Jump to content
RESET Forums (homeservershow.com)

HP iLO & SSL Certificate Import


evakq8r
 Share

Recommended Posts

Hello,

 

I've recently purchased an SSL certificate I'd like to use to import into iLO, but having a hard time getting iLO to accept it. Keeps erroring for:

 

Error: The Certificate could not be imported from the supplied X.509 Certificate data.
 
Verify the following: 
- The input text was base64-encoded X.509 certificate data.
- The provided certificate data was intended for this server (not another server).
 
My iLO is currently the latest available AFAIK (iLO4 v2.50 | 23 Sept 2016 - Installed off the latest SPP)
 
I know the certificate works as I've used the same one in a different application (for testing purposes) with no issues. I've tried importing it from a .pem, .p7b, .pfx, .crt and .cer format (all in X.509 format), no dice.
 
Googling the issue came up with several hit and miss articles indicating iLO doesn't appear to accept a cert either over a certain size or that is 2048 bits in length (for iLO 1 & 2). Given 2048 bit cert/keys are/should be the norm these days (higher the better, obviously), to me it's odd iLO doesn't accept them.
 
Has anyone had any success installing a third party iLO cert? I know it's possible to generate a new CSR by filling in the fields and sending it to StartSSL (for example) to sign, then install that way... but that's effectively another self-signed certificate which I'd rather avoid.
Link to comment
Share on other sites

  • 11 months later...
On 22/01/2017 at 10:22 AM, evakq8r said:

..................................

 
My iLO is currently the latest available AFAIK (iLO4 v2.50 | 23 Sept 2016 - Installed off the latest SPP)
 

 

I have no idea why you have problems with the certificate, but your iLO is not the latest. The latest one is v2.55

Link to comment
Share on other sites

1 hour ago, netware5 said:

I have no idea why you have problems with the certificate, but your iLO is not the latest. The latest one is v2.55

 

Check the thread start date ;)

 

On ‎22‎.‎01‎.‎2017 at 10:22 AM, evakq8r said:

I know it's possible to generate a new CSR by filling in the fields and sending it to StartSSL (for example) to sign, then install that way... but that's effectively another self-signed certificate which I'd rather avoid.

 

Um... if you send the CSR off to a CA to sign, then it's the exact opposite of a self-signed certificate.

 

If you just tried importing a random certificate, then iLO is probably complaining because it doesn't have the corresponding private key, which is generated together with the CSR. From what I can see, there's no way to import both the cert and the private key to iLO.

Link to comment
Share on other sites

  • 3 weeks later...

Hello for everyone!

 

I've just install LetsEncrypt certificates and this is my small instruction (under Linux):

  1. First of all, your must setup the host name and domain in "Network General Settings" - this is very important because it is yours Common Name (CN).
  2. Now, with entered names your can create Certificate Signing Request - simple text file with base64-encoded data:
    • If your don't want use automatic renew of certificate, you can manually generate CSR with button "Generate a CSR" into "SSL Certificate Customization"
    • Another way, use "python-hpilo" - shell scripts for iLO automation. Following command will helps to your: 
      sudo hpilo_cli -l ADMIN_LOGIN -p ADMIN_PASSWORD localhost certificate_signing_request country= state= locality= organization= organizational_unit= common_name=FULL_DOMAIN_NAME

      First execute of this command will return 10 minutes waiting message (as is in iLO). Second execution will output generated CSR, that you should store to new file, for example "cert.csr"

  3. With generated CSR your can make request to Certificate Authority (CA) - LetsEncrypt in this case. I've use for this Certbot utility. Full description and options of utility your can find in documentation. Following simple command do request to LetsEncrypt with confirmation by running webserver.

    sudo certbot certonly --webroot -w /var/www/html --csr cert.csr

    After execution, in folder will be created few pem-files - certificate itself (cert.pem) and additional parts. 

  4. After obtain certificate, your can import it into iLO, and this have two ways:

    • Manually. Just copy content of cert.pem into import field on page "SSL Certificate Customization" - this operation yous should repeat where certificate will expire

    • Automatically. With helps python-hpilo, your can import obatined certificate into iLO:

      sudo hpilo_cli -l ADMIN_LOGIN -p ADMIN_PASSWORD localhost import_certificate certificate="$(cat 0000_cert.pem)"

      In this case, your can make crontab rule with renew certificates and imports it.

  5. When certificate successfully imported, iLO restarts and your can check SSL information

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...