Powershell Script: Sign iLO Certificates with a MS CA

I’ve been talking a lot about HP iLO devices and SSL recently, and hopefully this will bring some closure to this.

One of the early requests I had when I started working where I do was to “get rid of the certificate warnings” when signing into iLOs. Until a few months ago this was not possible, because iLO only understood SSL certificates issued to short host names rather than FQDNs.

When the firmware was updated to support FQDN SSL Certificates, I was now able to start looking into getting all the certificates signed by our internal Microsoft Certificate Services CA. However there was no way I was going to manually configure 200+ interfaces.

So I wrote a script, and it is now available for all.

The Script can be downloaded here.

Please read the readme file – it explains a little more about how the script works and what it assumes.

Of note, please be aware that the script will attempt to rename your iLO system name and domain based on the information you supply so that a matching certificate can be created. This script will also fail if your iLO device’s network configuration is obtained via DHCP.

As always, the script is supplied as-is with no liability accepted, but if it’s broken, let me know and I will look into it.


30 thoughts on “Powershell Script: Sign iLO Certificates with a MS CA”

  1. Nick

    Great article. However, it just highlights how unorganised HP really is in their technology interactions.

    Right at the end of the article is a crucial piece of information. We use EBIPA (Enclosure Bay IP Addressing) for our c-Class BladeSystems, and part of this technology is the fact that the iLOs are configured as DHCP.

    This is so that they can receive the IP details given to it via the Onboard Administrator. EBIPA allows all iLO IP Addressing to be statically assigned and promotes structured addressing for iLOs.

    So, it seems that this script will not work for anyone who is using EBIPA. HP is not known for ensuring their technologies work well together and in an integrated fashion.

    1. Ben Post author

      Hi Nick,

      I couldn’t agree more with what you are saying. There is so much that is so very wrong with the way HP deals with the whole idea of automating configuration at an enterprise level.

      EBIPA is an interesting beast. One of the great issues is where we have moved blades with “static” IP settings in EBIPA to a different enclosure which has a different subnet visible. The blade will not pick up a new IP address based on the bay EBIPA settings and instead “disappears” because the iLO interface is unreachable. An iLO factory reset is required to resolve this.

      Admittedly we don’t make a habit of moving blades between enclosures, so it could be just one of those “you’re doing it wrong” things.

      Thanks for reading the blog – I appreciate hearing back from people 🙂

      1. Matt Burgess

        Hi Ben,
        Great work on the script. FYI it is possible to reset the ILO back to DHCP without physical access to the enclosure or doing a factory reset. This can be done via the OA CLI.

        As for the script failing when using DHCP/EBIPA, I would suggest this could be worked around by staging the process (generate CSR, then running the ps script, then apply) or by using the ILO online config tool (which is OS based) rather than going direct to the ILO, which has the added benefit of not requiring login. It’s also possible that the script fails for ILOs which have received their domain name from EBIPA. You could easily script around that by having only the IP/subnet and gateway information coming down.

        Another method would also be to create an HPSIM custom tool for each task: 1. generate CSR, 2. request cert, 3. apply cert – so that this could be applied to any new servers’ ILOs which come along. I have done this in the past and it works well. It’s quite easy if HPSIM is set up properly.

        I haven’t tried automating SMH certificates yet though – that might be something to look into.

        Not knocking your method – you’ve done a great job with your script and will save some people a lot of time, but there are workable alternatives worth trying, particularly for people who use EBIPA.

        Cheers

        Matt Burgess

      2. Ben Post author

        Hi Matt
        Thanks for the comments. Yep, aware you can reset the iLO back to DHCP through the OA – have had to do it for those stuck machines 🙂

        I suspect the recent firmware released by HP for the iLO will be a bit of a game changer allowing the ability to create custom CSRs. Unfortunately I have been unable to investigate as I have more than enough work on my cards right now 🙂 It is on my list of things to look into however.

        I’d love to be able to do it all with HPSIM. Unfortunately I’ve inherited an environment where right now it’s not possible. In the future, I may be allowed a bit more freedom in that area. The script itself was designed to run and walk away.

        Thanks again for the comments – it’s always constructive!

  2. Vojtech Fiurasek

    Hi,

    the script is no longer available for download, would you mind reuploading? Would help me a lot! Thank you in advance.

    Vojtech

  3. Matt

    Hi,
    I have been attempting to get this working for a few hours now but every time I get an error in PowerShell stating that it cannot find currentcert.cer. I looked further into it and it seems as though the currentcrt.txt is actually being created which causes the rest of the script to fail.

    I am running it against ilo2 with firmware 2.07. Also meet all the caveats/pre reqs for it to work.

    1. Ben Post author

      HI Matt!

      Oops! This is a little bug in the script – if you create the file currentcert.cer the problem will go away. currentcert.cer is a ‘work file’ that is generated when the certificate is created – and to make sure the wrong certificate isn’t uploaded if the signing fails, the file is deleted early in the script. If the file doesn’t exist, then it errors.

      I’ll fix this in a script revision that I’ll try and release this week 🙂

      Answer from the other post, modifying $strApplyiLOVersion variable in the script per comments should allow this script to work with iLO 3.

      Finally, I haven’t gotten to iLO 2 fw 2.07 as yet – most of our equipment runs iLO 2.05 – I can’t see anything in the release notes about new custom attributes – are you able to explain? 🙂

      Cheers
      Ben

  4. Joe

    Hello, I came across this script and it will be a great help. Right now it seems I am having trouble where the script will not download/update the currentcsr.txt file. If I get a CSR from the iLO card manually and then run the script it will create the certificate and install it. Then when I run the script again against another iLO card it tries to use the same CSR and doesn’t update the file.

    1. Ben Post author

      Hi Joe,
      How are you getting the CSR Manually? through the web interface, or using the XML output of cpqlocfg? Looking at the code, the reason why currentcsr.txt would not be generated would be because the output result from cpqloconfig didn’t contain the expected CERTIFICATE_SIGNING_REQUEST Tag.
      Can you also advise what version of iLO and the firmware revision?

  5. Joe

    I would run it manually by getting it from the command line, cpqlocfg.exe -s “iloname” -u user -p password Cert_Request.xml.

    I would take the CSR from the output and paste it into the text file minus all the XML formatting so it would be just like a plain CSR.

    I read that iLO3 may present the CSR differently? I have run this on several 2 and 3 iLO cards. iLO 2 firmware 2.05, 2.06, and iLO 3 1.26. Possibly some others as well, I was picking random cards to see if some worked based on version.

    I’ll post an example of what I get back.

    Thanks,
    Joe

  6. Joe

    Here is an example of what I get back manually... CSR data removed.

    IP Address is: ilo name

    -----BEGIN CERTIFICATE REQUEST-----
    csr data here
    -----END CERTIFICATE REQUEST-----

    cpqlocfg.exe: Script succeeded on “ilohostname:443”

  7. Joe

    I got the script working! I am such a code n00b, it took me a while to see how you were getting from A to B. The tweaks I made seem to make it play nice with my cards & firmware levels.

    Under the applysettings function I changed the command to include -u $striLOUsername -p $striLOPassword. I think the CSR wasn’t being created due to a login issue to the card.

    I saw similar issues when applying settings to the cards under the setnetworkhost and certify functions. I did a similar edit to send out the entire CPQLOCFG.EXE command; I just had to make sure a few variables were defined again.

    Thanks again for this code, this is a major help for my physical servers.

    Joe

    1. Ben Post author

      Hi Joe,
      That’s great to hear! I find what you’re saying about the username and password interesting, as I had a lot of issues with the scope of variables in this script when I first wrote it – it was behaving inconsistently in PS on different machines.

      As I emailed you, I have access to an iLO3 1.26 device for a bit of testing now, so I am re-writing the code using my PS library to see if I can make it work better.

      Glad the code is helping you out 🙂

  8. Sven

    Hey Ben,
    I’ve been reading your blog for a while now.
    I think you have played around with the whole SSL and iLO story for a while now. So I hope you can help me:
    I need to create a CSR with a Subject different from the Default Subject of the iLO for some iLO2 and iLO3.
    At iLO 2 I can modify the CSR Settings via RIBCL with:

    Now I was wondering about how to handle the iLO3s. From our iLO3s I got the answer: “Feature isn’t supported.”
    After googling around for 2 days now I couldn’t find an equivalent to achieve this.
    I don’t believe, HP wants me to do this manually.
    Do you have any idea?

    Sorry for my bad English.
    Greetings from Germany.

    1. Ben Post author

      Hi Sven!

      Wow, Germany, cool 🙂

      I would like to think that my complaints in previous year were a direct result of the inclusion of custom CSR configuration in iLO 2.

      Unfortunately there would appear to be no iLO3 Support for custom CSRs (at least from a RIBCL POV) 😦 This comes from the sample scripts from HP.

      I don’t have any servers with non-production iLO3, therefore I cannot check the SSL Certificate page to see what settings are available (because it all gets locked out when you import a signed cert).

      Sorry I can’t be of more help,

  9. Monte

    Hi Ben,
    Nice library! I am new in iLO and need to customize the Organization name in the certificate request. Do you know how this can be done?
    Thank you,
    Monte

    1. Ben Post author

      Hi Monte,
      This can only be done on iLO 2 devices using firmware 2.06 or later from my last read. From there, if you download the HP sample scripts (see my useful links page) you will find a set_CSR_Custom.xml file you can edit and use.

      Hope this helps!

      1. Sven

        Hi,
        As you might have read, I was also complaining about that at the beginning of the year. After I realised that there is no way to script this, I opened a case for that at HP. This case was open for several weeks and was then closed with the “solution” that this is not possible in the current firmware with iLO3 and may be implemented in a later firmware.

        On October 26th, the new firmware (1.50) for iLO3 was released, and also the new Windows Scripting Samples (4.1).
        And I was really happy to see, that they implemented that Function now for iLO3 FW 1.50 and iLO4 FW 1.10.
        The Certificate_Signing_Request Tag has now several parameters to configure the subject.
        So it is a different syntax than for iLO2, but it is the same for iLO3 and 4. So it is quite scriptable 🙂

        Hope this helped.
        Greetings From Germany, again 🙂

      2. Ben Post author

        Thanks for the reminder Sven! I haven’t really had my space in configuring iLOs for a while now, so it’s easy for me to forget things 🙂

  10. Paul Phillips

    Ben,
    I’m looking to do this for Dell iDRAC cards (like the ILO). Would like to examine your script to munge it for the iDRAC but it does not download. A little help?

    Thanks
    Xanderphillips

    1. Ben Post author

      Hi Paul,
      I just looked then and it appeared to download ok? 🙂 If writing this code for the iDRAC is anything like for HP iLOs, it’s going to be a world of pain…errr….fun 🙂

      Good luck 🙂

  11. marek

    HI!

    i have problem with generating currentcsr.txt could you help?

    my output:

    [verbose] Deleting currentcert.cer
    Remove-Item : Cannot find path ‘C:\test\currentcert.cer’ because it does not exist.
    At C:\test\ilOSSLEnroll.ps1:110 char:2
    + Remove-Item currentcert.cer
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (C:\test\currentcert.cer:String) [Remove-Item], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.RemoveItemCommand

    [verbose] Signing CSR for ilofap00002
    [verbose] Generating RIBCL for Certificate Install
    Get-Content : Cannot find path ‘C:\test\currentcert.cer’ because it does not exist.
    At C:\test\ilOSSLEnroll.ps1:114 char:17
    + $certificate = Get-Content currentcert.cer |out-string | foreach {$_ + "`r`n" }
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (C:\test\currentcert.cer:String) [Get-Content], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand

    [verbose] Installing Certificate
    [verbose] ----------------------------------------------------------------------

  12. Ben Post author

    Hi Marek,
    Script Bug – not checking to see if the file exists or not. 🙂 just create the file ‘C:\test\currentcert.cer’ and run the script.
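    Two things the thread above keeps coming back to are worth seeing in code: how currentcsr.txt is produced by pulling the CSR out of cpqlocfg.exe’s RIBCL output (Ben’s reply to Joe, and Joe’s sample output), and the crash Marek hit when currentcert.cer is deleted or read without first checking that it exists. The PowerShell below is an added example written for this page; it is not Ben’s script and not HP code. It assumes the cpqlocfg output wraps a PEM block in a CERTIFICATE_SIGNING_REQUEST tag, as the comments describe; the sample output and the work-file names are constructed to match the post, the CSR body is a placeholder, and the certreq line for the MS CA is shown only as a comment with placeholder CA and template names.

```powershell
# Added example, not the original iLOSSLEnroll.ps1: extract the CSR that cpqlocfg.exe
# returns and handle the work files defensively so a missing file stops the run cleanly.

function Get-CsrFromRibclOutput {
    param([Parameter(Mandatory)][string]$RibclOutput)
    # Keep only the PEM block; the RIBCL XML and the cpqlocfg status line are dropped.
    $pattern = '(?s)-----BEGIN CERTIFICATE REQUEST-----.*?-----END CERTIFICATE REQUEST-----'
    $m = [regex]::Match($RibclOutput, $pattern)
    if (-not $m.Success) {
        # This is the failure Ben describes: no CERTIFICATE_SIGNING_REQUEST block came back,
        # typically a login problem or a firmware that does not support the call.
        throw 'cpqlocfg output did not contain a CERTIFICATE_SIGNING_REQUEST block'
    }
    # Strip per-line indentation left by the XML and normalise line endings.
    ($m.Value -split "`r?`n" | ForEach-Object { $_.Trim() }) -join "`r`n"
}

function Remove-WorkFile {
    param([Parameter(Mandatory)][string]$Path)
    # Delete a stale work file only when it exists; Remove-Item on a missing path is
    # exactly the ObjectNotFound error shown in Marek's output.
    if (Test-Path -LiteralPath $Path) {
        Remove-Item -LiteralPath $Path -Force
        Write-Verbose "Deleted $Path"
    }
}

function Test-SignedCertificate {
    param([Parameter(Mandatory)][string]$Path)
    # Only build the install RIBCL if the CA actually produced a PEM certificate;
    # this is the check the original script lacked before its Get-Content call.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $pem = Get-Content -LiteralPath $Path -Raw
    return [bool]($pem -match '-----BEGIN CERTIFICATE-----')
}

# Constructed sample of what cpqlocfg.exe prints (CSR body is a placeholder).
$sampleOutput = @"
<?xml version="1.0"?>
<RIBCL VERSION="2.22">
<RESPONSE STATUS="0x0000" MESSAGE='No error' />
<CERTIFICATE_SIGNING_REQUEST>
-----BEGIN CERTIFICATE REQUEST-----
MIIBplaceholderCSRdataNotARealRequest
-----END CERTIFICATE REQUEST-----
</CERTIFICATE_SIGNING_REQUEST>
</RIBCL>
cpqlocfg.exe: Script succeeded on "ilohostname:443"
"@

$workDir  = Join-Path $env:TEMP 'ilo-enroll-example'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$csrPath  = Join-Path $workDir 'currentcsr.txt'
$certPath = Join-Path $workDir 'currentcert.cer'

# Clear the previous run's certificate first so a failed signing never re-uploads it.
Remove-WorkFile -Path $certPath

# Write the CSR the way the script expects it: plain PEM, no XML around it.
Get-CsrFromRibclOutput -RibclOutput $sampleOutput |
    Set-Content -LiteralPath $csrPath -Encoding ASCII

# At this point the real script would submit the CSR to the Microsoft CA, e.g.
#   certreq -submit -config "CAHOST\CAName" -attrib "CertificateTemplate:WebServer" $csrPath $certPath
# (CAHOST\CAName and the template name are placeholders, not values from the post.)

if (Test-SignedCertificate -Path $certPath) {
    "Signed certificate present at $certPath; safe to build the certificate-install RIBCL"
} else {
    "No signed certificate at $certPath; skipping install for this iLO"
}
```

    Run it with -Verbose to see the deletion message; on a clean directory Remove-WorkFile is a no-op rather than an error, and because the sample run never calls the CA the final branch reports that no certificate was found instead of failing on Get-Content, which is the behaviour the thread asks for.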

  13. Scott Butler

    Any chance it might be possible to upload a CSR to iLO?

    Having 400, I would rather not manage an extra 400 certs. I would like to use a wildcard SAN cert of…

    CN=iLO.mydomain.com
    Subject Alternative Names…
    DNS=*.mydomain.com

    Ideally I would create one CSR and one Cert and then use that single cert on all the servers. The SAN wildcard would then match the name for all the iLO cards.

    But, it seems that a CSR is generated for each card and when I import the SAN cert it gives an error about the Private Key not matching on the CSR.

    Any help would be greatly appreciated,
    Scott

    1. Ben Post author

      Hi Scott,

      I wish 🙂 This was one of the first things I looked at when I started doing the SSL signing for the iLOs. As far as I am aware, all the iLO versions will not accept wildcard certificates – as you say it will complain about the private key not matching.

      Sorry 🙂
      Ben

      1. Scott Butler

        I have had no issue with the wildcard as long as the Subject CN is a FQDN and then the Subject Alternative Names can be wildcards. That works fine on the first iLO, but when I export and import the cert to a new iLO it does not match the CSR on that card. Nor will it let you upload the CSR or cert with the Private Key included.

        They likely left it that way on purpose so that every card must have a matching named cert for security purposes.

        Nice stuff you have though, thanks
        Scott
