HPE C7000 Blade Chassis SSL Certificate Replacement

The SSL/TLS certificates on my HPE (Hewlett Packard Enterprise) C7000 blade chassis expired this week and therefore required replacing. I’m a strong believer in always replacing certificates with valid ones generated by a certificate authority (CA). In my mind there isn’t much excuse in a business to not have an internal CA for this sort of thing. In this post I’ll cover the steps required to replace a certificate on the C7000 Onboard Administrator (OA). The replacement can be completed in a number of ways – I’ll demonstrate via the OA web interface and also provide an example for the command line method.

 

Replace via Web Interface

As you can see in the screenshot below the certificate has expired resulting in the red warning bar –

Certificate Warning


Once logged onto the active OA navigate to the Certificate Administration menu which can be found as follows – Enclosure Information –> Active Onboard Administrator –> Certificate Administration.

Certificate Administration

 

The initial page will display information about the current certificate. Clicking on the ‘Certificate Request’ tab will present us with a page where we can either generate a new self-signed certificate or create a certificate request (CSR – certificate signing request) which is then submitted to a certificate authority (CA) for processing. In this instance we want to create a new CSR for submission.

Generate a certificate-signing request (CSR)

 

The next step is to populate the required fields along with any optional fields, such as alternative names for the certificate, known as Subject Alternative Names (SAN). If you connect to a system with an alias it’s important to add that alias to the certificate, otherwise you will get a certificate error.

Generate a certificate-signing request (CSR) - Required Information

 

Once all the necessary information is populated click ‘Apply’ and the system will generate the CSR which takes the form of a base64 encoded request. The simplest thing is to copy all of this text into a text file for submission to the CA.

Certificate Signing Request base64 encoded

 

The next steps depend very much on what type of certificate authority you are using or submitting to so I will simply provide an example of submitting to a Microsoft CA running in my Active Directory domain. In this instance I’m leveraging the certreq command as below.

 

Open CSR request file

 

Having selected the file I am asked which CA I want to submit the request to – this is because (in my case) I am in an Active Directory forest with many other organisations, each of which runs a CA. Obviously select the appropriate CA and all being well it will ask you to save the returned certificate.

Select Certificate Authority

Save Certificate

 

Now that we have our certificate it’s time to upload to the blade chassis – open the file in a text editor and then paste into the ‘Certificate Upload’ window and click ‘Upload’. The OA will warn that this action replaces the existing certificate and will also reset the OA.

Open Certificate In Text Editor

Paste Certificate Data Into Upload Window

OA Warning

 

Having left the chassis for a minute or two for the OA to come back online I checked the connection and the webpage no longer presented an error.

Certificate Replaced - No Warnings or Errors Displayed

 

OK now that we have completed the process via the web interface let’s quickly look at a command line example.

Replace via SSH

SSH to the OA and use the generate certificate request command. Note that if you already have existing data in the fields you can just hit ‘Enter’, assuming you are happy with it. Otherwise you will need to populate each field accordingly. The system will then present you with that data to review before finally providing the CSR text to be copied from the SSH session and submitted to a CA.

 

 


This is just a quick example of the command line method. Of course one could script this and replace the certificates on multiple blade chassis; however, in my case I only had the one chassis in need of updating, so the rest can wait till nearer their expiry.
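For the remaining chassis, and for the earlier point about adding every alias as a SAN, the following is an added example (not part of the original post and not HPE code) that audits a certificate for days until expiry and for names that the SAN list does not cover. The host names, IP address and dates are constructed; the certificate dictionary is assumed to be in the shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ssl
from datetime import datetime, timezone
from ipaddress import ip_address

def dns_match(pattern, host):
    """Compare a SAN dNSName with a host name; '*' may only stand for the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        label, _, rest = h.partition(".")
        return bool(label) and rest == p[2:]
    return p == h

def audit_cert(cert, names_used, now, warn_days=30):
    """cert: dict shaped like the result of ssl.SSLSocket.getpeercert().
    names_used: every host name, alias or IP people type to reach the OA.
    Only SAN entries are checked; the subject CN is deliberately not a fallback."""
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])
    not_after = datetime.fromtimestamp(expiry, tz=timezone.utc)
    days_left = (not_after - now).days
    sans = cert.get("subjectAltName", ())
    dns = [v for k, v in sans if k == "DNS"]
    ips = {ip_address(v.strip()) for k, v in sans if k == "IP Address"}
    uncovered = []
    for name in names_used:
        try:
            ok = ip_address(name) in ips  # a literal IP needs an IP SAN
        except ValueError:
            ok = any(dns_match(p, name) for p in dns)
        if not ok:
            uncovered.append(name)
    return {"days_left": days_left, "renew": days_left <= warn_days,
            "uncovered": uncovered}

# Constructed sample data (hypothetical names, address and dates).
SAMPLE_CERT = {
    "subject": ((("commonName", "c7000-oa1.example.internal"),),),
    "notAfter": "Jun 15 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "c7000-oa1.example.internal"),
                       ("IP Address", "10.0.0.5")),
}
SAMPLE_NAMES = ["c7000-oa1.example.internal", "chassis1.example.internal",
                "c7000-oa1", "10.0.0.5"]
SAMPLE_NOW = datetime(2025, 6, 1, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(audit_cert(SAMPLE_CERT, SAMPLE_NAMES, SAMPLE_NOW))
```

Any name reported under `uncovered` is one to add as an alternative name on the Certificate Request tab before generating the next CSR.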

If you have any questions or suggestions please feel free to drop a comment below – hopefully this has been useful.
