At the request of a higher-up, I need to deploy SSL certificate(s) signed by our Active Directory CA to over 100 lights-out interfaces. Given all these devices have been given a hostname .ilo.my.domain, a wildcard certificate seems to be the way to go.

I've not been able to find any useful instructions on how to do this - Googling just gets me 100s of results for various SSL Resellers.

Does anyone have any experience with MS Cert Services & Wildcard SSL Certificates that they can point me in the right direction with?

Cheers

Ben Short

3 Answers

It's possible to use the iLO scripting interfaces to get the certificate request and import the reply. That would be using CPQLOCFG or HPONCFG for the iLO I/O.

If you're a programming sort, there's a Perl version of cpqlocfg that could be used to fetch the request, programmatically submit it to the Microsoft CA, fetch the reply, and update iLO.

davenpcj
  • Thanks for the reply Daven - Yep, can do that, but the CSR is generated for system name only. This causes hostname mismatches when you need to use a FQDN :) The issue is with HP now with their iLO team who hopefully will correct the CSR generation to be FQDN in an upcoming firmware release :) – Ben Short Nov 05 '09 at 10:09
  • @Ben - iLO 3 certificate requests include subject alternative names for the FQDN, and the CN defaults to the FQDN, so that should work for you now. – davenpcj Jul 30 '11 at 23:42
  • Thanks Daven - in time, HP finally got their firmware set up so I could successfully sign certificates in a subdomain, at which point I could write a script to do a batch update. The script is located on my blog (http://practicaladmin.wordpress.com). Given this was the solution, I'll mark you as having the answer :) – Ben Short Aug 08 '11 at 04:11

The real problem you have is that you need to get the HP iLO to issue a wildcard certificate request in the first place. From my quick searching of the HP IT Resource Center this doesn't appear possible.

What I did find however was a great post at The Lazy Admin - Using Certificates with Compaq/HP RILOE and ILO Hardware which step-by-step walks you through the process of requesting a HP iLO cert against a MS Certificate Authority.

With respect to SSL wildcards in general, have a read of Publishing Multiple Web Sites Using a Wildcard Certificate in ISA Server 2004; though focussed on ISA, it explains what needs to happen with respect to the request.

Sim

Can you please advise a line (and location in the script) where we can add an Alternative Name in the script? This is expected by Chrome now. Our current certs do not have this and so the script does not add it. Can you please advise? Thanks -ActionParsnip
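
The name problems raised in this thread (a CSR carrying only the system name, a wildcard for the iLO subdomain, and Chrome expecting a Subject Alternative Name) all come down to how a client matches certificate names against the host in the URL. The sketch below is an added example, not code from the thread or from the script on the blog mentioned above; the function names and the sample hosts and certificate fields are constructed for illustration.

```python
# Added example, not from the original thread. Hostnames and certificate
# contents below are constructed sample data.

def name_matches(pattern, host):
    """Compare one certificate name with the hostname the client connected to.

    '*' is honoured only as the entire left-most label and stands for exactly
    one label, as in RFC 6125 and current browsers.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and (p[0] == "*" or p[0] == h[0])

def client_accepts(host, cn, dns_sans, cn_fallback=False):
    """cn_fallback=False models clients that read only subjectAltName (Chrome);
    cn_fallback=True models older clients that use CN when no SAN is present."""
    if dns_sans:
        return any(name_matches(s, host) for s in dns_sans)
    return cn_fallback and name_matches(cn, host)

def audit(certs):
    """Map each host to 'ok', 'needs SAN' or 'name mismatch'."""
    report = {}
    for host, (cn, sans) in certs.items():
        if client_accepts(host, cn, sans):
            report[host] = "ok"
        elif client_accepts(host, cn, sans, cn_fallback=True):
            report[host] = "needs SAN"
        else:
            report[host] = "name mismatch"
    return report

# Host the admin browses to -> (subject CN, DNS subjectAltNames); constructed.
SAMPLE = {
    "srv01.ilo.my.domain": ("srv01", []),                # CSR with system name only
    "srv02.ilo.my.domain": ("srv02.ilo.my.domain", []),  # FQDN in CN, no SAN
    "srv03.ilo.my.domain": ("srv03.ilo.my.domain", ["srv03.ilo.my.domain"]),
    "srv04.ilo.my.domain": ("*.ilo.my.domain", ["*.ilo.my.domain"]),
    "a.b.ilo.my.domain": ("*.ilo.my.domain", ["*.ilo.my.domain"]),  # two labels deep
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(f"{host:22} {verdict}")
```

A "needs SAN" verdict means the certificate only works for clients that still fall back to the CN, so it has to be reissued with the FQDN as a DNS subjectAltName.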