iLO certificates

HPE OneView treats the default certificate for HPE Integrated Lights-Out (iLO) as a self-signed certificate. This certificate is added to the HPE OneView trust store and treated as a leaf certificate. The iLO certificate is signed by a certificate authority internal to Hewlett Packard Enterprise, namely 'iLO Default Issuer (Do not trust)'. This name warns users of the danger of trusting self-signed certificates and encourages them to move to PKI-based certificates.

The iLO has limited space for storing certificates. When using CA-signed certificates, the iLO does not present HPE OneView with a chain of intermediate certificates during the TLS handshake. To establish proper HTTPS connections, the intermediates must be present in the HPE OneView trust store, along with the CA root.

iLO 4 has a Customer Advisory for an issue where the default self-signed certificate is expired by default. In this case, the Valid from date of the certificate is later than the Valid to date. The advisory describes the steps required to upgrade the iLO firmware and fix the certificate.

The Security > Certificates screen allows the administrator to control whether to skip the expiration check for self-signed certificates. This option allows the administrator to manage iLOs securely while working to address the expiration issues.

The issue can occur on iLO versions mentioned in this advisory.
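As an added example (not HPE code), the following Python function triages parsed certificate fields for the two conditions described above: the default issuer name, and a Valid from date that is later than the Valid to date. It assumes the fields are in the dict form used by Python's `ssl` module; the function names, finding labels and sample certificates are constructed for illustration.

```python
import ssl
from calendar import timegm

DEFAULT_ISSUER_CN = "iLO Default Issuer (Do not trust)"  # issuer name quoted above

def common_name(rdns):
    """Return the commonName from an issuer in ssl.getpeercert() dict form."""
    for rdn in rdns:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def triage_ilo_cert(cert, now):
    """Return sorted findings for one parsed certificate (hypothetical helper).

    cert: dict with 'issuer', 'notBefore', 'notAfter' in ssl-module form
    now:  seconds since the epoch, UTC
    """
    findings = set()
    if common_name(cert.get("issuer", ())) == DEFAULT_ISSUER_CN:
        findings.add("default-ilo-certificate")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_before > not_after:
        # Valid from is later than Valid to: the advisory case, never valid.
        findings.add("inverted-validity")
    elif now > not_after:
        findings.add("expired")
    elif now < not_before:
        findings.add("not-yet-valid")
    return sorted(findings)

# Constructed sample data, not taken from any real iLO.
NOW = timegm((2024, 1, 1, 0, 0, 0))
DEFAULT = ((("commonName", DEFAULT_ISSUER_CN),),)
SAMPLE_INVERTED = {"issuer": DEFAULT,
                   "notBefore": "Jan  1 00:00:00 2020 GMT",
                   "notAfter": "Jan  1 00:00:00 2005 GMT"}
SAMPLE_EXPIRED = {"issuer": DEFAULT,
                  "notBefore": "Jan  1 00:00:00 2010 GMT",
                  "notAfter": "Jan  1 00:00:00 2020 GMT"}
SAMPLE_CA_SIGNED = {"issuer": ((("commonName", "Example Issuing CA"),),),
                    "notBefore": "Jun 15 12:00:00 2023 GMT",
                    "notAfter": "Jun 15 12:00:00 2026 GMT"}

if __name__ == "__main__":
    for cert in (SAMPLE_INVERTED, SAMPLE_EXPIRED, SAMPLE_CA_SIGNED):
        print(triage_ilo_cert(cert, NOW))
```

Python's `getpeercert()` only fills this dict for a certificate that passed validation, so for an untrusted default certificate the fields have to come from another decoder.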

NOTE:

When the system boots up for the first time, the iLO creates a default self-signed certificate. This certificate does not change unless you change the iLO hostname or load a CA-signed certificate.