HPE Community
Server Management - Remote Server Management
1820271 Members
3426 Online
109622 Solutions
New Discussion

iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own CA?

 
ay_jay
Advisor

‎02-04-2020 09:05 AM

‎02-04-2020 09:05 AM

iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own CA?

I see the option to generate a CSR, and another to import a certificate, but we have our own trusted CA who generate certificates and we typically create certificate bundles with the root and intermediate.  We need to add certificates to our iLO 5 hosts and the certs with their respective keys have already been generated.  How do I upload them to iLO?  Is there a step by step guide for this, and will this be disreuptive to the server/ESXi traffic?

2 people had this problem.
0 Kudos
Reply
17 REPLIES 17
Torsten.
Acclaimed Contributor

‎02-04-2020 10:30 AM

‎02-04-2020 10:30 AM

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

ILO user guide has all the steps.

 

Importing a trusted certificate
Prerequisites
Configure iLO Settings privilege
Procedure
1. Click Security in the navigation tree, and then click the SSL Certificate tab.
2. Click Customize Certificate.
3. Click Import Certificate.
4. In the Import Certificate window, paste the certificate into the text box, and then click Import.
iLO prompts you to confirm the request and reset iLO.
5. Click Yes, apply and reset.
iLO imports the certificate, and then resets


Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!   
0 Kudos
Reply
auscop
Occasional Visitor

‎09-27-2020 06:45 PM

‎09-27-2020 06:45 PM

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

This does not answer the OP question. He is asking can an already generated key be uploaded. So the private key would need to be replaced as well so it matches the public key. I have the same issue, I have over 1000 iLO4 and iLO5 interfaces. I have a wildcard certificate generated from our CA. I need to be able to upload it plus the matchng private key in to iLO. It is not practical to have to manually generate over 1000 CSRs, and have them submitted to our CA to create over 1000 different public keys. Can this be done?

Reply
Grimy
Occasional Visitor

‎10-29-2020 04:39 PM

‎10-29-2020 04:39 PM

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

Hi mate, any luck with this?

I attempted to paste in a combined -----BEGIN PRIVATE KEY----------BEGIN CERTIFICATE----- via the gui but no deal.  About to try the commandline route....I've got aboutttt 550 servers to sort

0 Kudos
Reply
auscop
Occasional Visitor

‎10-29-2020 05:47 PM

‎10-29-2020 05:47 PM

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

Sorry Mate, no luck. Have have not tried much after I posted. By what I can tell it is not possible without some type of hackery. I don't see anyway to access the private key in the normal manner. Using ssh straight to the iLO I looked everywhere for a private key and couldn't find it. Even if it was viewable then I would not know how to write over it.  I have tried messing with hponcfg and hpilo_cli tools and neither will accept private key as a variable.  My guess the lack of response from HP to my post means they don't want to admit it is not possible at the moment. Why developers would think we would be happy to create 100's or 1000's of separate private/public key pairs makes zero sense. And given all my servers have zero internet access doesn't help. 

0 Kudos
Reply
SanjeevGoyal
HPE Pro

‎11-03-2020 11:48 PM - last edited on ‎07-12-2023 08:03 AM by

‎11-03-2020 11:48 PM - last edited on ‎07-12-2023 08:03 AM by

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

Hello,

You can refer user guide as well : https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00105236en_us 

Symptom

User authentication fails when iLO is configured to use Active Directory.

 Cause

There is a certificate problem:

  • An SSL certificate is not installed on the Active Directory server.
  • An old SSL certificate on the Active Directory server points to a previously trusted CA with the same

name as the CA in the current certificate. This situation might happen if a certificate service is added

and removed, and then added again.

You can verify this cause by checking the SSL Connection test results on the Directory Tests page.

 Action

  1. Open the MMC.
  2. Add the certificates snap-in.
  3. When prompted, select Computer Account for the type of certificates you want to view.
  4. To return to the Certificates snap-in, click OK.
  5. Select the Personal > Certificates folder.
  6. Right-click the folder and select Request New Certificate.
  7. Verify that the Type is domain controller, and click Next until a certificate is issued.

Connect using SSL test reports a failure

Symptom

The Connect using SSL test reports the status Failed.

Cause

The SSL handshake and negotiation between iLO and the directory server were unsuccessful.

Action

  • Enable the directory server for SSL negotiations.
  • If you are using Microsoft Active Directory, verify that Active Directory Certificate Services is installed.

Please feel free to contact me if you have any further questions or concerns.

If you feel this was helpful please click the KUDOS! thumb below!   

Regards,

[Moderator edit: Updated the broken link.]


I am a HPE Employee.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]

Accept or Kudo
0 Kudos
Reply
scottwichall
Occasional Visitor

‎11-17-2020 07:38 AM

‎11-17-2020 07:38 AM

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

This post is completely irrelevant.

We wish to know how to upload our own certificates and private keys to iLo so we dont have to generate potentially thousands of certificate requests (for those with big estates)

Funny how your biggest competitor can manage this with a 3 simple RACADM commands isn't it.

0 Kudos
Reply
Grimy
Occasional Visitor

‎11-17-2020 03:40 PM

‎11-17-2020 03:40 PM

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

True that  

0 Kudos
Reply
Tono11
Occasional Visitor

‎04-14-2021 08:58 AM

‎04-14-2021 08:58 AM

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

As appointed, completly unuseful answer.

I have the same problem. I cannot generate the certificate from a crt made in the ILO server. I need change the certificate AND de private key. My company doesn't give me a certificate if I don't generate the private key myself.

Please let us know how to change the private key AND the certificate.

0 Kudos
Reply
Adis_S
Advisor

‎04-16-2021 01:51 AM

‎04-16-2021 01:51 AM

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

As far I know, it is not possible to upload Private Key to iLO5 (or older). We have an two feature requests ongoing, one for this issue, and one for CSR request over iLO or PowerShell iLO cmdlets to add EMail Attribute. If more ppl requests this over their HPE Contacts, maybe this would be implemented in future.

Also some information which we find as wrong in Documentation and are now fixed:
* iLO4 have the limit of 3k for Certificates  3k Limit <- not posible to extend because of Hardware limitation
* iLO5 have 16k limit for Certificate <- so here could be posible to store private key and certificate to.

 

As workaround to your problem, you could use PowerShell and iLO cmdlets to do bulk CRS requests and then also to automate sending to internal CA for signing with certreq.exe and also for retrieve.

0 Kudos
Reply
EliteX2Owner
Advisor

‎04-16-2021 06:18 AM

‎04-16-2021 06:18 AM

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

Yep just a +1 here.  We've recently begun to deploy HPE boxes in scenarios where we need high clock rate chips our normal Cisco UCS doesn't have.  We then of course ran smack into this issue when trying to determine how to deploy our public CA-issued wildcard cert that we use for infrastructure.  Since we use public CA certs, AND these systems do not have internet connectivity, we're faced with the choice of what will be an absolute nightmare trying to order/issue/install a unique paid (i.e. $$) cert on every single server vs just pushing our wildcard in, or, downgrade the security on our management systems by instructing them to not validate certs.  No, we don't use an internal Windows CA, we have no Windows in our environment, nor do we want to deploy a private CA and then worry about getting every other internal system to trust it.

0 Kudos
Reply
Tono11
Occasional Visitor

‎04-20-2021 02:09 AM

‎04-20-2021 02:09 AM

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

Well, in my case we have 2 options:

1.- Create ourselves the private key and generate the certificate request. The company CA process it and give us the certificate.

2. We make the crs with the following constrains:

  1. Make a local copy of openssl.cnf and append the following lines to it:
    [req]
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = host1.mycompany.com
  2. Run this command:
    openssl req -new -subj "/CN=host1.mycompany.com" -out newcsr.csr -nodes -sha512 -newkey rsa:2048 -config openssl.cnf

The newcsr.csr file will contain the certificate request. We can upload the file or paste its contents in the textbox provided by our CA, including the header (---BEGIN CERTIFICATE REQUEST---) and the corresponding footer (---END CERTIFICATE REQUEST---). and they deliver the certificate.

 

The problem is that I cannot generate "exactly" like that in the ILO interface. When I try to left emply all the fields except the CN, ILO doens't let me go further because all the Country, State, etc. fields are emply.

If I fullfill all this information, the CA complains with: "The subject in the certificate signing request must only contain a CN" ...

Well.. completly blocked...

 

Regards.

0 Kudos
Reply
gherardini
Occasional Visitor

‎05-20-2021 02:32 PM

‎05-20-2021 02:32 PM

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by your own

We attempted to upload out own custom certs directly into the iLO..... no luck. we had to create the iLO's own cert request, (FQDN & IP Address) (*.csr) upload into the system generating our custom cert, then take that *.cer and copy and paste the -----BEGIN CERTIFICATE REQUEST-----    to -----END CERTIFICATE REQUEST-----.

Our certificate generation did strip away all the company data and insert its own. When the iLO imported the cert it properly displayed all the correct data for our organization entries.

0 Kudos
Reply
mmad
Occasional Visitor

‎08-09-2021 04:51 AM

‎08-09-2021 04:51 AM

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by

In ILO 5 I did select Security -> SSL Certificate -> Customize Certificate -> here I did fill the form according to my company details afterwards -> Generate CSR

The trick did this instructions: https://phdops.kblin.org/hp-ilo-ssl-cert.html

This worked perfectly fine for me.

0 Kudos
Reply
Xavier Walker
Advisor

‎10-21-2021 07:30 AM

‎10-21-2021 07:30 AM

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by

+100000

We really need to have a way of providing our own private keys and not having to manually create CSRs for every ILO.

It's also an issue when internal CAs don't normally provide certificates via CSR and provide directly a private key + certificate. I'm currently in this position so cannot actually install any certificate that's provided/approved by my internal CA.

Reply
GrahamCranstoun
Occasional Visitor

‎11-09-2022 03:56 AM

‎11-09-2022 03:56 AM

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by

Hi

Did anyone get to the final answer on this to whetehr or not you can import a wilcard cert into the iLO.

Currently I am on iLO5 (Version 2.72)

Apologies if I have missed the answer to this.

Thanks in advance

G

0 Kudos
Reply
EliteX2Owner
Advisor

‎11-09-2022 04:38 AM - edited ‎11-09-2022 04:38 AM

‎11-09-2022 04:38 AM - edited ‎11-09-2022 04:38 AM

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by

You can't import any key/cert combo, let alone a wildcard.  It sucks.

0 Kudos
Reply
Adis_S
Advisor

‎01-31-2023 11:29 PM

‎01-31-2023 11:29 PM

Re: iLO 5 Custom SSL Certificate - Is it possible to load certificate and key generated by

it should be posible with new iLO 5 2.78 (December 2022) via Redfish

iLO 5 Redfish API Reference document (hewlettpackard.github.io)

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.