Create and install a PKI Certificate on HPE iLO.
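#requires -Modules HPEiLOCmdlets
<#
.SYNOPSIS
    Create and install a PKI certificate on one or more HPE iLO management processors.

.DESCRIPTION
    For each iLO FQDN the script:
      1. connects to the iLO with the supplied credential,
      2. on iLO 4 only, refuses to continue when the firmware is older than 2.70,
      3. asks the iLO to generate a certificate signing request (CSR) and polls
         until the CSR is available or -CsrTimeoutSeconds elapses,
      4. optionally re-signs the CSR with certreq.exe -policy so the short host
         name is added as a subject alternative name (SAN),
      5. submits the CSR to the Active Directory Certificate Services CA named by
         -CertificateAuthorityName, requesting -CertificateTemplateName,
      6. imports the issued certificate into the iLO.

    No private key is handled by this script: the CSR is generated on the iLO and
    only the CSR, the optional INF and the issued certificate pass through
    $env:TEMP. Those files are named after a random GUID and are removed when the
    iLO has been processed, whether or not the run succeeded.

.PARAMETER Credential
    iLO account used for Connect-HPEiLO.

.PARAMETER iLOFQDN
    One or more iLO fully qualified domain names; also accepted from the pipeline
    or by property name (alias CommonName). Upper-cased before use and placed in
    the certificate's CommonName.

.PARAMETER IncludeShortNameSAN
    Re-sign the CSR with certreq.exe -policy so that both the short host name and
    the FQDN appear as DNS SANs. Requires a local Enrollment Agent certificate.

.PARAMETER Country
.PARAMETER State
.PARAMETER Locality
.PARAMETER Organization
.PARAMETER OrganizationalUnit
    Subject fields placed in the CSR (aliases C / ST, Province / L, City / O / OU).

.PARAMETER IncludeiLOIP
    Ask the iLO to include its IP address in the CSR.

.PARAMETER CertificateAuthorityName
    CA in certreq -config form, "host\CA name" (alias CA).

.PARAMETER CertificateTemplateName
    AD CS template requested via the CertificateTemplate attribute.

.PARAMETER CsrTimeoutSeconds
    Maximum time to wait for the iLO to produce the CSR before giving up on that
    iLO. Default 600 (constructed default; iLO key generation can take minutes).

.OUTPUTS
    One [PSCustomObject] per iLO with HostName and Result (the iLO's
    StatusInfo.Message from Import-HPEiLOCertificate).

.NOTES
    The iLO session is opened with -DisableCertificateAuthentication because the
    iLO is usually still presenting its factory self-signed certificate at this
    point (installing a CA-issued one is what this script does). The identity of
    the target therefore rests on DNS and the network path, not on TLS.
    A failed connection terminates the whole run; any other failure for one iLO
    aborts the run after that iLO's temp files are removed and its session closed.
#>
[CmdletBinding()]
[OutputType([PSCustomObject])]
param (
    [Parameter(Mandatory = $true)]
    [PSCredential]
    $Credential,

    [Parameter(
        Mandatory = $true,
        ValueFromPipeline = $true,
        ValueFromPipelineByPropertyName = $true
    )]
    [Alias("CommonName")]
    [String[]]
    $iLOFQDN,

    # To use this parameter you must have a local Enrollment Agent certificate
    # to re-sign the CSR. certreq.exe prompts to sign the CSR with a smart card;
    # cancel that prompt. There is currently no known way to auto-select the EA
    # certificate, so you have to press 'OK' on the selection prompt.
    [Parameter()]
    [Switch]
    $IncludeShortNameSAN,

    [Parameter()]
    [Alias("C")]
    [String]
    $Country = "US",

    [Parameter()]
    [Alias("ST", "Province")]
    [String]
    $State = "Michigan",

    [Parameter()]
    [Alias("L", "City")]
    [String]
    $Locality = "Grand Rapids",

    [Parameter()]
    [Alias("O")]
    [String]
    $Organization = "Stark Industries",

    [Parameter()]
    [Alias("OU")]
    [String]
    $OrganizationalUnit = "IT",

    [Parameter()]
    [Switch]
    $IncludeiLOIP,

    [Parameter()]
    [Alias("CA")]
    [String]
    $CertificateAuthorityName = "ca.my.org\ca",

    [Parameter()]
    [String]
    $CertificateTemplateName = "WebServer",

    [Parameter()]
    [ValidateRange(1, [Int]::MaxValue)]
    [Int]
    $CsrTimeoutSeconds = 600
)

process {
    foreach ($ilo in $iLOFQDN.ToUpper()) {
        $connection = $null
        try {
            # See .NOTES for why certificate authentication is disabled here.
            $connection = Connect-HPEiLO -IP $ilo -Credential $Credential -DisableCertificateAuthentication -ErrorAction Stop
        } catch {
            # Re-raise the original ErrorRecord; nothing after this line runs.
            $PSCmdlet.ThrowTerminatingError($_)
        }

        # All temp files for this iLO share a random GUID prefix so the cleanup
        # below can match them and concurrent runs cannot collide.
        $guid = (New-Guid).Guid
        $csrOutputPath = Join-Path -Path $env:TEMP -ChildPath "${guid}.csr"
        $pemOutputPath = Join-Path -Path $env:TEMP -ChildPath "${guid}.pem"

        try {
            # Only iLO 4 has the 2.70 floor. iLO 5 (and newer generations) number
            # their firmware differently, so they must not be compared against it.
            $firmware = Get-HPEiLOFirmwareVersion -Connection $connection
            if ($firmware.ManagerType -eq "iLO 4" -and [Version]$firmware.FirmwareVersion -lt [Version]"2.70") {
                throw "The HPE iLO Firmware needs to be updated to continue."
            }

            $csrParameters = @{
                Connection         = $connection
                Country            = $Country
                State              = $State
                City               = $Locality
                Organization       = $Organization
                OrganizationalUnit = $OrganizationalUnit
                CommonName         = $ilo
            }
            if ($IncludeiLOIP.IsPresent) {
                # Splat $true rather than $null: a [switch] coerces $null to
                # $false, which would silently drop the option.
                $csrParameters["IncludeiLOIP"] = $true
            }
            Start-HPEiLOCertificateSigningRequest @csrParameters | Out-Null

            # The iLO generates the CSR asynchronously; poll until it is returned.
            # The deadline keeps an unresponsive iLO from hanging the run forever.
            $deadline = (Get-Date).AddSeconds($CsrTimeoutSeconds)
            $csr = $null
            while ([String]::IsNullOrEmpty($csr)) {
                $csr = Get-HPEiLOCertificateSigningRequest -Connection $connection |
                    Select-Object -ExpandProperty CertificateSigningRequest
                if ([String]::IsNullOrEmpty($csr)) {
                    if ((Get-Date) -gt $deadline) {
                        throw "Timed out after ${CsrTimeoutSeconds}s waiting for ${ilo} to produce a certificate signing request."
                    }
                    Start-Sleep -Seconds 5
                }
            }
            Out-File -FilePath $csrOutputPath -InputObject $csr -Encoding ascii

            if ($IncludeShortNameSAN.IsPresent) {
                $shortName = $ilo.Split(".")[0]
                # certreq INF: 2.5.29.17 is the subjectAltName OID; in the {text}
                # form the '&' separates SAN entries across _continue_ lines.
                $infInputObject = "[Extensions]`r`n2.5.29.17 = `"{text}`"`r`n_continue_ = `"DNS=${shortName}&`"`r`n_continue_ = `"DNS=${ilo}`""
                $infOutputPath = Join-Path -Path $env:TEMP -ChildPath "${guid}.inf"
                Out-File -FilePath $infOutputPath -InputObject $infInputObject -Encoding ascii
                $csrOutputPathResigned = Join-Path -Path $env:TEMP -ChildPath "${guid}_resigned.csr"
                certreq.exe -policy $csrOutputPath $infOutputPath $csrOutputPathResigned
                # certreq.exe is a native command: its failure does not throw, so
                # check the exit code and that the re-signed CSR actually exists.
                if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $csrOutputPathResigned)) {
                    throw "certreq.exe -policy failed (exit code ${LASTEXITCODE}) for ${ilo}; the CSR was not re-signed."
                }
                $csrOutputPath = $csrOutputPathResigned
            }

            certreq.exe -config $CertificateAuthorityName -submit -attrib "CertificateTemplate:${CertificateTemplateName}" $csrOutputPath $pemOutputPath |
                Out-Null
            # No PEM file means no certificate was issued (e.g. the CA may have
            # held the request for approval); stop before importing nothing.
            if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $pemOutputPath)) {
                throw "certreq.exe -submit failed (exit code ${LASTEXITCODE}) for ${ilo}; no certificate was returned by ${CertificateAuthorityName}."
            }

            $certificate = Get-Content -Path $pemOutputPath -Raw
            $response = Import-HPEiLOCertificate -Connection $connection -Certificate "$certificate"
            [PSCustomObject]@{
                HostName = $ilo
                Result   = $response.StatusInfo.Message
            }
        } finally {
            # Runs on success and on any throw above: remove this iLO's temp
            # files and close the session so neither leaks past a failure.
            Get-ChildItem -Path $env:TEMP -Filter "${guid}*" |
                Remove-Item -Force -Confirm:$false -ErrorAction SilentlyContinue
            Disconnect-HPEiLO -Connection $connection
        }
    }
}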
Hello,
In the Remove-Item statement for $pemOutputPath, the -Filter parameter was used rather than -Force, which was clearly the intent given the preceding Remove-Item for $csrOutputPath. That's tab completion for you; hard to catch without a fresh set of eyes.
Thanks for making this public for all of us HPE admins out there, it's much appreciated!