Certificates in HPE OneView
Trusted certificates: All certificates shown on the Manage Certificates screen are trusted by HPE OneView. HPE OneView can communicate securely with any device or server that presents either a certificate held in this trust store or a certificate signed by a CA (root or intermediate CA) whose certificate is held in this trust store.
The certificates shown as trusted comprise:
- Root CA certificates: These certificates are either pre-bundled with HPE OneView or imported by users. You must upload a CRL for a root CA certificate to do revocation checking on certificates signed by that root CA.
- Intermediate CA certificates: These certificates are either pre-bundled with HPE OneView or imported by users. You must upload a CRL for an intermediate CA certificate to do revocation checking on certificates signed by that intermediate CA.
- Leaf-level certificates:
  - Self-signed certificates: These are device certificates that get added to the appliance trust store during automated blind trust. They can also be imported directly by the user or added during device configuration. Unlike CA-signed certificates, self-signed certificates are not subject to host name verification or revocation checks.
  - CA-signed certificates: CA-signed leaf certificates of managed devices or external servers are normally not stored in the appliance trust store. They may be stored, however, during automated blind trust or when a user uses the force trust option to add the leaf certificate to the trust store. A CA-signed leaf certificate in the appliance trust store is treated as a pinned certificate if the CA that signed it is not present in the appliance; trust is then tied to that exact certificate rather than to its issuer. Like self-signed certificates, pinned CA-signed certificates are not subject to host name verification or revocation checks. Once the root or intermediate CA certificate that signed the pinned certificate is imported into the appliance, the certificate is treated as a true CA-signed leaf certificate and becomes subject to host name verification and revocation checks.
Certificates in the trust store can be pre-bundled with HPE OneView, imported automatically by HPE OneView (system) as part of the initial trust established when hardware is discovered and brought under management, or imported by users.
- Pre-bundled Certificates: HPE OneView pre-bundles the following types of certificates:
Internal root CA - Infrastructure Management Certificate Authority: This root CA is bundled out of the box with HPE OneView 4.0 and later. It is required for the internal functioning of the RabbitMQ message bus server within HPE OneView: it signs the RabbitMQ server certificate and the RabbitMQ client certificate. Any external client that uses AMQP to communicate with HPE OneView must import the internal root CA (to validate the RabbitMQ server certificate) and the RabbitMQ client certificate (to authenticate itself to the message bus). The internal root CA and the RabbitMQ certificates are not displayed on the Manage Certificates screen, but are available through the REST API.
NOTE: Starting with HPE OneView 4.0, you can use external CA-signed certificates for the RabbitMQ server certificate and the RabbitMQ client certificate.
- CA certificates required by Remote Support in HPE OneView: When you use the remote support capability within HPE OneView, communication is established from HPE OneView to one or more servers hosted by Hewlett Packard Enterprise (https://api.support.hpe.com). The server certificates of those servers chain to a DigiCert intermediate CA and the DigiCert root CA. HPE OneView pre-bundles the following root and intermediate CA certificates, which are required for secure and trusted communication with the remote support servers:
- DigiCert Root CA - DigiCert Global Root G2
- DigiCert Intermediate CA - DigiCert Global CA G2
X.509 v1 certificates: HPE OneView also supports older X.509 v1 certificates. A v1 certificate carries no extensions, so it has no basicConstraints extension to indicate whether or not it is a CA certificate. When such a v1 certificate is imported into the appliance, it is treated as a CA certificate. Because the imported certificate is then trusted as a CA, any certificate signed with its key is trusted as well, which is one more reason to prefer v3 certificates with explicit basicConstraints.
However, a v1 certificate that already existed in the appliance before an appliance upgrade is considered a leaf certificate. If such a pre-upgrade v1 certificate is meant to be a root certificate, you must delete and re-add it so that it is treated as a root certificate.
Hewlett Packard Enterprise recommends that you replace any such X.509 v1 leaf-level certificates with X.509 v3 leaf-level certificates.
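The trust-store rules above (self-signed versus pinned versus chained CA-signed leaf certificates, and v1 certificates imported as CAs) are easy to get wrong when reasoning about what a given entry actually protects. The following Go program is an added example written for this page, not HPE OneView code, and it models those rules over certificates it generates itself: a classification function that mirrors the page's description, plus a constructed scenario in which a device leaf certificate lands in the store by blind trust before its issuing CA is imported. The host names (ilo.example.internal, switch.example.internal) and CA names are hypothetical, the "Verdict" structure is this example's own abstraction, and because Go's x509.CreateCertificate always emits v3 certificates the v1 branch is present but not exercised by the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdict: how one trust-store entry is treated under the rules on this page.
type Verdict struct {
	Kind            string // "ca", "self-signed leaf", "pinned ca-signed leaf" or "ca-signed leaf"
	HostnameCheck   bool   // subject to host name verification
	RevocationCheck bool   // subject to CRL-based revocation checking
}

// signedBy reports whether issuer's public key verifies cert's signature.
func signedBy(issuer, cert *x509.Certificate) bool {
	return issuer.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}

// Classify decides how a certificate held in the trust store is treated.
func Classify(store []*x509.Certificate, cert *x509.Certificate) Verdict {
	// A v1 certificate has no extensions, so no basicConstraints can say whether
	// it is a CA; the page states an imported v1 certificate is treated as a CA.
	if cert.Version == 1 || cert.IsCA {
		return Verdict{Kind: "ca"} // checks on what it signs also need its CRL uploaded
	}
	if signedBy(cert, cert) {
		return Verdict{Kind: "self-signed leaf"}
	}
	for _, c := range store {
		if !c.Equal(cert) && signedBy(c, cert) {
			return Verdict{Kind: "ca-signed leaf", HostnameCheck: true, RevocationCheck: true}
		}
	}
	// CA-signed, but the signing CA is absent from the store: a pinned certificate.
	return Verdict{Kind: "pinned ca-signed leaf"}
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a throw-away P-256 certificate (constructed test data, not a
// real device certificate). A nil parent means self-signed.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// Scenario models a blind-trust result: a root CA, a device leaf issued by an
// intermediate not yet in the store, and a self-signed device certificate.
func Scenario() map[string]Verdict {
	root, rootKey := newCert("Example Root CA", true, nil, nil)
	inter, interKey := newCert("Example Issuing CA", true, root, rootKey)
	leaf, _ := newCert("ilo.example.internal", false, inter, interKey)
	self, _ := newCert("switch.example.internal", false, nil, nil)
	store := []*x509.Certificate{root, leaf, self}
	out := map[string]Verdict{
		"root":             Classify(store, root),
		"self-signed":      Classify(store, self),
		"leaf, CA missing": Classify(store, leaf),
	}
	store = append(store, inter) // the user imports the issuing CA
	out["leaf, CA imported"] = Classify(store, leaf)
	return out
}

func main() {
	for name, v := range Scenario() {
		fmt.Printf("%-18s %-22s hostname=%-5t revocation=%t\n", name, v.Kind, v.HostnameCheck, v.RevocationCheck)
	}
}
```

The point to take from the run is the leaf's transition: while its issuing CA is absent it is pinned and exempt from host name and revocation checks, and the moment that CA is imported the very same entry starts being checked, so importing a CA can change the behaviour of certificates that were already trusted.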
See Certificate validation criteria for additional details.