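<#
.SYNOPSIS
    Renews HPE iLO TLS certificates that are expiring or were not issued under nd.gov.

.DESCRIPTION
    1. Connects to OneView, lists servers and derives each iLO DNS name
       (first label of the server name + "lo.nd.gov").
    2. Reads the certificate each iLO presents on 443. iLOs whose certificate
       expires within $RenewWithinDays days, or whose subject is not under
       nd.gov, are queued for renewal.
    3. Generates a CSR on each queued iLO, enrolls it with Sectigo, waits for
       issuance, downloads the PEM and imports it into the iLO.
    4. Re-reads each renewed iLO's certificate and emits subject/validity so the
       operator can confirm the swap.

.NOTES
    Inputs that must already exist in the session (they are not defined here):
      $PrvCred       - PSCredential used for OneView and for every iLO.
      $SectigoAPIKey - PSCredential whose UserName/Password hold the Sectigo
                       API client_id / client_secret.
    The module providing Connect-OVMgmt / Get-OVServer is assumed to be loaded.

    The Sectigo bearer token is kept in a script variable only. It is never
    written to the console or to the process environment, where it would be
    inherited by every child process.
#>

Import-Module HPEiLOCmdlets

#region helpers

function Get-RemoteCertificate {
    <#
    .SYNOPSIS
        Returns the X509Certificate2 that a TLS endpoint presents.
    .DESCRIPTION
        Certificate validation is intentionally disabled: the purpose of the call
        is to inspect certificates that may already be expired or self-signed.
        Nothing is trusted on the basis of this handshake; the certificate is
        only read. Sockets are disposed even if the handshake throws.
    .PARAMETER HostName
        DNS name to connect to and to present as the TLS server name.
    .PARAMETER Port
        TCP port, default 443.
    .OUTPUTS
        System.Security.Cryptography.X509Certificates.X509Certificate2
    #>
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $tcp = $null
    $ssl = $null
    try {
        $tcp = New-Object Net.Sockets.TcpClient($HostName, $Port)
        # The { $true } callback accepts any server certificate (see DESCRIPTION).
        $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, ({ $true }))
        $ssl.AuthenticateAsClient($HostName)
        New-Object Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }
}

function Get-SectigoAuthHeaders {
    <#
    .SYNOPSIS
        Obtains a client_credentials token from Sectigo and returns the request
        headers used for every subsequent API call.
    .PARAMETER TokenEndpoint
        Full URL of the OpenID Connect token endpoint.
    .PARAMETER ApiKey
        PSCredential holding client_id (UserName) and client_secret (Password).
    .OUTPUTS
        Hashtable with Authorization and Content-Type headers.
    #>
    param(
        [Parameter(Mandatory)][string]$TokenEndpoint,
        [Parameter(Mandatory)][pscredential]$ApiKey
    )
    $authBody = @{
        grant_type    = 'client_credentials'
        client_id     = $ApiKey.UserName
        client_secret = $ApiKey.GetNetworkCredential().Password
    }
    $tokenResponse = Invoke-RestMethod -Method Post -Uri $TokenEndpoint `
        -ContentType 'application/x-www-form-urlencoded' -Body $authBody
    if (-not $tokenResponse.access_token) {
        throw "Sectigo token request to $TokenEndpoint returned no access_token."
    }
    # Only announce that a token exists; the token value itself is a credential
    # and must not end up in transcripts or logs.
    Write-Warning -Message 'Sectigo token set.'
    @{
        'Authorization' = "Bearer $($tokenResponse.access_token)"
        'Content-Type'  = 'application/json'
    }
}

#endregion helpers

#region inputs and constants

if (-not $PrvCred) {
    throw 'Set $PrvCred (PSCredential for OneView and iLO) before running this script.'
}
if (-not $SectigoAPIKey) {
    throw 'Set $SectigoAPIKey (PSCredential holding the Sectigo client_id/client_secret) before running this script.'
}
$iLOCred = $PrvCred

$OneViewHost         = 'itdmdnsyncompt1.nd.gov'
$iLODomainSuffix     = 'lo.nd.gov'   # iLO FQDN = first label of the server name + this suffix
$RenewWithinDays     = 30
$AuthBaseAPIUrl      = 'https://auth.sso.sectigo.com'
$BaseAPIUrl          = 'https://admin.hard.sectigo.com'
$tokenEndpoint       = "$AuthBaseAPIUrl/auth/realms/apiclients/protocol/openid-connect/token"
$RequesterEmail      = 'vmware@nd.gov'
$ServerTypeCode      = 'Linux'
$Format              = 'x509CO'      # Sectigo collect format: "Certificate only, PEM encoded"
$OrgId               = 8133
$CertType            = 2375
$CertDir             = 'C:\certs'
$PollIntervalSeconds = 10
# Constructed defaults, adjust to local expectations: how long to keep polling
# before giving up on one iLO/order instead of looping forever.
$MaxCsrAttempts      = 30            # ~5 min for the iLO to produce its CSR
$MaxIssuanceAttempts = 1440          # ~4 h for Sectigo to issue (approval is manual, see below)

#endregion inputs and constants

#region discover iLOs needing renewal

Connect-OVMgmt -Hostname $OneViewHost -Credential $PrvCred -AuthLoginDomain nd.gov -LoginAcknowledge
$AllOVServers = Get-OVServer

$iLOToRenew = @()
foreach ($OVServer in $AllOVServers) {
    Write-Warning -Message ($OVServer.ServerName)
    if ([string]::IsNullOrWhiteSpace($OVServer.ServerName)) {
        Write-Warning -Message 'Server has no ServerName in OneView, skipping.'
        continue
    }
    $iLODnsName = $OVServer.ServerName.Split('.')[0] + $iLODomainSuffix

    # An unreachable iLO cannot be renewed by this script anyway; report and move on.
    try {
        $cert = Get-RemoteCertificate -HostName $iLODnsName
    }
    catch {
        Write-Warning -Message "Could not read certificate from ${iLODnsName}: $($_.Exception.Message). Skipping."
        continue
    }

    if ($cert.NotAfter.AddDays(-$RenewWithinDays) -le (Get-Date)) {
        Write-Warning -Message "Certificate for $iLODnsName expires on $($cert.NotAfter), add to renewal list."
        $iLOToRenew += $iLODnsName
    }
    if ($cert.Subject -notlike '*.nd.gov*') {
        Write-Warning -Message "Certificate for $iLODnsName is not a ND.gov cert, add to renewal list."
        $iLOToRenew += $iLODnsName
    }
}
# An iLO can be queued for both reasons above; process it once.
$iLOToRenew = @($iLOToRenew | Select-Object -Unique)

if ($iLOToRenew.Count -eq 0) {
    Write-Verbose -Message 'No iLO certificates need renewal.' -Verbose
    return
}

#endregion discover iLOs needing renewal

#region generate CSRs

Write-Verbose -Message 'Loop through iLOs to generate CSRs and request certs'
# Certificate authentication is disabled on purpose: the iLOs being connected to
# are exactly those whose certificates are expired or untrusted.
$iLOConnections = @(
    foreach ($iLOFqdn in $iLOToRenew) {
        Connect-HPEiLO -Address $iLOFqdn -Credential $iLOCred -DisableCertificateAuthentication
    }
) | Where-Object { $_ }   # Connect-HPEiLO returns nothing for a failed connection
Write-Verbose -Message ([string]$iLOConnections.Count + ' iLO Connections established.') -Verbose

foreach ($iLOConnection in $iLOConnections) {
    Start-HPEiLOCertificateSigningRequest -Connection $iLOConnection `
        -CommonName $iLOConnection.Hostname `
        -Organization 'State of North Dakota' `
        -Country US `
        -City Bismarck `
        -State 'North Dakota' `
        -OrganizationalUnit NDIT
}
Start-Sleep -Seconds 30   # the iLO needs time to generate the key pair and CSR

#endregion generate CSRs

#region enroll with Sectigo

$headers    = Get-SectigoAuthHeaders -TokenEndpoint $tokenEndpoint -ApiKey $SectigoAPIKey
$RequestUrl = "$BaseAPIUrl/api/ssl/v1/enroll"
$OrderIds   = @()

foreach ($iLOConnection in $iLOConnections) {
    Write-Verbose -Message "Getting CSR for $($iLOConnection.Hostname)"

    # Poll the iLO until the CSR is available, with an upper bound so one
    # misbehaving iLO cannot stall the whole run.
    $CsrData = $null
    $attempt = 0
    while ($null -eq $CsrData.CertificateSigningRequest -and $attempt -lt $MaxCsrAttempts) {
        $attempt++
        try {
            $CsrData = Get-HPEiLOCertificateSigningRequest -Connection $iLOConnection
        }
        catch {
            Write-Warning -Message "CSR not ready yet for $($iLOConnection.Hostname), waiting $PollIntervalSeconds seconds."
            Start-Sleep -Seconds $PollIntervalSeconds
        }
    }
    if ($null -eq $CsrData.CertificateSigningRequest) {
        Write-Warning -Message "No CSR from $($iLOConnection.Hostname) after $MaxCsrAttempts attempts, skipping enrollment."
        continue
    }

    $EnrollBody = @{
        orgId             = $OrgId
        certType          = $CertType
        term              = 365
        comments          = "iLO Certificate Renewal for $($iLOConnection.Hostname)"
        serverType        = $ServerTypeCode
        csr               = $CsrData.CertificateSigningRequest
        externalRequester = $RequesterEmail
        customFields      = @(
            @{ name = 'ApplicationName'; value = 'Infra-VMware' }
        )
    }
    $InvokeRestMethodParams = @{
        Uri         = $RequestUrl
        Method      = 'Post'
        Headers     = $headers
        Body        = ($EnrollBody | ConvertTo-Json -Depth 10)
        ContentType = 'application/json'
    }
    $Response = Invoke-RestMethod @InvokeRestMethodParams   # actual enrollment/request
    $OrderIds += $Response.sslId
}

<## approval step -- can't approve own requests, need alternate method... auto-approval of some kind?
$ApproveUrl = $BaseAPIUrl + "/api/ssl/v1/approve/${OrderId}"
$ApproveBody = @{ message = 'Approved VMware Auto' }
$ApproveSplat = @{
    Uri         = $ApproveUrl
    Method      = 'Post'
    Headers     = $headers
    Body        = ($ApproveBody) | ConvertTo-Json
    ContentType = 'application/json'
}
Invoke-RestMethod @ApproveSplat
#>

#endregion enroll with Sectigo

#region collect issued certificates

## download the certificate - the first link email / "Certificate only, PEM encoded"
### re-establish token with Sectigo: issuance can take long enough for the first token to expire
$headers = Get-SectigoAuthHeaders -TokenEndpoint $tokenEndpoint -ApiKey $SectigoAPIKey

if (-not (Test-Path -Path $CertDir)) {
    New-Item -ItemType Directory -Path $CertDir | Out-Null
}

foreach ($OrderId in $OrderIds) {
    $ValidateSplat = @{
        Uri     = "$BaseAPIUrl/api/ssl/v1/$OrderId"
        Method  = 'Get'
        Headers = $headers
    }

    # Wait for issuance; sleep between polls so the API is not hammered, and
    # stop after $MaxIssuanceAttempts so an order that is never approved does
    # not hang the script.
    $Certificate = $null
    $attempt = 0
    while ($Certificate.status -ne 'Issued' -and $attempt -lt $MaxIssuanceAttempts) {
        if ($attempt -gt 0) { Start-Sleep -Seconds $PollIntervalSeconds }
        $attempt++
        $Certificate = Invoke-RestMethod @ValidateSplat
        Write-Verbose -Message "Order $OrderId status: $($Certificate.status)"
    }
    if ($Certificate.status -ne 'Issued') {
        Write-Warning -Message "Order $OrderId not issued after $MaxIssuanceAttempts polls (status '$($Certificate.status)'), skipping download."
        continue
    }

    $CommonName   = $Certificate.commonName
    $DownloadSplat = @{
        Uri             = "$BaseAPIUrl/api/ssl/v1/collect/${OrderId}?format=$Format"
        Method          = 'Get'
        Headers         = $headers
        UseBasicParsing = $true
    }
    Invoke-WebRequest @DownloadSplat -OutFile (Join-Path -Path $CertDir -ChildPath "$CommonName-$OrderId.pem")
}

#endregion collect issued certificates

#region install certificates on iLOs

## set new certs on iLOs
foreach ($iLOConnection in $iLOConnections) {
    Write-Verbose -Message "Uploading certificate to $($iLOConnection.Hostname)" -Verbose
    # Files are named "<commonName>-<orderId>.pem"; if several runs left files
    # behind, use the most recent one rather than concatenating all of them.
    $CertFileToUse = Get-ChildItem -Path $CertDir -Filter "$($iLOConnection.Hostname)-*.pem" |
        Sort-Object -Property LastWriteTime -Descending |
        Select-Object -First 1
    if (-not $CertFileToUse) {
        Write-Warning -Message "No certificate file found for $($iLOConnection.Hostname) in $CertDir, skipping upload."
        continue
    }
    $Cert = Get-Content -Path $CertFileToUse.FullName -Raw
    Import-HPEiLOCertificate -Certificate $Cert -Connection $iLOConnection -Force
}

#endregion install certificates on iLOs

#region verify

# Re-read what each iLO now presents so the operator can confirm the new
# subject and validity window.
foreach ($iLODnsName in $iLOToRenew) {
    try {
        $NewCert = Get-RemoteCertificate -HostName $iLODnsName
    }
    catch {
        Write-Warning -Message "Could not re-read certificate from ${iLODnsName}: $($_.Exception.Message)"
        continue
    }
    $NewCert | Select-Object @{ n = 'zSubject'; e = { $_.Subject.Split(',')[0] } }, NotBefore, NotAfter
}

#endregion verify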