Remote Lights-Out Mgmt (iLO 2, iLO, RILOE II) Forum
cancel
Showing results for 
Search instead for 
Did you mean: 

SSL certificate request creating using CLI

Highlighted
michal1
Occasional Contributor

SSL certificate request creating using CLI

Hi!

Model iLO2
Firmware Version 1.81 Jan 15 2010

I have to write script to get certificate request from iLO, sign it in my CA and export signed certificate back to iLO.
Have You maybe any idea how to do it?
What CLI command can I use to get certificate request when I using SSH?
And what CLI command should I use to export signed certificate back to iLO?
8 REPLIES
WFHC-WI
Frequent Visitor

Re: SSL certificate request creating using CLI

Hi michal,

Check page 109 of this document:
http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c00294268/c00294268.pdf

This scripting method uses XML files along with the HPONCFG utility for Windows or Linux.

michal1
Occasional Contributor

Re: SSL certificate request creating using CLI

Yes, I know about RIBCL, but I looking for any simples solution :)
SamMan
Super Collector

Re: SSL certificate request creating using CLI

I had the same issue and here is how I accomplished this task:
1. using CPQLOCFG I generated a Certificate Request and output to a log file name CertReq.log.
2. I then searched through the CertReq.log file to look for the data between -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----.
3. I then stored this data into a string and wrote this string into a seperate TXT file name CACertReq.req.
4. Using Microsoft's CERTREQ.EXE I used the following:
CERTREQ.EXE -submit -attrib "CertificateTemplate:myILOTemplate" -config "myCAServerName\Issuing CA Name" C:\TEMP\CACertReq.req C:\TEMP\iLOCert.cer"
5. I then pulled all data from the file iLOCert.cer and stored it to a string variable.
6. I then wrote the .XML file Import_Cert.XML while injecting the string variable in step 5 into the XML file.
7. Using CPQLOCFG.EXE I then imported the certificate via the Import_Cert.XML file.

I wrote this in 2 different languages. First I wrote it is C++ and then I wrote it in AutoItv3. This can be done in just about any language such as VBS, Powershell etc.. I am just more familiar with C++ and AutoItv3 more then the others. I won't post my code as it is very long. But if you can figure out how to perform the steps above then you should be able to automate this process.
michal1
Occasional Contributor

Re: SSL certificate request creating using CLI

Using RIBCL I generated the ssl request, I signed it in my CA (openssl) and uploaded signed certificate back to iLo.
I generated also ca.der and uploaded it to my Internet browser. When I trying open ilo my browser give a warning about a mismatched hostname.

In certificate request was:
CN = some-iLO-2-Subsystem-Name
OU = ISS
O = Hewlett-Packard Development Company
ST = Texas
C = US

What should i do to connect to ilo without any warnings?
WFHC-WI
Frequent Visitor

Re: SSL certificate request creating using CLI

hi michal,

Are you accessing iLO via:

IP address?
DNS name?
FQDN?

Which method gives you a hostname mismatch?
michal1
Occasional Contributor

Re: SSL certificate request creating using CLI

I'm accessing ilo via IP address.
I didn't add this addresses to my DNS.
I tried to change the iLO 2 Subsystem Name to IP address of iLO, but i got "The iLO 2 Subsystem Name may contain only alphanumeric and '-'"
Is any method to access iLO via IP address without warnings?
michal1
Occasional Contributor

Re: SSL certificate request creating using CLI

I've solved this problem.
I created file ip.ext with:

subjectAltName=IP:10.5.19.191

To sign certificate I used:

openssl ca -notext -extfile ip.ext -in /etc/ssl/req.txt > /etc/ssl/ilocert.pem

Everything works well!
//Add this to "OnDomLoad" event