Replace HP iLO security certificates

This posting is ~5 years years old. You should keep this in mind. IT is a short living business. This information might be outdated.

When you access the HP iLO webinterface, you will be redirected to a HTTPS website. This connection is usually secured by a self-signed SSL certificate. To replace this certificate with a certificate that was issued by your own CA, you have to complete several steps. I will guide you to the steps. I focused on HP ilO 2, but the steps are similar for iLO 3 or iLO 4.

The requirements

We need:

  • an iLO interface that is connected to the network and that has an ip address assigned
  • access to this iLO interface
  • a CA and access to it
  • a web browser

Create the Certificate Signing Request (CSR)

Before we can issue the certificate, we need to create a certificate signing request. This request is used by the CA to create the digital certificate. The CSR contains information to identifying the applicant. This is e.g. the distinguished name (DN), which is the FQDN for a webserver. To create a CSR we have to login into the iLO webinterface.

Create the CSR, issue and install the certificate

I use a Microsoft Windows Server 2012 R2 CA in my lab. This CA is integrated into my Active Directory and I use it to issue certificates for my lab infrastructure. Because it’s my lab, I don’t use a two-tier CA with an offline root CA. ;) But if you are interested in how to setup this, I recommend this two excellent articles written by Derek Seaman and posted on his blog: Windows Server 2012 R2 Two-Tier PKI CA Pt. 1 & Windows Server 2012 R2 Two-Tier PKI CA Pt. 2.

To create a CSR we have to login into iLO and access the “Administration” tab. Then select “Security” from the left menu.

ilo2_ssl_cert_1

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

Usually the lower fields are greyed out, so you have to enable “Customized CSR”. Then you can fill the lower, now enabled fields, with values. Don’t forget to hit apply.

A little further down the page, you can create a certificate request.

ilo2_ssl_cert_2

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

Click the “Create Certificate Request” button. The certificate request will be generated and you will forwarded to the next page. Now you have to copy the request into a text file or you can past it directly into you CA. I use a W2K12 R2 CA which is running on another host. So I copied the text into a file and saved the file as ilo-esx1.csr.

ilo2_ssl_cert_3

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

No it’s time to issue the certificate. I copied the CSR to my CA into a temp directory. Open an elevated CMD, switch to the directory with the CSR and run the following command:

A windows will pop up where you have to chose the CA. Because I only have on CA, I can’t choose much… Select you CA and click “OK”. Copy the pem file to you client (or whereever you have the browser with the iLO open), click “Next Step” and then paste the content of the pem file into the text field.

ilo2_ssl_cert_4

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

Click “Install Certificate”.

ilo2_ssl_cert_5

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

If you click “Restart” a counter will appear. After 60 seconds you will be redirected to the login page. Please note, that you have to access the login page via the FQDN. Otherwise you will get a certificate error.

Summary

Essentially there is nothing special. It’s much more easier as to do this for a VMware environment… It’s a simple three-step plan: 1. Create the CSR, 2. issue a certificate by using the CSR and 3. install the certificate. Don’t forget to import the CA certificate into you browser. Otherwise you will furthermore get this nasty security warning…

Replace HP iLO security certificates
5 (100%) 3 vote[s]
Follow me

Patrick Terlisten

vcloudnine.de is the personal blog of Patrick Terlisten. Patrick has a strong focus on virtualization & cloud solutions, but also storage, networking, and IT infrastructure in general. He is a fan of Lean Management and agile methods, and practices continuous improvement whereever it is possible.

Feel free to follow him on Twitter and/ or leave a comment.
Patrick Terlisten
Follow me

8 thoughts on “Replace HP iLO security certificates

  1. Constantinos

    Hello,
    I tried your suggestion and followed your instructions to create a request and get a certificate from an Domain controller.
    However when I try to import the certificate I get a message that

    Reply
  2. Constantinos

    Hello,
    I tried your suggestion and followed your instructions to create a request and get a certificate from an Domain controller.
    However when I try to import the certificate I get a message that the certificate cannot be imported because it is not in X.509 format.
    Any ideas on what is going wrong?
    Thank you

    Reply
  3. Constantinos

    it is an ILO3.
    I installed a VM with Windows 2016 and made it a domain controller and the installed the services for creating the certificate.
    Thank you

    Reply
    1. Patrick Terlisten Post author

      Make sure that it is Base64 codes and use the Web Server template. Nake sure that the Common Name and the SAN extension include the FQDN that was entered during the CSR creation.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

I accept!