Problems with HP iLO using SCEP

[smoeding]

I am trying to issue certificates for an HP iLO using the SCEP provisioner. iLO is the embedded management controller in an enterprise HP server. It provides a web interface to manage the server and I want to replace the untrusted default certificate with a certificate using our internal CA.

Unfortunately it doesn’t work and I am running out of ideas. I don’t think that my problem is really caused by step-ca, but I am wondering if anybody has seen anything like this and may have a suggestion on how to go forward.

My company uses an internal 4096 bit RSA root CA certificate. I have used that to create an intermediate certificate for step-ca which basically looks like this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1374742143 (0x51f0e67f)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Company Root R1
        Validity
            Not Before: Apr 14 00:00:00 2026 GMT
            Not After : Oct 29 23:59:59 2035 GMT
        Subject: CN=Company SCEP R2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    [...deleted...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                47:5E:22:6C:D6:FF:A2:52:2A:A9:86:32:5B:C5:CD:45:76:9B:52:C1
            X509v3 Authority Key Identifier:
                60:73:4F:2A:F6:9A:3B:89:EA:EC:44:B0:44:30:18:F0:36:AD:E6:B0
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, 1.3.6.1.4.1.311.20.2.1
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        [...deleted...]

The OID 1.3.6.1.4.1.311.20.2.1 is mentioned in Microsoft documents describing their NDES implementation. I added that during debugging but it hasn’t changed anything.

The logs always look like this:

time="2026-04-21T13:06:53+02:00" level=info duration="156.04µs" duration-ns=156040 fields.time="2026-04-21T13:06:53+02:00" method=GET name=ca path="/scep/COMPANY?operation=GetCACaps" protocol=HTTP/1.1 referer= remote-address=10.71.181.41 request-id=549ea514-e308-4ccb-a371-290b95891f46 size=66 status=200 user-agent= user-id=
time="2026-04-21T13:06:53+02:00" level=info duration="64.471µs" duration-ns=64471 fields.time="2026-04-21T13:06:53+02:00" method=GET name=ca path="/scep/COMPANY?operation=GetCACert" protocol=HTTP/1.1 referer= remote-address=10.71.181.41 request-id=430da8e3-f2e9-4fc6-a08f-e63a494ee862 size=1152 status=200 user-agent= user-id=
time="2026-04-21T13:08:54+02:00" level=info duration="89.125µs" duration-ns=89125 fields.time="2026-04-21T13:08:54+02:00" method=GET name=ca path="/scep/COMPANY?operation=GetCACaps" protocol=HTTP/1.1 referer= remote-address=10.71.181.41 request-id=445fd023-6f0e-4878-af03-4e930a792067 size=66 status=200 user-agent= user-id=

As you can see there is a GetCACaps and a GetCACert call. Then after a delay another GetCACaps call. After that the iLO says Certificate Enrollment Status pending on the web page. No PKIOperation call follows so it is clear that the iLO doesn’t even try to request a certificate. Unfortunately the iLO is an embedded system without any access to internal logs.

To mee it looks like the iLO doesn't like the intermediate cert because that is all it has seen when going into the pending state. I also waited for a couple of hours but the pending state is never cleared.

Any ideas/suggestions what to change?

[hslatman]

Hey @smoeding, there's an issue discussing HP iLO, and it came down to iLO not liking a leaf being issued from an intermediate, but would only accept one from a root, apparently: #2181. It's an ... interesting implementation choice, if it turns out to be true. It might be the case they expect a root to sign the cert, but still support an Registration Authority to receive the request initially, which is basically what decrypter certificates are used for on a SCEP provisioner, but it would still be different from our general two-tier PKI.

You could give it a try with a single tier PKI, meaning you'll need an RSA root configured as the root and intermediate. It's an unsupported configuration in step-ca, and I never tried it myself, but it might work.

[smoeding]

Thanks for your feedback, @hslatman

I read the linked issue and also found an old discussion on a HP Forum that the iLO doesn't like an intermediate certificate. Someone from HP wrote that this restriction would be solved with an updated firmware but it's unclear if that has really happened.

Anyway, I started to play with the decrypterKey/Cert options and at least a got the iLO to actually request a cert from the CA now. I will have to do more testing with that.