Managing SSL certificates

When managing large amounts of iLO interfaces, the constant SSL warnings are a nuisance, so let’s make sure we have proper SSL certificates. This script will make that easy to do for you by taking care of all the CA work. All you need to do is add the CA’s certificate to your browsers trusted CA list.

First thing to do is configure the CA. Add something like the following to your ~/.ilo.conf:

[ca]
path = ~/.hpilo_ca
country = NL
state = Flevoland
locality = Lelystad
organization = Kaarsemaker.net
organizational_unit = Sysadmin

This path can point to an existing CA, the only requirement is that openssl.cnf for this CA lives inside that directory. The other config values are used when generating the certificates for the iLOs and are all optional, they default to what HP puts in there.

If the CA does not yet exist, you can create it as follows:

$ hpilo_ca init
Generating RSA private key, 2048 bit long modulus
.+++
..................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
State or Province Name (full name) [Flevoland]:
Locality Name (eg, city) [Lelystad]:
Organization Name (eg, company) [Kaarsemaker.net]:
Common Name (eg, your name or your servers hostname) [hpilo_ca]:

This generates the needed directories, an openssl config and a self-signed certificate for your CA.

When your CA is set up, you can start signing certificates. hpilo_ca will check several things:

  • Firmware is upgraded if necessary

  • The hostname is set to the name you use to connect to it, if needed

  • iLO2 is configured to use FQDN’s for certificate signing requests

It will then download the certificate signing request, sign it and upload the signed certificate. Here’s an example of it at work:

$ ./hpilo_ca sign example-server.int.kaarsemaker.net
(1/5) Checking certificate config of example-server.int.kaarsemaker.net
(2/5) Retrieving certificate signing request
(3/5) Signing certificate
Using configuration from /home/dennis/.hpilo_ca/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4 (0x4)
        Validity
            Not Before: Oct  5 09:48:26 2015 GMT
            Not After : Oct  3 09:48:26 2020 GMT
        Subject:
            countryName               = NL
            stateOrProvinceName       = Flevoland
            organizationName          = Kaarsemaker.net
            organizationalUnitName    = Sysadmin
            commonName                = example-server.int.kaarsemaker.net
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                59:E5:B8:37:C5:30:8D:38:47:29:3E:C1:0E:B3:0A:97:95:48:3E:D1
            X509v3 Authority Key Identifier:
                keyid:89:17:37:C5:E3:2D:EA:5C:83:0A:52:36:79:B0:EC:B7:A4:D5:D4:EF

            Netscape Comment:
                Certificate generated by iLO CA
            X509v3 Subject Alternative Name
                DNS:example-server.int.kaarsemaker.net, DNS:example-server, IP Address:10.4.2.13
Certificate is to be certified until Oct  3 09:48:26 2020 GMT (1825 days)

Write out database with 1 new entries
Data Base Updated
(4/5) Uploading certificate
(5/5) Resetting iLO