Remote Lights-Out Mgmt (iLO 2, iLO, RILOE II) Forum

ILO doesn't understand Windows 2003 certificate

LinkState
Acclaimed Contributor

ILO doesn't understand Windows 2003 certificate

I have to configure around 80 HP Integrated Lights-Out (iLO) to use Windows 2003 Directory Default Schema. But I cannot make it work.

In Windows 2003 the Domain Controller certificate was replaced by the Domain Controller Authentication certificate.
With the Domain Controller Authentication certificate for Windows 2003, ILO returns the following error:

Accepting Directory Server certificate for signed by /DC=ch/DC=xxx/DC=xxx/CN=xxx Enterprise CA 1-b
Unable to establish SSL connection with directory server.
You may need to install a certificate for your server to allow SSL connections.
Consult the iLO User Guide for details.
Ceasing tests.
Some diagnostics FAILED for server xxx.xxx.xxx.ch

With the Domain Controller certificate for Windows 2000 everything works.

When a Domain Controller Authentication certificate is installed it supersedes the Domain Controller certificate, so I can't keep the old certificate. The new certificate has the old features and also some new, but it doesn't work.
I've read the ILO docs and it's supposed to support Windows 2003.
Has HP envisaged issuing a new firmware supporting Windows 2003 Active Directory, or do you have any solution to the actual problem?
3 REPLIES
RaMpaNTe
Regular Collector

Re: ILO doesn't understand Windows 2003 certificate

Hi, here, you may try this:

Resetting the iLO to defaults in the ROM based setup will set the certificate to the iLO self-certified version. The administrator needs to note the settings for the iLO as they will need to be reentered after the reset to defaults. The settings that will need to be reentered include the networking, DHCP, DNS, and Directory information as well as the user account information.

There is also a reset_rib command as part of the CLI that should accomplish the same as the reset to defaults via the ROM based setup.

Alternately, the certificate can be overwritten by generating a request for a certificate on the iLO, submitting the request to a CA to get a certificate and importing the resulting certificate on the iLO. The certificate is specific to the request, so a certificate cannot be reimported.

This is from a Cu advisory you can find at Hp.com
You have a question... I have an answer!!!
LinkState
Acclaimed Contributor

Re: ILO doesn't understand Windows 2003 certificate

Thank you for your reply, but I was referring to the DC certificate, so ILO can connect to the DC using SSL.
The ILO certificate already works.
LinkState
Acclaimed Contributor

Re: ILO doesn't understand Windows 2003 certificate

In fact it wasn't an ILO-related problem.
Someone had modified the Domain Controller Authentication certificate template and set the minimum key length to 2048, and ILO supports only 1024.
Thanks
LinkState
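
A check for the cause found in the last post (a directory server certificate whose key is longer than the management processor accepts), as an added example that is not part of the original thread: it reads the public key size of a certificate with the openssl CLI and compares it with a limit. The function names, the `MAX_BITS` variable and the host argument are assumptions; 1024 is the iLO limit stated in the post above.

```shell
#!/bin/sh
# Added example (not from the thread): compare the public key size of a
# directory server certificate with the largest size a client device accepts.
# MAX_BITS defaults to 1024, the iLO limit reported in the thread.
MAX_BITS="${MAX_BITS:-1024}"

# Print the public key size in bits of a PEM certificate file.
# Handles both "Public-Key: (N bit)" and the older "Public Key: (N bit)".
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Fetch the certificate a server presents on LDAPS (TCP 636) as PEM.
fetch_ldaps_cert() {
    openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Print "OK <bits>" or "TOO_LARGE <bits>"; return 0, 1, or 2 if unreadable.
check_cert_for_device() {
    bits=$(cert_key_bits "$1")
    if [ -z "$bits" ]; then
        echo "UNREADABLE"
        return 2
    fi
    if [ "$bits" -gt "$MAX_BITS" ]; then
        echo "TOO_LARGE $bits"
        return 1
    fi
    echo "OK $bits"
}

# Optional stand-alone use: pass the domain controller's host name.
if [ "$#" -ge 1 ]; then
    tmp=$(mktemp) || exit 2
    fetch_ldaps_cert "$1" > "$tmp"
    check_cert_for_device "$tmp"
    rc=$?
    rm -f "$tmp"
    exit "$rc"
fi
```

Running it against each domain controller after a certificate template change shows whether newly issued certificates still fit the device before directory logins start failing.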