Solved: HP DreamColor Z27x G2 - not able to create / install client ... - HP Support Community

heiko-s · ‎12-29-2020

The HP DreamColor Z27x G2 screen allows for managing the display via https. To do so, one has to create and install several TLS certificates. I've followed the instructions of the "Remote Management setup for HP DreamColor Z31x/Z27xG2 Display" manual to the point, but the client certificate is always rejected.

I use openssl on Linux to create the self-signed CA certificate that is required. Here are the steps from the HP instructions:

openssl genrsa -out ca.key 2048

openssl req -new -key ca.key -out ca.csr

openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out serverCA.crt

openssl genrsa -out client.key 2048

openssl req -new -key client.key -out client.csr

openssl x509 -req -days 365 -in client.csr -signkey ca.key -out client.crt

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Note that the above command gives an error:

No certificate matches private key

I've tried everything, to no avail. The above command works fine when I specify ca.key as the -inkey. But then the display refuses that client.p12 file with an error.

I've repeated the instructions several times, and have also shortened or modified the steps. But the monitor would not install the client certificate.

Nate that I have successfully created and installed the server certificates, in a similar way using openssl.

Please help!

heiko-s · ‎12-30-2020

I found the solution. Here are the steps that differ from the instructions in the manual:

Create PKCS#12 document from the client private key and signed certificate

openssl pkcs12 -export -clcerts -out client.p12 -inkey ca.key -in client.crt

Note the -inkey ca.key !!!

Copying this key to the screen using a USB stick doesn't work. The screen/server correctly identifies the client.p12 file when zipped into ClientCertificate.zip, but installing it using the OSD fails with an error.

What did work is the following:

1. Connect to the HP screen / remote management server via web browser using http://

2. Select "Monitor Profile" from the "DreamColor Remote Access" drop-down menu.

3. Under "Certificates" there should already be a client certificate issues by HP. In any case, click "Add" and upload your own client.p12 certificate. If necessary, confirm overwriting the existing client certificate.

4. Follow the instructions in the "Remote Management setup for HP
DreamColor Z31x/Z27xG2 Display" technical white paper on how to install the client.p12 certificates in your browser.

5. Enable https via OSD.

6. When connecting to the remote management server in the HP DreamColor screen, your browser will of course complain about the self-signed certificate. Just click Advanced or whatever and confirm that you know what you are doing and that you wish to connect. That's it.

Hope someone at HP reads this and have HP fix the documentation.

View solution in original post

heiko-s · ‎12-30-2020