iLo SSL Cert Requests?

Within the next few weeks, we'll release a new iLO4 firmware that will let users choose if they want to include the iLO IP address(es) in the SAN.




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
Reply
SysAdman
Occasional Visitor

‎02-22-2023 10:29 AM - edited ‎02-22-2023 10:30 AM

‎02-22-2023 10:29 AM - edited ‎02-22-2023 10:30 AM

Re: Anyway to change the Subject Alternative Name on iLo SSL Cert Requests?

This still doesn't explain how to add the shortname to the SAN list when generating a cert. 

I've been playing around with the iLO Powershell cmdlets and as far as I can see the cmdlet only supports the "CN" field using an FQDN.

Is it possible to pass a parameter for the "subjectaltname" field typically used by OpenSSL conf files? 

It looks like the field capabilities don not include the ability to specify the subjectaltname, however, iLO must do this when adding the IP option to the SAN list. 

We want to add the shortname "server-ilo" to the SAN list, along with the FQDN and the IP.

e.g. here's the edited/redacted output of a:

Get-HPEiLOCertificateSigningRequest -Connection $connection -OutputType RawRequest

The Start-HPEiLOCertificateSigningRequest cmdlet doesn't appear to support anything more than the CN field, no subjectaltname option. 

Target: server-ilo.domain.local
URL: https://server-ilo.domain.local/rest/v1/Managers/1/SecurityService/HttpsCert
ContentType: application/json
Response: {"@odata.context":"/redfish/v1/$metadata#Managers/Members/1/SecurityService/HttpsCert$entity","@odata.id":"/redfish/v1/Managers/1/SecurityService/HttpsCert/","@odata.type":"#HpHttpsCert.1.0.0.HpHttpsCert","Actions":{"#HpHttpsCert.GenerateCSR":{"target":"/redfish/v1/Managers/1/SecurityService/HttpsCert/Actions/HpHttpsCert.GenerateCSR/"},"#HpHttpsCert.ImportCertificate":{"target":"/redfish/v1/Managers/1/SecurityService/HttpsCert/Actions/HpHttpsCert.ImportCertificate/"}},"AvailableActions":[{"Action":"GenerateCSR","Capabilities":[{"PropertyName":"City"},{"PropertyName":"CommonName"},{"PropertyName":"Country"},{"PropertyName":"IncludeIP"},{"PropertyName":"OrgName"},{"PropertyName":"OrgUnit"},{"PropertyName":"State"}]},{"Action":"ImportCertificate","Capabilities":[{"PropertyName":"Certificate"}]}],"CertificateSigningRequest":null,"Id":"HttpsCert","Type":"HpHttpsCert.1.0.0","X509CertificateInformation":{"Issuer":"C = GB, O = XXXXX, OU = XXXXXX, CN = XXXXXX","SerialNumber":"XXXXX","Subject":"C = XX, ST = XX, L = XX, O = XX, OU = XX, CN = server-ilo.domain.local","ValidNotAfter":"2026-01-23T10:05:05Z","ValidNotBefore":"2023-01-24T10:05:05Z"},"links":{"self":{"href":"/rest/v1/Managers/1/SecurityService/HttpsCert"}}}

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.