Created
January 27, 2016 12:26
-
-
Save vMarkusK/002a1ee6a8ca7ba493de to your computer and use it in GitHub Desktop.
HP iLO bulk SSL Generation & Installation via PowerShell
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ############################################################################# | |
| # iLO Bulk SSL Generation & Installation Script | |
| # Written by Ben Short | |
| # Modified by Markus Kraus | |
| # Version 3.1, September 2015 | |
| # | |
| # Released under Creative Commons BY,SA | |
| # http://creativecommons.org.au/learn/licences/ | |
| # | |
| # Script enumerates iLO devices from text file and generates | |
| # CSR to be signed by a Microsoft CA Server. Resulting Certificate | |
| # Installed on iLO | |
| # | |
| # Script requirements | |
| # * HP Powershell cmdlets | |
| # http://www8.hp.com/au/en/products/server-software/product-detail.html?oid=5440657 | |
| # | |
| # Disclaimer: Script Author accepts no responsibility or liability for | |
| # Damages script may cause. Script offered as is. | |
| # | |
| # Changelog: | |
| # 2015-09-01 ver 3.1 (Markus Kraus) | |
| # New - Hostname handling if the FQDN is wrong | |
| # 2014-11-21 ver 3.0 | |
| # New - Rewritten to use HP Powershell Library | |
| # 2012-02-02 Ver 2.0.0 | |
| # New - Rewritten to support iLO PS Library | |
| # Mod - Fixed problems with iLO3 signing from version 1.0 | |
| # | |
| # | |
| ############################################################################## | |
| # Location of iLO Text File | |
| $strTextFileLoc = "ilolist.txt" | |
| # Exclusion List. Sometimes used to deal with | |
| # iLO Intefaces that cause script to hang. | |
| $exclusions = "BADINTERFACE.mydomain.com", "broken.mydomain.com" | |
| #iLO Domain Name | |
| $striLODomain = "yourDomain.loc" | |
| #iLO Administrative Account Details | |
| $striLOUsername = "yourUser" | |
| $striLOPassword = "yourPassword" | |
| # ADCS Server Name | |
| $certificateserver = "yourPKI-yourDomain.loc\yourCA" | |
| $certificatetemplate = "yourTemplate" | |
| #Skipped Hosts | |
| $skippedreport =@() | |
| # Location of Log Folders | |
| $cpqlogfilefolder = "logs" | |
| # Path to Script Location & Support Files | |
| $scriptpath = "C:\Certs\iLOSSL_v2" | |
| # Verbose Output | |
| $verbose = $true | |
| #====================================================================================== | |
| cls | |
| $ilOInterfaces = Get-Content $strTextFileLoc | |
| function Ping-iLO ([string]$iLOHostName) { | |
| $ping = new-object System.Net.NetworkInformation.Ping | |
| try { | |
| $Reply = $ping.send($iLOhostname,500) | |
| } | |
| catch { | |
| return $false | |
| } | |
| if ($Reply.Status -eq "Success") { | |
| return $true | |
| } | |
| } | |
| foreach ($interface in $iLOInterfaces) { | |
| if (Ping-ilo($interface) -and ($exclusions -notcontains $interface)) { | |
| del $scriptpath\current* | |
| $shorthost = $interface.Split(".") | |
| $shorthost = $shorthost[0] | |
| write-output "[logging] Now Running: `t$interface" | |
| $iLOInfo = Get-HPiLOFirmwareVersion -Server $interface -Username $striLOUsername -Password $striLOPassword | |
| if ($verbose -and ($iLOInfo.STATUS_MESSAGE -eq "OK")) { | |
| write-output "[verbose] iLO Processor: `t$($iLOinfo.MANAGEMENT_PROCESSOR)" | |
| write-output "[verbose] iLO Firmware: `t$($iLOinfo.FIRMWARE_VERSION)" | |
| write-output "[verbose] iLO Firmware Date: `t$($iLOinfo.FIRMWARE_DATE)" | |
| } | |
| else { | |
| write-output "[logging] iLO Processor: `tUnknown - skipping" | |
| Write-Output "------------------------------------------------------`n" | |
| $skippedreport += "$interface - Unknown iLO Version" | |
| continue | |
| } | |
| write-output "[logging] iLO Detected: `t$($iLOinfo.MANAGEMENT_PROCESSOR)" | |
| $interfaceNetworking = Get-HPiLONetworkSetting -Server $interface -Username $striLOUsername -Password $striLOPassword | |
| $nethostname = $interfaceNetworking.DNS_NAME + "." + $interfaceNetworking.DOMAIN_NAME | |
| if ($verbose) { | |
| write-output "[verbose] iLO Configured Hostname: $nethostname" | |
| } | |
| if ($interface -eq $nethostname) { | |
| write-output "[logging] iLO Hostname Matches DNS Record! - Getting CSR..." | |
| } | |
| else { | |
| write-output "[logging] iLO Hostname Does Not Match DNS Record! - Updating Value" | |
| Set-HPiLONetworkSetting -Server $interface -Username $striLOUsername -Password $striLOPassword -DNSname $shorthost | |
| Write-Output "[logging] Resetting iLO after DNS Name Update. Script sleeping 120 seconds.." | |
| Start-Sleep -Seconds 120 | |
| $interfaceNetworking = Get-HPiLONetworkSetting -Server $interface -Username $striLOUsername -Password $striLOPassword | |
| $nethostname = $interfaceNetworking.DNS_NAME + "." + $interfaceNetworking.DOMAIN_NAME | |
| write-output "[verbose] NEW iLO Configured Hostname: $nethostname" | |
| Write-Output "------------------------------------------------------`n" | |
| } | |
| $iLOCSR = Get-HPiLOCertificateSigningRequest -Server $interface -Username $striLOUsername -Password $striLOPassword | |
| $gotCSR=$false | |
| while ($gotCSR -eq $false) { | |
| if ($iLOCSR.STATUS_TYPE -eq "OK") { | |
| if ($iLOCSR.CERTIFICATE_SIGNING_REQUEST -ne "") { | |
| $iLOCSR.CERTIFICATE_SIGNING_REQUEST | Out-File $scriptpath\currentcsr.txt -Encoding ascii -Force | |
| Write-Output "[logging] CSR Written to $scriptpath\currentcsr.txt" | |
| $gotCSR=$true | |
| } | |
| else { | |
| Write-Output "[logging] CSR Generation Failed. Skipping..." | |
| Write-Output "------------------------------------------------------`n" | |
| $skippedreport += "$interface - CSR Failed" | |
| continue | |
| } | |
| } | |
| else { | |
| Write-Output "[logging] iLO Generating CSR. Script sleeping 120 seconds.." | |
| Start-Sleep -Seconds 120 | |
| $iLOCSR = Get-HPiLOCertificateSigningRequest -Server $interface -Username $striLOUsername -Password $striLOPassword | |
| } | |
| } | |
| write-output "[logging] Signing Certificate with $certificateserver" | |
| if (Test-Path $scriptpath\currentcert.cer) { | |
| Remove-Item $scriptpath\currentcert.cer | |
| } | |
| certreq.exe -config $certificateserver -attrib "CertificateTemplate:$certificatetemplate" "$scriptpath\currentcsr.txt" "$scriptpath\currentcert.cer" |Out-Null | |
| if (Test-Path $scriptpath\currentcert.cer) { | |
| write-output "[logging] Installing Certificate on iLO" | |
| $certificate = Get-Content "$scriptpath\currentcert.cer" -Raw | |
| Import-HPiLOCertificate -Server $interface -Username $striLOUsername -Password $striLOPassword -Certificate $certificate | |
| } | |
| else { | |
| write-output "[logging] Can't Find Signed Certificate, Skipping..." | |
| $skippedreport += "$interface - Unable to install Signed Cert" | |
| } | |
| Write-Output "------------------------------------------------------`n" | |
| } | |
| else { | |
| write-output "[logging] Interface Unreachable/Excluded, Skipping..." | |
| Write-Output "------------------------------------------------------`n" | |
| $skippedreport += "$interface - Unreachable/Excluded" | |
| } | |
| } | |
| Write-Output "Hosts Skipped:" | |
| Write-Output "------------------------" | |
| $skippedreport | |
| Write-Output "`n" |
Hi,
The generated certificate is depending on the "Get-HPiLOCertificateSigningRequest" Cmdlet, which creates the Signing Request. As I remember, this Cmdlet has the same capability as the iLO 5 UI. Is there an option available to add a SAN?
Uploading a Custom Cert including a private key seems not possible.
So if I put a good certificate with the alternative name it'll work OK with
this beautiful script?
Is that correct?
Thanks
AndyW
…On Tue, 24 Nov 2020, 19:11 Markus Kraus, ***@***.***> wrote:
***@***.**** commented on this gist.
------------------------------
Hi,
The generated certificate is depending on the
"Get-HPiLOCertificateSigningRequest" Cmdlet, which creates the Signing
Request. As I remember, this Cmdlet has the same capability as the iLO 5
UI. Is there an option available to add a SAN?
Uploading a Custom Cert including a private key seems not possible.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<https://gist.github.com/002a1ee6a8ca7ba493de#gistcomment-3539170>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AEBZANQOREDVZJV6VQAYRETSRQAMLANCNFSM4UA2SBIQ>
.
No, it won't. The script is limited to the generated signing request. If the iLO 5 doesn't let you add a SAN you are not able to modify the signing request.
Thanks for the reply. Really appreciate it
…On Thu, 26 Nov 2020, 18:55 Markus Kraus, ***@***.***> wrote:
***@***.**** commented on this gist.
------------------------------
No, it won't. The script is limited to the generated signing request. If
the iLO 5 doesn't let you add a SAN you are not able to modify the signing
request.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<https://gist.github.com/002a1ee6a8ca7ba493de#gistcomment-3541467>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AEBZANRHDZJ7QZYX6FTCBC3SR2QBRANCNFSM4UA2SBIQ>
.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi, I'm running the version from Jan 2011. The certificate is being read but this doesn't have an alternative name (Which Chrome likes). Is there a way to modify the script to add an alternative name to certificates if the existing certificate does not have one. Even just an arbitrary string just so that the alternative name in the certificate is present.
Love the work! Hope you and your family are safe and well.
-ActionParsnip