SSL certificate administration – HP Integrated Lights-Out User Manual
SSL certificate administration
iLO 2 enables you to create a certificate request, import a certificate, and view certificate administration
information associated with a stored certificate. Certificate information is encoded in the certificate by the
CA and is extracted by iLO 2.
By default, iLO 2 creates a self-signed certificate for use in SSL connections. This certificate enables iLO 2
to work without any additional configuration steps. The security features of the iLO 2 can be enhanced by
importing a trusted certificate. For more information on certificates and certificate services, see the
sections "Introduction to certificate services" and "Installing certificate services."
To access certificate information, click Administration>Security>SSL Certificate. The SSL Certificate tab
displays the following information:
• The Issued To field lists the entity to which the certificate was issued.
• The Issued By field lists the CA that issued the certificate.
• The Valid From field lists the first date that the certificate is valid.
• The Valid Until field lists the date that the certificate will expire.
• The Serial Number field lists the serial number assigned to the certificate by the CA.
The following options are available on the SSL Certificate tab:
• Create Certificate Request—Use this button to create a certificate request. When you click this
  button, a CR is created (in PKCS #10 format) that can be sent to a CA. This certificate request is
  Base64-encoded. A CA processes this request and returns a response (X.509 certificate) that can be
  imported into iLO 2.
  The CR contains a public/private key pair that validates communications between the client browser
  and iLO 2. The generated CR is held in memory until a new CR is generated, iLO 2 is reset, or a
  certificate is imported by the generation process. You can generate the CR and copy it to the client
  clipboard, leave the iLO 2 website to retrieve the certificate, and then return to import the certificate.
  When submitting the request to the CA, be sure to perform the following tasks:
  a. Use the iLO 2 name as listed on the System Status screen as the URL for the server.
  b. Request that the certificate is generated in the RAW format.
  c. Include the Begin and End certificate lines.
  Every time you click Create Certificate Request, a new certificate request is generated, even though
  the iLO 2 name is the same.
• Import Certificate—Use this button when you are returning to the Certificate Administration page
  with a certificate to import. Click Import Certificate to go directly to the Certificate Import screen
  without generating a new CR. A certificate only works with the keys generated for the original CR
  from which the certificate was generated. If iLO 2 has been reset, or another CR was generated
  since the original CR was submitted to a CA, then a new CR must be generated and submitted to the
  CA.
You can create a CR or import an existing certificate using RIBCL XML commands. These commands
enable you to script and automate certificate deployment on iLO 2 servers instead of manually deploying
certificates through the browser interface. For more information, see HP Integrated Lights-Out
Management Processor Scripting and Command Line Resource Guide.
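
The Import Certificate rule above (a certificate only works with the keys behind the CR it was issued for) can be checked before importing, which matters most when deployment is scripted. The following Python is an added example, not HP code or part of the manual: it compares the public key (SubjectPublicKeyInfo) in the saved PKCS #10 request with the one in the returned X.509 certificate. The function names and the `sample()` builder are assumptions made for illustration; `sample()` produces constructed, unsigned DER skeletons, not real certificates.

```python
import base64
import re

def pem_to_der(text, label):
    """Decode one PEM block; fails if the BEGIN/END lines were not copied."""
    m = re.search(rf"-----BEGIN ({label})-----(.+?)-----END \1-----", text, re.S)
    if not m:
        raise ValueError("BEGIN/END lines missing or mismatched")
    return base64.b64decode("".join(m.group(2).split()), validate=True)

def tlvs(buf):
    """Split DER bytes into (tag, whole_element, content) tuples."""
    out, i = [], 0
    while i < len(buf):
        tag, n, j = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits = number of length bytes
            k = n & 0x7F
            n, j = int.from_bytes(buf[j:j + k], "big"), j + k
        if j + n > len(buf):
            raise ValueError("truncated DER")
        out.append((tag, buf[i:j + n], buf[j:j + n]))
        i = j + n
    return out

def csr_spki(der):
    info = tlvs(tlvs(der)[0][2])[0][2]           # CertificationRequestInfo
    return tlvs(info)[2][1]                       # version, subject, SPKI

def cert_spki(der):
    fields = tlvs(tlvs(tlvs(der)[0][2])[0][2])    # TBSCertificate fields
    return fields[6 if fields[0][0] == 0xA0 else 5][1]  # [0] version is optional

def cert_matches_request(csr_pem, cert_pem):
    """True only if the certificate carries the public key of this CR."""
    csr = pem_to_der(csr_pem, r"(?:NEW )?CERTIFICATE REQUEST")
    cert = pem_to_der(cert_pem, "CERTIFICATE")
    return csr_spki(csr) == cert_spki(cert)

def sample(kind, key):
    """Constructed, unsigned DER skeleton for the demo; not a real CSR/certificate."""
    d = lambda tag, *p: bytes([tag, len(b"".join(p))]) + b"".join(p)  # short lengths only
    spki = d(0x30, d(0x30), d(0x03, b"\x00" + key))
    if kind == "CERTIFICATE":
        tbs = d(0x30, d(0xA0, d(0x02, b"\x02")), d(0x02, b"\x01"),
                d(0x30), d(0x30), d(0x30), d(0x30), spki)
    else:
        tbs = d(0x30, d(0x02, b"\x00"), d(0x30), spki, d(0xA0))
    body = base64.b64encode(d(0x30, tbs, d(0x30), d(0x03, b"\x00"))).decode()
    return f"-----BEGIN {kind}-----\n{body}\n-----END {kind}-----\n"
```

With real files, pass the saved request text and the CA's reply to `cert_matches_request()`; a `False` result corresponds to the case where a new CR must be generated and submitted to the CA.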