HPE C7000 Blade Chassis SSL Certificate Replacement

The SSL/TLS certificates on my HPE (Hewlett Packard Enterprise) C7000 blade chassis expired this week and therefore required replacing. I’m a strong believer in always replacing certificates with valid ones generated by a certificate authority (CA). In my mind there isn’t much excuse in a business to not have an internal CA for this sort of thing. In this post I’ll cover the steps required to replace a certificate on the C7000 Onboard Administrator (OA). The replacement can be completed in a number of ways – I’ll demonstrate via the OA web interface and also provide an example for the command line method.

 

Replace via Web Interface

As you can see in the screenshot below the certificate has expired resulting in the red warning bar –

Certificate Warning


 

Once logged onto the active OA navigate to the Certificate Administration menu which can be found as follows – Enclosure Information –> Active Onboard Administrator –> Certificate Administration.

Certificate Administration

 

The initial page will display information about the current certificate. Clicking on the ‘Certificate Request’ tab will present us with a page where we can either generate a new self-signed certificate or create a certificate request (CSR – certificate signing request) which is then submitted to a certificate authority (CA) for processing. In this instance we want to create a new CSR for submission.

Generate a certificate-signing request (CSR)

 

The next step is to populate the required fields along with any optional fields, such as alternative names for the certificate, also known as Subject Alternative Names (SAN). If you connect to a system with an alias it’s important to add that alias to the certificate, otherwise you will get a certificate error.

Generate a certificate-signing request (CSR) - Required Information

 

Once all the necessary information is populated click ‘Apply’ and the system will generate the CSR which takes the form of a base64 encoded request. The simplest thing is to copy all of this text into a text file for submission to the CA.

Certificate Signing Request base64 encoded

 

The next steps depend very much on what type of certificate authority you are using or submitting to so I will simply provide an example of submitting to a Microsoft CA running in my Active Directory domain. In this instance I’m leveraging the certreq command as below.

certreq -attrib "CertificateTemplate:BSA-WebServer"

 

Open CSR request file

 

Having selected the file I am asked which CA I want to submit the request to – this is because (in my case) I am in an Active Directory forest with many other organisations, each of which runs a CA. Obviously select the appropriate CA and all being well it will ask you to save the returned certificate.

Select Certificate Authority

Save Certificate

 

Now that we have our certificate it’s time to upload to the blade chassis – open the file in a text editor and then paste into the ‘Certificate Upload’ window and click ‘Upload’. The OA will warn that this action replaces the existing certificate and will also reset the OA.

Open Certificate In Text Editor

Paste Certificate Data Into Upload Window

OA Warning

 

Having left the chassis for a minute or two for the OA to come back online I checked the connection and the webpage no longer presented an error.

Certificate Replaced - No Warnings or Errors Displayed

 

OK now that we have completed the process via the web interface let’s quickly look at a command line example.

Replace via SSH

SSH to the OA and use the generate certificate request command. Note that if you already have existing data in the fields you can just hit ‘Enter’, assuming you are happy with it. Otherwise you will need to populate each field accordingly. The system will then present you with that data to review before finally providing the CSR text to be copied from the SSH session and submitted to a CA.

 

-----------------------------------------------------------------------------
WARNING: This is a private system.  Do not attempt to login unless you are an
authorized user.  Any authorized or unauthorized access and use may be moni-
tored and can result in criminal or civil prosecution under applicable law.
-----------------------------------------------------------------------------

Firmware Version: 4.50
Built: 07/24/2015 @ 04:06
OA Bay Number:  1 
OA Role:        Active



HP BladeSystem Onboard Administrator
(C) Copyright 2006-2015 Hewlett-Packard Development Company, L.P.


Type 'HELP' to display a list of valid commands.
Type 'HELP <command>' to display detailed information about a specific command.
Type 'HELP HELP' to display more detailed information about the help system.


BSA-SPC7K2-OA1> generate certificate request 
Enter certificate data for Onboard Administrator #1

Current values are displayed between the [].
To remove the current value enter a single '.' character.

OA Name (CN):  [BSA-SPC7K2.ByteSizedAlex.com] 
Alternative Name:  [DNS:BSA-SPC7K2,DNS:BSA-SPC7K2.ByteSizedAlex.com,DNS:10.135.36.150,IP:10.135.36.150] 
Organization (O):  [ByteSizedAlex] 
City or Locality (L):  [Preston] 
State or Province (S):  [Lancashire] 
Country (C):  [GB] 
Organizational Unit (OU) (optional):  [IT Services] 
Contact Person (optional):  [] 
Contact Email Address (optional):  [[email protected]] 
Surname (optional):  [] 
Given Name (optional):  [] 
Initials (optional):  [] 
DN Qualifier (optional):  []

Challenge Password (optional):  
Confirm                      :  
Unstructured Name (optional):  []

Please review the certificate data:

OA Name (CN): BSA-SPC7K2.ByteSizedAlex.com
Alternative Name: DNS:BSA-SPC7K2,DNS:BSA-SPC7K2.ByteSizedAlex.com,DNS:10.135.36.150,IP:10.135.36.150
Organization (O): ByteSizedAlex
City or Locality (L):  Preston
State or Province (S):  Lancashire
Country (C):  GB
Organizational Unit (OU) (optional):  IT Services
Contact Person (optional):  
Contact Email Address (optional): [email protected]
Surname (optional):  
Given Name (optional):  
Initials (optional):  
DN Qualifier (optional):  
Unstructured Name (optional): 

Do you want to make any changes? (y/n) n

Certificate signing request for Onboard Administrator #1
-----BEGIN CERTIFICATE REQUEST-----
[base64-encoded request data]
-----END CERTIFICATE REQUEST-----



BSA-SPC7K2-OA1>
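
Added example (not part of the original post or of HPE's tooling): a Python pre-check that parses an Alternative Name string in the format the OA prompt shows above and lists any name operators connect with that the certificate would not cover. The alias oa-alias is hypothetical and the function names are chosen for this example.

```python
import ipaddress

# Constructed input: the "Alternative Name" value from the OA prompt above.
OA_SAN = ("DNS:BSA-SPC7K2,DNS:BSA-SPC7K2.ByteSizedAlex.com,"
          "DNS:10.135.36.150,IP:10.135.36.150")


def parse_san(value):
    """Split an OA-style 'Alternative Name' string into DNS names and IPs."""
    dns, ips = set(), set()
    for entry in filter(None, (e.strip() for e in value.split(","))):
        kind, sep, name = entry.partition(":")
        if not sep or not name:
            raise ValueError(f"malformed SAN entry: {entry!r}")
        if kind.upper() == "DNS":
            dns.add(name.lower().rstrip("."))
        elif kind.upper() == "IP":
            ips.add(ipaddress.ip_address(name))
        else:
            raise ValueError(f"unsupported SAN type: {entry!r}")
    return dns, ips


def dns_match(host, pattern):
    """Exact match, or a wildcard that covers only the left-most label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def missing_names(san_value, access_names):
    """Return the names operators connect with that the SAN list misses."""
    dns, ips = parse_san(san_value)
    missing = []
    for name in access_names:
        try:
            # IP literals are matched against IP: entries only.
            covered = ipaddress.ip_address(name) in ips
        except ValueError:  # not an IP literal, so compare as a hostname
            host = name.lower().rstrip(".")
            covered = any(dns_match(host, p) for p in dns)
        if not covered:
            missing.append(name)
    return missing


if __name__ == "__main__":
    # "oa-alias" is a hypothetical alias used only for this example.
    used = ["bsa-spc7k2", "10.135.36.150", "oa-alias.ByteSizedAlex.com"]
    print("Not covered by SAN:", missing_names(OA_SAN, used))
```

Run it against the Alternative Name value before answering 'n' at the review prompt, so a missing alias is caught before the CSR goes to the CA.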

 


This is just a quick example of the command line method. Of course one could script this and replace the certificates on multiple blade chassis, however in my case I only had the one chassis in need of updating, so the rest can wait till nearer their expiry.

If you have any questions or suggestions please feel free to drop a comment below – hopefully this has been useful.
