Active Directory CA certificates for HPE iLO

I’ve recently replaced my servers with some nice HPE ProLiants with iLO 4 Advanced. One of the first steps I wanted to get sorted was replacing the self-signed SSL certificates so I don’t have to sit through the warning messages every time I open the web interface. I’ve already got an Active Directory Certification Authority set up so thought I’d use that, given that the root CA certificate is already installed and trusted on all devices.

The first step, once you’ve logged into iLO (the IP address is shown when the server boots, the default username/password are on a sticker or tag on the server chassis – the G8 and G9 kit has a pull-out tag at the front), is to set the host name of the system. Go to Network -> iLO Dedicated Network Port, then onto the General tab to set the host and domain name.

Assuming you’ve already set a static IP (or are happy using DHCP, perhaps with a reservation, and have already set that up), and assuming you’ve already set up the DNS record to point at the host, we can go on to the SSL certificate.

The next step is to go to Administration -> Security, then onto the SSL tab, and click Customise Certificate. Enter the appropriate details and click on Generate CSR.

You’ll want to keep this page open for a few minutes – it says it will take up to 10 minutes but where I’ve done it the wait has only been a few minutes. Hit Generate CSR again and it will show you the certificate signing request. You will then need to copy this, paste it into Notepad, and save it as something like ilo.csr.

Unfortunately you can’t just request a certificate from this template in the Certificate Authority snap-in – you’ll get this error because the request does not include any template details:

The request contains no certificate template information 0x80094801 CERTSRV_E_NO_CERT_TYPE

If you have the web enrolment section of Certificate Services installed you can do this in the browser – I don’t have this installed so will do it through the command line:

certreq -attrib "CertificateTemplate:WebServer" c:\ilo.csr

If your Active Directory setup has multiple CAs you will be asked which one you want to use, then you will be asked where you want to save the certificate. I’ve just put it in the same folder the CSR was in, named ilo.crt. Open this in Notepad and copy the contents.
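Before pasting the certificate into iLO, you can confirm the CA issued what you expected. The PowerShell below is an added example, not part of the original post: the function name Test-IloCertificate and the host name ilo-host.example.local are placeholders, and it assumes it runs on a Windows machine that already trusts the AD root CA.

```powershell
# Added example, not from the original post. Test-IloCertificate and the host
# name at the bottom are hypothetical; C:\ilo.crt is the file saved by certreq.
function Test-IloCertificate {
    param(
        [Parameter(Mandatory)] [string] $Path,      # full path to the issued certificate
        [Parameter(Mandatory)] [string] $HostName   # FQDN set on the iLO General tab
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $problems = @()

    # 1. Host name: look in the subjectAltName extension first, then the CN.
    $cn  = $cert.GetNameInfo('SimpleName', $false)
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $inSan = $san -and ($san.Format($false) -match ('=' + [regex]::Escape($HostName) + '(,|\s|$)'))
    if (-not $inSan -and $cn -ne $HostName) {
        $problems += "Certificate is for '$cn', not $HostName"
    } elseif (-not $inSan) {
        Write-Warning "$HostName is only in the CN; browsers that match on SAN alone will still warn"
    }

    # 2. Validity window against the local clock.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "Outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }

    # 3. Server Authentication EKU (1.3.6.1.5.5.7.3.1), expected on a TLS server certificate.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not ($eku -and ($eku.Format($false) -match '1\.3\.6\.1\.5\.5\.7\.3\.1'))) {
        $problems += 'No Server Authentication EKU'
    }

    # 4. Chain must build to a root this machine trusts; the default policy also
    #    checks revocation online, so an unreachable CRL is reported here too.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        foreach ($s in $chain.ChainStatus) { $problems += "Chain: $($s.StatusInformation.Trim())" }
    }

    $problems | ForEach-Object { Write-Warning $_ }
    return ($problems.Count -eq 0)
}

# Only put the certificate on the clipboard if every check passed.
if (Test-IloCertificate -Path 'C:\ilo.crt' -HostName 'ilo-host.example.local') {
    Get-Content 'C:\ilo.crt' -Raw | Set-Clipboard
}
```

Set-Clipboard needs PowerShell 5 or later; on older versions, open the file in Notepad as described above.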

Now back in the iLO SSL page, click on Import Certificate and paste your certificate into the box. Click on Import and iLO will reset with the new settings.

You will probably need to close/reopen the browser or clear the cache for it to notice the new certificate.

 
