Understanding the security features of HPE OneView > Managing certificates from a browser

  

 next

Managing certificates from a browser

A certificate authenticates the appliance over SSL. The certificate contains a public key, and the appliance maintains the corresponding private key, which is uniquely tied to the public key.
[NOTE: ]

NOTE: This section discusses certificate management from the perspective of the browser. For information on how a non-browser client (such as cURL) uses the certificate, see the documentation for that client.

The certificate also contains the name of the appliance, which the SSL client uses to identify the appliance.

The certificate has the following boxes:

  • Common Name (CN)

    This name is required. By default it contains the fully qualified host name of the appliance.

  • Alternative Name

    The name is optional, but Hewlett Packard Enterprise recommends supplying it because it supports multiple names (including IP addresses) to minimize name-mismatch warnings from the browser.

    By default, this name is populated with the fully qualified host name (if DNS is in use), a short host name, and the appliance IP address.
    [NOTE: ]

    NOTE: If you enter Alternative Names, one of them must be your entry for the Common Name.

These names can be changed when you manually create a self-signed certificate or a certificate signing request.

Self-signed certificate

The default certificate generated by the appliance is self-signed; it is not issued by a trusted certificate authority.

By default, browsers do not trust self-signed certificates because they lack prior knowledge of them. The browser displays a warning dialog box; you can use it to examine the content of the self-signed certificate before accepting it.

Using a certificate authority

Use a trusted CA (certificate authority) to simplify certificate trust management; the CA issues certificates that you import. If the browser is configured to trust the CA, certificates signed by the CA are also trusted. A CA can be internal (operated and maintained by your organization) or external (operated and maintained by a third party).

You can import a certificate signed by a CA, and using it instead of the self-signed certificate. The overall steps are as follows:

  1. You generate a CSR (certificate signing request).

  2. You copy the CSR and submit it to the CA, as instructed by the CA.

  3. The CA authenticates the requestor.

  4. The CA sends the certificate to you, as stipulated by the CA.

  5. You import the certificate.

prev

 

up

 next

Appliance access over SSL 

home

 Nonbrowser clients

Copyright © 2013-2016 Hewlett Packard Enterprise Development LP