Closed stranger12345678 closed 2 years ago
Hi @stranger12345678
SCP does support importing certs but not signed CA certs. This support though will be coming in a future iDRAC release.
But you can import CA cert for directory service using "ExportImportSSLCertificateREDFISH.py" script. Please review the help text for details (see below in bold, option to import this cert type).
```
C:\Python39>ExportImportSSLCertificateREDFISH.py -h
usage: ExportImportSSLCertificateREDFISH.py [-h] -ip IP -u U -p P [-e E] [-i I] [-sct SCT] [-ct CT] [-scf SCF]

Python script using Redfish API with OEM extension to either export or import SSL certificate locally

positional arguments:
  script_examples  ExportImportSSLCertificateREDFISH.py -ip 192.168.0.120 -u root -p calvin -e y -sct 1", this example will export Web Server Certificate locally
                   - "ExportImportSSLCertificateREDFISH.py -ip 192.168.0.120 -u root -p calvin -i y -ct 4 -scf ssl_cert.pem", this example will import client trust certificate

optional arguments:
  -h, --help  show this help message and exit
  -ip IP      iDRAC IP address
  -u U        iDRAC username
  -p P        iDRAC password
  -e E        Export SSL cert, pass in "y". Argument -sct is also required for export SSL cert
  -i I        Import SSL cert, pass in "y". Argument -ct and -scf is also required for import SSL cert
  -sct SCT    Pass in SSL cert type for export. Supported values are: 1 for "Server"(Web Server Certificate), 2 for "CSC"(Custom Signing Certificate), 3 for "CA"(CA certificate for Directory Service:), 4 for "ClientTrustCertificate"
  -ct CT      Pass in cert type for import. Supported values are: 1 for "Server"(Web Server Certificate), 2 for "CSC"(Custom Signing Certificate), 3 for "CA"(CA certificate for Directory Service), 4 for "ClientTrustCertificate"
  -scf SCF    Pass in the file name which contains the certificate to import. Cert file contents should start with open tag "-----BEGIN CERTIFICATE-----" and end tag "-----END CERTIFICATE-----"
```
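The `-scf` help text above requires the file to start and end with the certificate tags. The following pre-import check is an added example, not part of the Dell script or of the reply: it verifies that framing, rejects a file that also carries a private key, and returns a SHA-256 fingerprint to compare with the one your CA publishes. The function names, the sample bytes and the one-certificate-per-file rule are assumptions of this example.

```python
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)

# Constructed sample: a tiny DER SEQUENCE, not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"


def make_pem(der):
    """Wrap DER bytes in certificate tags (used to build the sample)."""
    return BEGIN + "\n" + base64.encodebytes(der).decode() + END + "\n"


def check_cert_file_text(text):
    """Return (problems, sha256_fingerprints) for the text of a cert file."""
    problems, fingerprints = [], []
    body = text.replace("\r\n", "\n").strip()
    if "PRIVATE KEY-----" in body:
        problems.append("file contains a private key; import the certificate only")
    if not body.startswith(BEGIN):
        problems.append("content does not start with the BEGIN CERTIFICATE tag")
    if not body.endswith(END):
        problems.append("content does not end with the END CERTIFICATE tag")
    blocks = BLOCK.findall(body)
    if len(blocks) > 1:
        # Assumption of this example: one certificate per file.
        problems.append("%d certificates found; this check assumes one" % len(blocks))
    for b64 in blocks:
        try:
            der = base64.b64decode("".join(b64.split()), validate=True)
        except ValueError:
            problems.append("certificate body is not valid base64")
            continue
        if not der.startswith(b"\x30"):
            problems.append("decoded body is not a DER SEQUENCE")
        # Compare this fingerprint with the one published by your CA.
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return problems, fingerprints


if __name__ == "__main__":
    for label, text in [("sample", make_pem(SAMPLE_DER)),
                        ("truncated", make_pem(SAMPLE_DER).replace(END, ""))]:
        print(label, check_cert_file_text(text))
```

The check only inspects framing and encoding; it does not confirm that the certificate is the CA that issued your directory server's LDAPS certificate, which is what the fingerprint comparison is for.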
How do we import CA SSL cert for secure LDAP? I see attribute for certificate validation:
<Attribute Name="ActiveDirectory.1#CertValidationEnable">Enabled</Attribute>
But unsure how to Upload Directory Service CA Certificate using SCP or any other API