Certificate validation

HPE OneView performs certificate validation for all Transport Layer Security (TLS) communications between the appliance and external servers or devices. These checks provide confidentiality, integrity, and authentication of the remote endpoint.

In production environments, Hewlett Packard Enterprise strongly recommends that certificate validation be enabled. In environments where security is not a concern, such as a testing environment, certificate validation can optionally be disabled.

If certificate validation is disabled, any sensitive data such as credentials are transmitted insecurely. Make sure to use only local user accounts and not enterprise directory-based accounts to avoid transmitting enterprise login credentials over the network when certificate validation is disabled.

When disabled, the appliance does not perform trust checks for any HTTPS communications.

When enabled, certificate trust checking is performed. Self-signed certificates must be present in the trust store, and CA-signed certificates must have their CA root and any intermediate certificates present in the trust store.

You can enable the check for expired leaf certificates by selecting the Check for expired leaf certificates check box on the certificate screen. Enabling the option allows the appliance to perform expiry checks on the device leaf certificate and on self-signed certificates during communication. By default, the Check for expired leaf certificates option is disabled.
NOTE:

The Check for expired leaf certificates option validates only the device leaf certificate and it is not applicable to the CA certificates that are presented to HPE OneView by the device during communication.

NOTE:

When upgrading from earlier releases, the certificates in use by the currently monitored or managed devices are imported into the HPE OneView trust store and alerts are generated for issues such as expired certificates. These automatically added certificates are either a device's self-signed certificate or the leaf certificate for a certificate authority (CA) signed certificate. Using CA-signed certificates can simplify the device trust process.

Certificate checking is enabled by default, but some of the stricter validation checks are relaxed to maintain communications with all devices, even those with certificate issues. The relaxed checking gives the administrator time to address any expired certificates, to upload trusted CA root and intermediate certificates, and to upload the appropriate CRLs. Adding a CA root certificate to the trust store activates the stricter certificate validations. Ensure that the common name of every device certificate signed by the CA matches the hostname of the device. A mismatch may result in loss of trusted communication with any previously added managed devices whose certificates are signed by that CA.

NOTE:

During communication from the appliance to managed devices or external servers, when the certificate is presented, an expiration check is not performed on the following types of leaf certificates:

  • Self-signed certificates: See Certificate management for additional information on self-signed certificates.

  • Pinned CA-signed certificates: A pinned certificate refers to the copy of a CA-signed leaf certificate that belongs to a managed device or external server saved to the appliance trust store.

Hewlett Packard Enterprise strongly recommends that you enable strict certificate validation checks through the Manage certificates screen after completing an update, as appropriate for your enterprise security policies. From this screen, you can filter certificates based on status, edit a certificate, delete a certificate, add a certificate, and search certificates. You can search certificates by name, state, or expiration date. Only the first 100 certificates are shown in the search result.

HPE OneView supports devices using self-signed certificates and devices using formal CA-signed certificates. CA-signed certificates offer benefits such as revocation checking and overall simplified management.

HPE OneView enables users to import a CA CRL file and to perform the appropriate revocation checking on existing certificates in the trust store and for certificates received during communication with a managed device or external server.

Certificate revocation list (CRL)

A certificate revocation list (CRL) is a list of certificates that the issuing certificate authority has revoked before their expiry date. A CRL is used to check that a digital certificate has not been invalidated.

Certificate revocation checks are enabled by default. However, if a matching CRL has not been imported for a CA-issued certificate, or if a CRL has expired, the appliance can be configured to bypass the revocation check for the associated certificate when establishing an HTTPS connection.

You can enable or disable validation of revoked certificates on the Certificate screen to check the certificates against CRLs that are already uploaded.

HPE OneView controls the way CRLs are handled. You can use the following options on the Certificate screen:
  • Skip revocation checks when a CRL is not available

    This option controls whether HPE OneView treats a missing CRL as an error during certificate validation. By default, this option is enabled and HPE OneView performs overall certificate validation with the exception of revocation checking.

  • Allow expired CRLs

    This setting controls how HPE OneView treats expired CRLs. When enabled, HPE OneView allows CRLs that are expired and continues to perform the revocation checks for that CRL. See Notify missing or expired CRLs to post alerts that remind the administrator to update the expired CRL.

  • Send CRL status notifications

    When enabled, alerts are displayed when there is no CRL uploaded for a CA, a CRL is about to expire, or a CRL has already expired.

  • Automatic CRL downloading

    When enabled, HPE OneView automatically downloads the CRLs for all the CAs that exist in the appliance. By default, the option is disabled.
