Remote Lights-Out Mgmt (iLO 2, iLO, RILOE II) Forum
ILo and Active Directory. SSL-Certificate-Problem

Philipp Stummer
Contributor.

ILo and Active Directory. SSL-Certificate-Problem

Hi folks,

I've got a problem in getting my ILO-Boards up and running with AD.
I'm using the HP-Schema and a valid SSL-Certificate on my DC (Tested with MS LDP and Internet-Explorer). When I run the "Connection Test" on an ILO-Board the test isn't successful. The Error-Message is:
"Warning: certificate does not match Directory Server Address "
The certificate IS valid. By the way it's from my own CA (Windows 2003 SP1) which is trusted by the ILO and the DC.

Hopefully anyone can help.

Regards,
Philipp
7 REPLIES
SteveTWard
Regular Contributor.

Re: ILo and Active Directory. SSL-Certificate-Problem

Hi
I have a similar issue - Did you ever get an answer
Steve
Philipp Stummer
Contributor.

Re: ILo and Active Directory. SSL-Certificate-Problem

Hi!

No, nobody answered this issue.
I'm still using iLo with local user accounts.
Maybe it's possible with iLo2?

Regards,
Philipp
SteveTWard
Regular Contributor.

Re: ILo and Active Directory. SSL-Certificate-Problem

Hi
Thanks for the reply - Even with the error I can still use AD accounts, did you give up when the test failed? (I did, but I was told to ignore this failure)
I think the reason the test fails is because the certificate on the DC (You need one on the DC) is issued to the FQDN of the DC (in my case) but the certificate on the iLO is issued without the FQDN as I can't find a way to change the CSR to use the FQDN
Regards
Steve
Philipp Stummer
Contributor.

Re: ILo and Active Directory. SSL-Certificate-Problem

Hi!

I've given up on this issue.
The FQDN-Thought is true. I saw the same thing. In contrast to you my iLO-Boards and my DC have certificates that are valid for the FQDN. Only the iLO itself checks for the hostname alone, I think.

Regards,
Philipp
acartes
Acclaimed Contributor.

Re: ILo and Active Directory. SSL-Certificate-Problem

The test is comparing the subject of the certificate that was received from the directory server with the entire configured directory server name.

For example, if the configured directory name is "ADS1" and the certificate subject is "CN=ads1.corp.net" then this test passes.

Conversely, if the configured directory server name is "ads1.corp.net" and the certificate subject is "CN=ads1" then a warning is generated.

Likewise, if the directory server is configured using IP address, it is unlikely that the cert subject matches.
Christopher Tyl
Contributor.

Re: ILo and Active Directory. SSL-Certificate-Problem

If you're using AD Cert Services, install the web interface (http://[CertServer]/certsrv).
-Request a new Cert
-Advanced Cert
-From PKCS#10
-Paste in the CSR from the iLO config
-Template: Web Server, Server Auth, or if you know what you're doing you can create a custom template.
-Additional Attributes: "san:dns=[iLO name]&dns=[fqdn]" (ie "san:dns=server1&dns=server1.example.com").
-Submit, approve, etc. Get the cert from the server, open it with Notepad, copy and paste into iLO. Reboot iLO.

I'm still working on how to do this with OpenSSL (for the non-Windows world).
Christopher Tyl
Contributor.

Re: ILo and Active Directory. SSL-Certificate-Problem

One other thing, if you don't have SAN turned on already you have to do so on the Cert server by running these from a command prompt:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc
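To make the behaviour in the thread concrete, here is an added example (not iLO firmware code and not from any poster) that models the comparison acartes describes: the configured directory server name is checked against the certificate's subject CN, passing when it equals the CN or its short host name, and never matching when an IP address is configured. It also models why Christopher Tyl's SAN fix works, by letting SAN DNS entries satisfy the same check; the subject strings and names are constructed sample values.

```python
import ipaddress
from typing import Iterable


def cn_from_subject(subject: str) -> str:
    """Extract the CN attribute from a comma-separated subject string such as
    'CN=ads1.corp.net,OU=Servers,DC=corp,DC=net' (sample format, not a full DN parser)."""
    for rdn in subject.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return ""


def is_ip_address(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def name_matches(configured: str, cert_name: str) -> bool:
    """Model of the iLO comparison described in the thread (assumption, not the
    real firmware logic): case-insensitive, the configured name must equal the
    certificate name or be its first DNS label. An IP never matches a DNS name."""
    c = configured.strip().lower().rstrip(".")
    n = cert_name.strip().lower().rstrip(".")
    if not c or not n or is_ip_address(c):
        return False
    return c == n or c == n.split(".")[0]


def directory_server_check(configured: str, subject: str,
                           san_dns: Iterable[str] = ()) -> dict:
    """Run the check against the subject CN and any SAN dns= entries, returning
    a pass record or the warning text quoted in the original post."""
    names = [cn_from_subject(subject)] + list(san_dns)
    matched = [n for n in names if name_matches(configured, n)]
    if matched:
        return {"status": "pass", "matched": matched[0]}
    return {"status": "warning",
            "message": "certificate does not match Directory Server Address"}


if __name__ == "__main__":
    # Constructed cases mirroring the thread: short name, FQDN vs short CN, IP, SAN fix.
    print(directory_server_check("ADS1", "CN=ads1.corp.net"))
    print(directory_server_check("ads1.corp.net", "CN=ads1"))
    print(directory_server_check("10.0.0.5", "CN=ads1.corp.net"))
    print(directory_server_check("ads1.corp.net", "CN=ads1", ["ads1", "ads1.corp.net"]))
```

Note that a standards-conforming TLS hostname check would not accept a bare short name against an FQDN certificate; the first-label rule above only reproduces the lenient behaviour the post reports, so issuing the certificate with both names in the SAN is the robust fix.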