The SSL/TLS certificates on my HPE (Hewlett Packard Enterprise) C7000 blade chassis expired this week and therefore needed replacing. I'm a strong believer in always replacing certificates with valid ones issued by a certificate authority (CA) rather than falling back to self-signed ones that every client has to be taught to trust. In my mind there isn't much excuse for a business not to have an internal CA for this sort of thing. In this post I'll cover the steps required to replace the certificate on the C7000 Onboard Administrator (OA). The replacement can be completed in a number of ways; I'll demonstrate it via the OA web interface and also provide an example of the command line method.
Replace via Web Interface
As the screenshot below shows, the certificate has expired, which is why the OA presents the red warning bar.
Once logged onto the active OA navigate to the Certificate Administration menu which can be found as follows – Enclosure Information –> Active Onboard Administrator –> Certificate Administration.
The initial page will display information about the current certificate. Clicking on the ‘Certificate Request’ tab will present us with a page where we can either generate a new self-signed certificate or create a certificate request (CSR – certificate signing request) which is then submitted to a certificate authority (CA) for processing. In this instance we want to create a new CSR for submission.
The next step is to populate the required fields along with any optional ones, in particular the alternative names for the certificate, also known as Subject Alternative Names (SAN). Modern browsers and TLS libraries match the hostname against the SAN list, not the Common Name, so every name you use to reach the OA (short name, fully qualified name and, if you browse to it by address, the IP) must appear there; if you connect to the system with an alias that is missing from the SAN you will get a certificate error even though the certificate is otherwise valid. IP addresses belong in IP entries rather than DNS entries.
Once all the necessary information is populated click 'Apply' and the system will generate the CSR, which takes the form of a Base64-encoded (PEM) request. The simplest thing is to copy all of this text, including the BEGIN and END lines, into a text file for submission to the CA.
The next steps depend very much on what type of certificate authority you are using or submitting to so I will simply provide an example of submitting to a Microsoft CA running in my Active Directory domain. In this instance I’m leveraging the certreq command as below.
certreq -attrib "CertificateTemplate:BSA-WebServer"
Having selected the file I am asked which CA I want to submit the request to; this is because (in my case) I am in an Active Directory forest shared with many other organisations, each of which runs a CA (the -config option of certreq lets you name the CA up front and skip this dialog). Obviously select the appropriate CA and, all being well, it will ask you to save the returned certificate.
Now that we have our certificate it's time to upload it to the blade chassis: open the file in a text editor, paste the contents into the 'Certificate Upload' window and click 'Upload'. The OA will warn that this action replaces the existing certificate and will also reset the OA, so expect to lose management access for a short while; the server blades themselves are unaffected by an OA reset.
Having left the chassis for a minute or two for the OA to come back online I checked the connection and the webpage no longer presented an error. Beyond the absence of a browser warning it is worth confirming that the presented certificate chains to your internal CA and that the SAN list contains every name you use to reach the OA.
OK now that we have completed the process via the web interface let’s quickly look at a command line example.
Replace via SSH
SSH to the OA and use the generate certificate request command. Note that if the fields already contain existing data you can just hit 'Enter' to keep each value, assuming you are happy with it; otherwise populate each field accordingly. The system will then present the data for review before finally providing the CSR text, which you copy from the SSH session and submit to a CA exactly as in the web method.
WARNING: This is a private system. Do not attempt to login unless you are an
authorized user. Any authorized or unauthorized access and use may be moni-
tored and can result in criminal or civil prosecution under applicable law.
Firmware Version: 4.50
Built: 07/24/2015 @ 04:06
OA Bay Number: 1
OA Role: Active
HP BladeSystem Onboard Administrator
(C) Copyright 2006-2015 Hewlett-Packard Development Company, L.P.
Type 'HELP' to display a list of valid commands.
Type 'HELP <command>' to display detailed information about a specific command.
Type 'HELP HELP' to display more detailed information about the help system.
BSA-SPC7K2-OA1> generate certificate request
Enter certificate data for Onboard Administrator #1
Current values are displayed between the [].
To remove the current value enter a single '.' character.
OA Name (CN): [BSA-SPC7K2.ByteSizedAlex.com]
Alternative Name: [DNS:BSA-SPC7K2,DNS:BSA-SPC7K2.ByteSizedAlex.com,DNS:10.135.36.150,IP:10.135.36.150]
Organization (O): [ByteSizedAlex]
City or Locality (L): [Preston]
State or Province (S): [Lancashire]
Country (C): [GB]
Organizational Unit (OU) (optional): [IT Services]
Contact Person (optional): 
Contact Email Address (optional): [IT.Helpdesk@ByteSizedAlex.com]
Surname (optional): 
Given Name (optional): 
Initials (optional): 
DN Qualifier (optional): 
Challenge Password (optional):
Unstructured Name (optional): 
Please review the certificate data:
OA Name (CN): BSA-SPC7K2.ByteSizedAlex.com
Alternative Name: DNS:BSA-SPC7K2,DNS:BSA-SPC7K2.ByteSizedAlex.com,DNS:10.135.36.150,IP:10.135.36.150
Organization (O): ByteSizedAlex
City or Locality (L): Preston
State or Province (S): Lancashire
Country (C): GB
Organizational Unit (OU) (optional): IT Services
Contact Person (optional):
Contact Email Address (optional): IT.Helpdesk@ByteSizedAlex.com
Given Name (optional):
DN Qualifier (optional):
Unstructured Name (optional):
Do you want to make any changes? (y/n) n
Certificate signing request for Onboard Administrator #1
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
This is just a quick example of the command line method. One could of course script it and replace the certificates on multiple blade chassis in one pass; in my case only the one chassis needed updating, so the rest can wait until nearer their expiry.
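Loading the page in a browser only proves that the one name you typed matched. The script below is an added example written for this post (it is not part of the original post and not an HPE tool) that performs the fuller check in one go: it parses the OA's 'DNS:...,IP:...' Alternative Name syntax shown in the CLI session above, flags IP literals placed in DNS entries (such as the DNS:10.135.36.150 entry above, which is not a valid dNSName and which OpenSSL-based clients ignore when you browse to the address), reports which of the aliases you actually connect with are covered, and, when run against a live OA with your internal CA bundle, verifies the chain and reports the days left before expiry. The OA host, CA bundle path and alias list are command-line arguments you supply; the sample SAN string is copied from the session above and the other inputs are constructed for illustration.

```python
"""Check an Onboard Administrator's certificate against the names used to reach it.

Usage: python oa_certcheck.py <oa-host> <internal-ca.pem> [alias ...]
(host, CA file and aliases are supplied by you; nothing here is OA-specific
beyond the 'TYPE:value,TYPE:value' SAN syntax the OA CLI uses).
"""
import ipaddress
import socket
import ssl
import time

# Constructed sample: the Alternative Name string the OA CLI pre-filled in this post.
SAMPLE_OA_SAN = "DNS:BSA-SPC7K2,DNS:BSA-SPC7K2.ByteSizedAlex.com,DNS:10.135.36.150,IP:10.135.36.150"


def parse_oa_san(value):
    """Parse the OA's 'TYPE:value,TYPE:value' SAN string into (type, value) pairs."""
    entries = []
    for item in value.split(","):
        kind, _, name = item.strip().partition(":")
        if name:
            entries.append((kind.strip().upper(), name.strip()))
    return entries


def _as_ip(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def ip_literals_in_dns_entries(entries):
    """An address such as 10.135.36.150 inside a DNS: entry is not a valid dNSName
    (RFC 5280); strict CAs strip or reject it and OpenSSL only matches IPs against
    IP: entries. Return the offending values so they can be moved to IP: entries."""
    return [name for kind, name in entries if kind == "DNS" and _as_ip(name) is not None]


def _dns_match(pattern, hostname):
    """Case-insensitive dNSName match with a single left-most-label wildcard."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return pattern == hostname


def names_covered(entries, names):
    """For each alias or IP you connect with, report whether the SAN list covers it."""
    result = {}
    for name in names:
        ip = _as_ip(name)
        if ip is not None:
            result[name] = any(kind == "IP" and _as_ip(v) == ip for kind, v in entries)
        else:
            result[name] = any(kind == "DNS" and _dns_match(v, name) for kind, v in entries)
    return result


def san_from_peercert(cert):
    """Convert getpeercert()'s (('DNS', 'x'), ('IP Address', '1.2.3.4')) into OA-style pairs."""
    return [("IP" if kind == "IP Address" else kind.upper(), name)
            for kind, name in cert.get("subjectAltName", ())]


def days_until_expiry(cert, now=None):
    """cert is the dict ssl.SSLSocket.getpeercert() returns; notAfter is OpenSSL text form."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400.0


def fetch_peer_cert(host, port=443, cafile=None, timeout=10):
    """Connect to the OA and return its certificate as a dict. The default context verifies
    the chain against cafile (your internal CA bundle) and the hostname, so an untrusted,
    expired or mis-named certificate raises ssl.SSLCertVerificationError here."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    host, cafile = sys.argv[1], sys.argv[2]
    aliases = sys.argv[3:] or [host]
    cert = fetch_peer_cert(host, cafile=cafile)
    entries = san_from_peercert(cert)
    print("SAN entries:", entries)
    print("days until expiry: %.1f" % days_until_expiry(cert))
    for name, ok in names_covered(entries, aliases).items():
        print("%-45s %s" % (name, "covered" if ok else "NOT covered"))
```

Run the parse and coverage functions against the CSR's Alternative Name string before submitting it, and the live check after the OA has come back from its reset; the connection step uses the same hostname and chain verification a browser does, so a failure there is the same failure your users would see.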
If you have any questions or suggestions please feel free to drop a comment below – hopefully this has been useful.