Importing SSL Certificate AND Private Key?

alexs77 · ‎01-30-2017

Hello

We'd like to install proper (ie. signed by a normal CA) SSL certificates on our iLO 2, iLO 3 and iLO 4 systems. As there's a larger number of systems, we'd like to install a wildcard certificate, eg. *.ilo.company.fyi.

To do so, we'd also need to import the SSL private key on the iLO systems. How can I do that? The web interface just talks about importing a certificate and probably assumes, that the key is generated on the system when clicking "Create Certificate Request".

Any ideas?

Thanks a lot,

Alexander

Jimmy Vance · ‎01-30-2017

If you follow this link you should see iLO documentation. Look at theuser guide and the security brief for information about creating and importing SSL certificates

http://h17007.www1.hpe.com/us/en/enterprise/servers/solutions/info-library/index.aspx?cat=HP_iLO_4#.WI9WsU0zXDB

No support by private messages. Please ask the forum!

alexs77 · ‎01-30-2017

Hello Jimmy

Hm, neither in the Security Technology Brief nor in the User Guide, I can find information on how I can import a key.

Can you please be more specific?

Thanks,

Alexander

Jimmy Vance · ‎01-30-2017

The information starts on page 74 of the users guide and page 20 of the technology brief

No support by private messages. Please ask the forum!

alexs77 · ‎01-30-2017

Hi

Pardon, but where on page 20 of the brief does the documentation discuss how a private key can be imported? I'm just not finding it.

Again, could you be so kind and be even more specific?

Thanks
Alexander

alexs77 · ‎01-30-2017

hello again

I've just re-read pages 74-77 of the user guide, and I really don't find anything there, which relates to my specific question.

Can you please help?

Thanks a lot

Alexander

Jimmy Vance · ‎01-30-2017

What I've pointed you to is how certificates can be installed in iLO. I don't think there is a way to install a private key.

No support by private messages. Please ask the forum!

alexs77 · ‎01-30-2017

Hello

Ah, okay. But honestly, that was a tremendously complicated way of saying "I don't know" and/or "HPE equipment doesn't support customers who need this functionality", don't you think? :-)

All this RTFM, for nothing ;-)

Regards
Alexander

Jimmy Vance · ‎01-30-2017

Sorry, I quickly glanced at your original message and thought you were asking how to import a certificate as that question comes up often.

No support by private messages. Please ask the forum!

Dennis Handly · ‎01-30-2017

Importing a private key isn't secure. Usually you generate a CSR and get it signed and then import that.

alexs77 · ‎01-30-2017

@Jimmy Vance wrote:
Sorry, I quickly glanced at your original message and thought you were asking how to import a certificate as that question comes up often.

Yeah, I somehow had the impression, that hadn't fully read my original post :)

Cheers,

Alexander

alexs77 · ‎01-30-2017

@Dennis Handly wrote:
Importing a private key isn't secure. Usually you generate a CSR and get it signed and then import that.

Uh? Why shouldn't it be secure? Usually, for all the web-, mail- and whatnot-servers, we generate CSRs on trusted systems (or on the system itself) and then install the certificate + key + intermediate cert(s) on the target system(s).

I'd really like to know,why you think, that this is NOT secure.

Could you please expand on that?

Thanks a lot,

Alexander

Dennis Handly · ‎02-04-2017

>Why shouldn't it be secure? ... and then install the certificate + key + intermediate cert(s) on the target system(s).

Because the key leaves one host and is installed in another. Someone could hijack it. And all your systems have the same key.

I deal with secure devices and it is a big selling point (FIPS requirement) to say that the key NEVER leaves the device.

jwilczek · ‎03-21-2018

I have an identical problem - did you solve yours?
I have a * .domain.com certificate and would like to upload it to ILO4

--
Jacek

dmemenza · ‎06-04-2018

Hi,

I know this is a pretty old thread, but I need help with this exact process (importing certificates to iLO). I need to do this for multiple iLO devices at a time. I've been working on the "Generating CSR" script that comes packaged with HPE's iLO Powershell package and got it pretty much completed. Next steps are to import the signed certs (3rd party) into each iLO device. Any suggestions/recommendations on how to do that, would certainly be very much helpful. Appreciate the help in advance.

Thanks,

- DM

GokulKS · ‎06-05-2018

Hi,

Definately its possible with PS cmdlets of iLO.

Below are the complete steps for generate and import of certificates :

Four steps are involved in this use-case:

1)Generate the certificate – Start-HPEiLOCertificateSigningRequest

2)Get the certificate – Get-HPEiLOCertificateSigningRequest

3)Sign the CSR using any third-party CA – No cmdlet as its done by third-party

4) Import the certificate - Import-HPEiLOCertificate

And below is the example of how importing of certificate can be done.

PS C:\> $cert = @"
-----BEGIN CERTIFICATE-----
ASampleCertificateAAALftnNE12JR8T8XQqyzqc1tt6FLFRXLRM5PJpOf/IG4hN45
pNdJAhTC8O2505PzkGLf5qhrbDnusclCvoH7DuxyHjeOUVxbC5wFQBcGF4VnpYZ8nGQ
Gt9TQ0iUV+NRwn4CR5ESoi63zTJIvKIYZDT2ISeXhF2iU6txjZzdeEm7vQz3slaY3dg
AAAIAQ46i6FBzJAYXziF/qmWMt4y6SlylOQDAsxPKk7rpxegv8RlTeon/aeL7ojb9GQ
2xnEN5gobaNZxKz2d4/jwg3+qgTDT6V1G+b7+nEI/XHIc717/7oqgiOv4VE3WxN+HE9
JWsv2jwUpAzRGqJOoojRG/CCru0K+jgTOf/di1o0sw
-----END CERTIFICATE-----
"@

PS C:\> $connection = Connect-HPEiLO 10.20.30.40,10.20.30.41 -Username admin -Password admin123

PS C:\> Import-HPEiLOCertificate -Connection $connection -Certificate $cert

I am a HPE Employee

PhS- · ‎06-07-2018

GokuIKS, I like your instructions ... have you actually tested it ? with HPEiLOCmdlets 2.0.0.0 ? And a bit of customization (like City, State, Country, Organization etc ) ?

Because our finding is that :

Start-HPEiLOCertificateSigningRequest

does not use the value of ‘-City', regardless of how you specify it. Should place it into '<CSR_Locality>' inside the XML it sends, but there's no such field in the raw request being sent.

Get-HPEiLOCertificateSigningRequest

resubmits new CSR generation with default parameters. It does not simply retrieve the previously generated CSR (with parameters specified by 'Start-HPEiLOCertificateSigningRequest').

So I am curious who's really testing these PowerShell cmdlet ?

GokulKS · ‎06-10-2018

Hi,

As I mentioned in other posts both of them are bugs and we are working towards fixing it.

This issue happens only on Gen8\9 systems but Gen10 works as expected.

Thanks,

Gokul

I am a HPE Employee

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Importing SSL Certificate AND Private Key?

Importing SSL Certificate AND Private Key?

Re: Importing SSL Certificate AND Private Key?

Re: Importing SSL Certificate AND Private Key?

Re: Importing SSL Certificate AND Private Key?

Re: Importing SSL Certificate AND Private Key?

Re: Importing SSL Certificate AND Private Key?

Re: Importing SSL Certificate AND Private Key?

Re: Importing SSL Certificate AND Private Key?

Re: Importing SSL Certificate AND Private Key?

Re: Importing SSL Certificate AND Private Key?

Re: Importing SSL Certificate AND Private Key?

Importing a private key isn't secure? (was: Importing SSL Certificate AND Private Key?)

Re: Importing a private key isn't secure? (was: Importing SSL Certificate AND Private Key?)

Re: Importing a private key isn't secure? (was: Importing SSL Certificate AND Private Key?)

Re: Importing SSL Certificate AND Private Key?

Re: Importing SSL Certificate AND Private Key?

Re: Importing SSL Certificate AND Private Key?

Re: Importing SSL Certificate AND Private Key?