Comware

  • 1.  SSL certificate config on Comware v7

    Posted Oct 07, 2016 08:59 AM

    Looking here it should be easy:

    http://hpnetworkers.blogspot.co.uk/2012/02/hp-series-h3c-comware-https-howto-with.html

    I do NOT want to use the default generated certificate for https!

    So I follow the instructions & eventually request certificate, but get error:

    [HPE5900-SR1]pki request-certificate domain **********
    Certificate request failed: No key pair specified for the PKI domain.

    Anybody has instructions that will work?

    Seb


    #certificate


  • 2.  RE: SSL certificate config on Comware v7

    Posted Oct 20, 2016 11:13 AM

    I have a case opened with

    GSD_GSC_Case_Mgmt_Prod <gsd_csc_case_mngmt@hpe.com>

    for the second week, with no solution.

    Managed to get certificate issued by local MS ADCA, but that was Network Device Enrollment Service (NDES) certificate which DOES NOT work for HTTPS.

    What was required:

    public-key rsa general name xxx length 2048

    pki request-certificate domain "domain-name" password "password"

    (where password is generated by ADCA http://localhost/certsrv/mscep_admin as per https://technet.microsoft.com/en-us/library/cc755273%28v=ws.11%29.aspx )

    Still could not get proper answer how to request proper SSL web server certificate OR how to import wildcard certificate issued by external CA

    Horrendous experience! Horrible support (in UK Level 2) that has NO TEST environment!

    Shame on you HPE!



  • 3.  RE: SSL certificate config on Comware v7

    Posted Nov 04, 2016 07:53 AM

    Eventually had BUG confirmed for BOTH issues by HPE support.

    So maybe in next release...



  • 4.  RE: SSL certificate config on Comware v7

    Posted Jan 27, 2017 10:16 AM

    OK, let me now recap what needs to be done for this to work.

    A plain blank never used SCEP/NDES server will do just fine.

     But one needs to assume that customer might use such server for something else.

     Which was the case in my setup. I use SCEP server to request certificate by Apple iDevices (iPad/iPhone) for wireless network access, using custom template which does NOT have Server Authentication configured.

     Hence the settings on my SCEP server were for the very purpose & created certificate did not work

     To make sure that certificate obtained from SCEP server is good for SSL  one needs to configure correct template in

     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EncryptionTemplate

     Preferably one that has Server Authentication configured

     Good read is here:

    https://blog.warcop.com/2013/06/27/ndes-server-configuration-for-scep-cisco-asa-scep-proxy/

     

    Once that was configured in that way, then a simple set of commands did get the certificate:

     

    pki domain domainA1

    ca identifier NameOfCA

    certificate request url http://EnterpriseCA.domainA1.local/certsrv/mscep/mscep.dll

    certificate request from ra

    certificate request entity hpe5900-sr1

    crl url http://EnterpriseCA.domainA1.local/CertEnroll/whatever_is_configured.crl

    #

    pki entity hpe5900-sr1

    common-name HPE5900.domainA1.local

    country GB

    #

    ssl server-policy domainA1-ssl

    pki-domain domainA1

     

    undo ip https enable

     [HPE5900-pki-domain-domainA1]public-key rsa general name BG length 2048

    quit

     pki retrieve-certificate domain domainA1 ca

     pki request-certificate domain domainA1 password 2A792FF083164D59 (password as obtained from CA http://ndes_server/certsrv/mscep_admin)

     ip https ssl-server-policy domainA1-ssl

     ip https enable
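
Added example, not part of the original posts: a check that a certificate issued through SCEP/NDES actually carries Server Authentication, the property whose absence the last post identifies as the reason the first certificate did not work for HTTPS. It assumes OpenSSL is installed and that a PEM copy of the issued certificate is available; the function names and the self-signed sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Classify a certificate's Extended Key Usage (EKU) for HTTPS use.
# Prints: serverauth   - EKU lists TLS Web Server Authentication
#         missing      - EKU present, Server Authentication absent
#         unrestricted - no EKU extension, so no purpose restriction
eku_status() {   # eku_status <cert.pem>
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    # OpenSSL prints the EKU values on the line after the extension header.
    eku=$(printf '%s\n' "$text" | sed -n '/X509v3 Extended Key Usage/{n;p;}')
    if [ -z "$eku" ]; then
        echo unrestricted
    elif printf '%s' "$eku" | grep -q 'TLS Web Server Authentication'; then
        echo serverauth
    else
        echo missing
    fi
}

# Constructed sample data: a throwaway self-signed certificate with the
# given EKU value (empty string = no EKU extension at all).
make_sample() {   # make_sample <out.pem> <eku-value>
    cfg=$(mktemp)
    {
        printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ext\n'
        printf '[dn]\nCN=HPE5900.domainA1.local\n'
        printf '[ext]\nbasicConstraints=CA:FALSE\n'
        if [ -n "$2" ]; then printf 'extendedKeyUsage=%s\n' "$2"; fi
    } > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -keyout /dev/null -out "$1" 2>/dev/null
    rc=$?
    rm -f "$cfg"
    return $rc
}

# Stand-alone use: sh check_eku.sh issued-cert.pem
if [ "$#" -gt 0 ]; then
    eku_status "$1"
fi
```

A result of "missing" on the certificate obtained from the NDES server points back at the template configured under the MSCEP registry key rather than at the switch configuration.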