Remote Lights-Out Mgmt (iLO 2, iLO, RILOE II) Forum

Installing a certificate signing by our own CA

Telematica
New Member.

Installing a certificate signing by our own CA

Hello,

I am trying to install a certificate in our blade servers' iLO (Advanced 1.92). I have tried some methods, but none of them succeeded.

First I tried to request a certificate from the iLO web interface. The request seems correct, but we can't sign it because the country of the request is US and our CA's country is ES.

So I tried to import a certificate directly signed by our CA (we create the request and sign it). But I got the error:

"The Certificate could not be imported from the supplied X.509 Certificate data.

The Common name on the certificate does not match the DNS name of Integrated Lights-Out. Make sure that the X.509 Certificate data was intended for this Integrated Lights-Out. "

I thought that the problem could be that the CN of the certificate was the FQDN, so I tried with a certificate with just the hostname in the CN, but I got the same error.

Any idea how I could install a certificate?
4 REPLIES
Evan Woolley
New Member.

Re: Installing a certificate signing by our own CA

I'm having the same issue and can't seem to find any solution. It looks like this has been an issue for a very long time and is due to a bug or very poor design.

We literally have thousands of HP bl and dl servers. We would like to use ssl certs the way they were intended, but this bug in the ilo firmware is preventing us from using ssl correctly.

The CSR should use the FQDN for the common name not just the hostname.
Aaron Devey
New Member.

Re: Installing a certificate signing by our own CA

The Onboard Administrator allows you to specify the Subject for CSRs. Why don't the blade ILOs have the same feature?
jusooo
Contributor.

Re: Installing a certificate signing by our own CA

Hi

I'm facing the same issue, maybe even worse - whatever combination of network settings (host name and domain name) and certificate (common name, shortname/FQDN) I try - I can't import the certificate. I tried the certificate request generated by iLO, I also tried the self-generated request - it just simply doesn't work. It always returns the error:

The Certificate could not be imported from the supplied X.509 Certificate data.

The Common name on the certificate does not match the DNS name of Integrated Lights-Out. Make sure that the X.509 Certificate data was intended for this Integrated Lights-Out.

I have no idea where to go from here, all possible options are already exercised, so I'm lost, and a whole day is wasted. Can anyone help, please?

jusooo
Contributor.

Re: Installing a certificate signing by our own CA

This may be helpful for someone who faces the same issue - eventually I made it happen, iLO accepted the certificate signed by my self-signed CA (openssl). The issue was with the CA configuration - not sure what exactly was the reason as I changed two things in the config:

a) the SSL v3 extensions - completely removed this section from the generated certificate

b) changed the order of attributes in the certificate subject (country, state, locality, organization, organization unit, common name, email)

But these changes do not correspond to the error message generated by the iLO certificate import (see the previous post), so it took quite a while to find the correct setup. Please be aware that the error description can be misleading in certain cases.

take care
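
A pre-import check for the three properties this thread ended up touching (Common Name, subject attribute order, presence of v3 extensions), added here as an example and not posted by any participant. It assumes the `openssl` CLI and treats the "v3 extensions" of the last post as the X509v3 extensions block that openssl prints; the function names and the hostname in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI.
# Function names are hypothetical.

# Subject attributes as short names, in the order encoded in the certificate.
subject_order() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,sname |
        sed -n 's/^ \{1,\}\([A-Za-z0-9.]\{1,\}\)=.*/\1/p' | paste -sd, -
}

# Value of the first commonName attribute in the subject.
subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,sname |
        sed -n 's/^ \{1,\}CN=//p' | head -n 1
}

# Succeeds when the certificate contains an X509v3 extensions block.
has_v3_extensions() {
    openssl x509 -in "$1" -noout -text | grep -q 'X509v3 extensions:'
}

# ilo_cert_precheck CERT NAME
# Prints what the certificate contains and returns 1 when the CN differs
# from NAME (compared case-insensitively), 0 otherwise.
ilo_cert_precheck() {
    pc_cn=$(subject_cn "$1" | tr '[:upper:]' '[:lower:]')
    pc_want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    echo "subject order: $(subject_order "$1")"
    if has_v3_extensions "$1"; then
        echo "extensions:    present"
    else
        echo "extensions:    none"
    fi
    if [ "$pc_cn" = "$pc_want" ]; then
        echo "common name:   $pc_cn (matches)"
        return 0
    fi
    echo "common name:   $pc_cn (expected $pc_want)"
    return 1
}

# Usage (hypothetical names): ilo_cert_precheck signed-cert.pem ilo-blade01.example.test
```

Run it against the signed certificate with the name configured in the iLO network settings; the order and extension lines are informational, since the thread does not establish which of the two changes made the import succeed.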