HPE ProLiant iLO SSL Certificate Using Microsoft CA and PowerShell

Introduction

Something that has been on my list for a while to to add SSL certificates to all the various internal apps and management web interfaces so I am not just clicking through the certificate warning in the browser. You can generate the Certificate Signing Request (CSR) from the iLO browser interface but I am going to use the HPE iLO PowerShell cmdlets. I will use an internal Microsoft Certificate Authority to generate the certificate.

Connecting to the iLO

First we need to connect to the iLO. We will create a credential object we will use to authenticate:

# Create the login credential object
$username = "Administrator"
$password = ConvertTo-SecureString -String "Password1" -AsPlainText -Force
$credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $username,$password

Now we can connect to the iLO:

$connection = Connect-HPEiLO -Credential $credential -IP esxi-01-ilo.corp.contoso.com -DisableCertificateAuthentication

Check The Default Certificate

This is easy. Just use the iLO cmdlet Get-HPEiLOSSLCertificateInfo:

Get-HPEiLOSSLCertificateInfo -Connection $connection

Issuer         : CN = iLO Default Issuer (Do not trust), O = Hewlett-Packard Company, OU = ISS, L = Houston, ST = Texas, C = US
SerialNumber   : 0e:06:75:09
Subject        : CN = ILOMXQXXXXXXX, O = Hewlett-Packard Company, OU = ISS, L = Houston, ST = Texas, C = US
ValidNotAfter  : 15/05/2030 23:58:58
ValidNotBefore : 16/05/2015 23:58:58
IP             : 10.10.1.100
Hostname       : esxi-01-ilo.corp.contoso.com
Status         : OK
StatusInfo     :

You can see that the certificate is the default one shipped with the server, so not trusted.

Generating the Certificate Request

Generating the CSR is a two step process. First you need to start a request, wait 10 minutes, then get the CSR.

To start the CSR use the cmdlet Start-HPEiLOCertificateSigningRequest and pass the usual details such as City, Common Name, etc.

Start-HPEiLOCertificateSigningRequest -Connection $connection -City Glasgow -CommonName esxi-01-ilo.corp.contoso.com -Country UK -Organization "Contoso" -State "Lanarkshire" -OrganizationalUnit IT

IP            Hostname                       Status      StatusInfo
--            --------                       ------      ----------
10.10.1.100   esxi-01-ilo.corp.contoso.com   INFORMATION HPE.iLO.Response.StatusInfo

Make sure to use the FQDN of the iLO as the Common Name. The iLO is now generating the CSR. This can take up to 10 minutes so be patient. There is no visual indicator that it has completed. You get the CSR by using the cmdlet Get-HPEiLOCertificateSigningRequest:

Get-HPEiLOCertificateSigningRequest -Connection $connection

CertificateSigningRequest : -----BEGIN CERTIFICATE REQUEST-----
                            XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
                            YWwxCzAJBgNVBAsMAklUMSMwIQYDVQQKDBpEb3ZlciBQcmVjaXNpb24gQ29tcG9u
                            XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
                            MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwOWJY083oC6l4XqKL6UA
                            XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
                            WpeG55AqLD7ePrt7Cdtsf+hOKuh+JvwWMJPpjZIUIntqdidj2YN4jtoIKQsGztAB
                            XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
                            u5ww/ow7QKietrTyx3VW5Eb+Tn8x1FggZkH/Ahz8kUenNNEdSznorp/XFxMzkPiI
                            XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
                            HwIDAQABoE8wTQYJKoZIhvcNAQkOMUAwPjA8BgNVHREENTAzghlyaWMtZXN4aS0w
                            XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
                            DQEBCwUAA4IBAQBNOD59Oh/qiJ7zL8oADp5MOdwLR8DR1kKrIvTKKmqMUXz7ziFk
                            XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
                            WVcvbQ/D4Veaw0tKvcT29MMeFyYQdrbTxrSh/7E6AJFHXH6HPuBEFNRVVuqWD0p0
                            XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
                            /hA6rAl+TDL7fdvpWBUav2T/2AuXwywRREC9ZCZ3gV4EtTJqZlAfBU0mrDLFLE6S
                            9EldVlImIlauP6vaJNdF2ucBSoJZR494Vdjv
                            -----END CERTIFICATE REQUEST-----

IP                        : 10.10.1.100
Hostname                  : esxi-01-ilo.corp.contoso.com
Status                    : OK
StatusInfo                :

Copy the CSR text starting at ----- BEGIN CERTIFICATE REQUEST----- and end at -----END CERTIFICATE REQUEST-----. Open a text editor and paste this in and save as a .csr file such as ilo.csr. We now have the CSR file to generate the certificate.

Microsoft Certificate Authority

This assumes you have a CA template called WebServer for signing websites. There are plenty of tutorials available to help if you don’t know how to do this. Open a command prompt with permissions to request and enroll a certificate. Use certreq.exe and define the correct CA Template for websites, the .csr file and an output .pem file that has the certificate:

C:\Windows\System32>certreq.exe -submit -attrib "CertificateTemplate:WebServer" C:\Temp\ilo.csr C:\Temp\ilo.pem

Active Directory Enrollment Policy
  {BC40841F-D87D-42C6-8BE8-7650FB7AAABB}
  ldap:
RequestId: 58665
RequestId: "58665"
Certificate retrieved(Issued) Issued

A dialog box will pop up asking to confirm which CA to use. Choose the correct one and then the file C:\Temp\ilo.pem is generated. This is the issued certificate.

Applying The Certificate

Now we have the certificate returned in the file C:\Temp\ilo.pem. We need to apply it now to the iLO.

First we need to import the certificate string into a variable. Open the .pem file and copy the text into PowerShell as so:

$cert = @"
-----BEGIN CERTIFICATE-----
MIIG+jCCBeKgAwIBAgIKMyLkAQACAADlITANBgkqhkiG9w0BAQsFADCBizELMAkG
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
A3diYzEmMCQGA1UEChMdV2F1a2VzaGEgQmVhcmluZ3MgQ29ycG9yYXRpb24xKDAm
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
MDk1NjQ2WhcNMjAwODEwMDk1NjQ2WjCBgjELMAkGA1UEBhMCVVMxCzAJBgNVBAgT
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Q29tcG9uZW50czELMAkGA1UECxMCSVQxIjAgBgNVBAMTGXJpYy1lc3hpLTAyLWls
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
TzegLqXheoovpQCL8skk+ZrhjIfEPZPAPYNhpQjfRMnyYVlTsx6xsVeFnSCk7T3Y
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
g3iO2ggpCwbO0AFJlwPe2xzD3A61xBKW4nXxjal7hydHCHaOjhKh/LXOXbc7Ibiu
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Oeiun9cXEzOQ+Ii4ZzbqH1Pbb1eWoUrH7Cwpw7y7ep6OdWVgc6XEQGTfMim+4Ijw
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Mi1pbG8ud2JjLmxvY2FshwQKRHNlhxD+gAAAAAAAAO6x1//+iOfCMB0GA1UdDgQW
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
7tGr/TR/pjCCAUUGA1UdHwSCATwwggE4MIIBNKCCATCgggEshoHSbGRhcDovLy9D
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Qy1QS0ktRVMwMSxDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
aWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
b2xsL1dhdWtlc2hhJTIwQmVhcmluZ3MlMjBFbnRlcnByaXNlJTIwQ0EoMikuY3Js
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
PVdhdWtlc2hhJTIwQmVhcmluZ3MlMjBFbnRlcnByaXNlJTIwQ0EsQ049QUlBLENO
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
YXRpb24sREM9d2JjLERDPWxvY2FsP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RD
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
V0JDLVBLSS1FUzAxLndiYy5sb2NhbC9DZXJ0RW5yb2xsL1dCQy1QS0ktRVMwMS53
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KS5jcnQwIQYJKwYBBAGCNxQCBBQeEgBXAGUAYgBTAGUAcgB2AGUAcjALBgNVHQ8E
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
YRH7NC9Sur6kVJ51q0QQ4N9i+yp6vJ+mbTgoRGjNWWg7rk6FIzEJNbs4JPvvKU+F
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
TePZzOPkJpS21TynEdCaZlkQE4z+G+S4LMZCXQVU+WhpIYk36XcotFi278btUaCO
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
e5ekr7P2p0Kan4ovcpB0KfRB6DOhplKb0DYzF0nSKDQddR7oWnWAPH8+namByoDG
tIc1zjDoxIZ9lcg5tDI=
-----END CERTIFICATE-----
"@

We can now import it into the iLO using Import-HPEiLOCertificate:

Import-HPEiLOCertificate -Certificate $cert -Connection $connection

IP            Hostname                     Status StatusInfo
--            --------                     ------ ----------
10.10.1.100   esxi-01-ilo.corp.contoso.com WARNING HPE.iLO.Response.StatusInfo

It takes a minute or two for the certificate to apply. You can then check the certificate on the iLO:

Get-HPEiLOSSLCertificateInfo -Connection $connection

Issuer         : C = UK, DC = com, DC = contoso, DC = corp, O = Contoso, CN = Contoso Enterprise CA
SerialNumber   : 33:22:e4:01:00:02:00:00:e5:21
Subject        : C = UK, ST = Lanarkshire, L = Glasgow, O = Contoso, OU = IT, CN = esxi-01-ilo.corp.contoso.com
ValidNotAfter  : 10/08/2020 09:56:46
ValidNotBefore : 11/08/2018 09:56:46
IP             : 10.10.1.100
Hostname       : esxi-01-ilo.corp.contoso.com
Status         : OK
StatusInfo     :

You can see that the certificate signed by the CA is now presented by the iLO:

iLO SSL

Wrap Up

The process is very straightforward and can be completed entirely at a command line without having to login to the web interface. One thing I should advise. I tried using an wildcard certificate issued from the CA and applying it to the iLO but it didn’t like that. Seems you have to generate a CSR to get a working certificate. If I am wrong please let me know.