Loading...
Loading...
A supplier notified HPE that the Security Protocol Data Model (SPDM) Certificates injected into the SSD devices listed in the Scope section below were incorrectly set with an expiration date 25 months from manufacture, versus a 12/31/9999 date (i.e., non-expiring date), as originally intended. As a result, the earliest shipments of drives contain certificates that expire beginning in mid-April 2025.On HPE Gen11 platforms, if the "Global Component Integrity" feature in Integrated Lights-Out (iLO) has been enabled and the "Component Integrity Policy" has been set to "Halt Boot on SPDM failure" as shown in Screenshot 1, a drive with an expired SPDM certificate will result in the server halting boot as shown in Screenshot 2, after the expiration date has passed.Screenshot 1: iLO Configuration to Enable Global Component Integrity and the Policy:IMPORTANT:When "Global Component Integrity" remains at the default "Disabled" setting, no functional issues occur, and no error messages are generated. When "Global Component Integrity" is enabled but the "Component Integrity Policy" is set to "No Policy," error messages will be logged in the Security Log, but no functional issues will occur.IMPORTANT:Certificates will begin expiring on non-15TB drive models in mid-April 2025. Certificates on 15TB drive models will begin expiring in June 2026.Reference the following screenshots for additional information regarding error messages:Integrated Management Log (IML) Error Message(text):Component Integrity Failure. Installed devices did not meet the Component Integrity Policy. Check the Security Log for more details. System Halted!Security Log Error Message(text):SPDM device at location Embedded:Port=6A:Box=1:Bay=1 could not be authenticated (reason Certificate Authentication Failed)Screenshot 2: Console Error Message when "Halt Boot on SPDM failure" is selected:
Any HPE Gen11 platform configured with the following SSD models with SSD firmware versions HPK1, HPS1 and HPZ1 and the "Global Component Integrity" feature in Integrated Lights-Out (iLO) has been enabled and the "Component Integrity Policy" has been set to "Halt Boot on SPDM failure:"HPE SSD Model Number:MO006400KXPABMO001600KXNZVVO001920KXNZQVO007680KXNZTMO003200KXPAAMO000800KXNXHVO003840KXNZRVO000960KXNXDVO003840KYDZNVO001920KYDZLMO003200KYDZTMO000800KYDZKMO006400KYDZUMO001600KYDZRVO000960KYDZHVO001536KYDZQVO007680KYDZPSSD Model Description and Part Number DetailsHPE Model NumberHPE SKUHPE SKU DescriptionHPE Spare Part NumberRaw PartMO006400KXPABP47822-B21HPE 6.4TB NVMe MU SFF SCN U.2 MV SSDP48127-001P54270-004MO006400KXPABP47836-B21HPE 6.4TB NVMe MU SFF SC U.3ST MV SSDP48215-001P54270-004MO006400KXPABP47840-B21HPE 6.4TB NVMe MU SFF BC U.3ST MV SSDP48219-001P54270-004MO006400KXPABP64886-B21HPE 6.4TB NVMe MU SFF SCN U.2 V2 MV SSDP65210-001P54270-004MO006400KXPABP65019-B21HPE 6.4T NVMe MU SFF SC U.3ST V2 MV SSDP65206-001P54270-004MO006400KXPABP65023-B21HPE 6.4T NVMe MU SFF BC U.3ST V2 MV SSDP65207-001P54270-004MO001600KXNZVP47820-B21HPE 1.6TB NVMe MU SFF SCN U.2 MV SSDP48125-001P54270-002MO001600KXNZVP47834-B21HPE 1.6TB NVMe MU SFF SC U.3ST MV SSDP48213-001P54270-002MO001600KXNZVP47838-B21HPE 1.6TB NVMe MU SFF BC U.3ST MV SSDP48217-001P54270-002MO001600KXNZVP64870-B21HPE 1.6TB NVMe MU SFF SCN U.2 V2 MV SSDP65208-001P54270-002MO001600KXNZVP65003-B21HPE 1.6T NVMe MU SFF SC U.3ST V2 MV SSDP65202-001P54270-002MO001600KXNZVP65007-B21HPE 1.6T NVMe MU SFF BC U.3ST V2 MV SSDP65203-001P54270-002MO001600KXNZVP66798-B21HPE 1.6TB NVMe MU SFF SCN U.2 PVT SSDP67203-001P54270-002MO001600KXNZVP66799-B21HPE 1.6TB NVMe MU SFF BC U.3ST PVT SSDP67204-001P54270-002VO001920KXNZQP47823-B21HPE 1.92TB NVMe RI SFF SCN U.2 MV SSDP48128-001P54267-002VO001920KXNZQP47841-B21HPE 1.92TB NVMe RI SFF SC U.3ST MV SSDP48220-001P54267-002VO001920KXNZQP47845-B21HPE 1.92TB NVMe RI SFF BC U.3ST MV SSDP48224-001P54267-002VO001920KXNZQP64843-B21HPE 1.92T NVMeRI SFF SC U.3ST V2 MV SSDP65192-001P54267-002VO001920KXNZQP64844-B21HPE 1.92T NVMeRI SFF BC U.3ST V2 MV SSDP65193-001P54267-002VO001920KXNZQP64874-B21HPE 1.92T NVMe RI SFF SCN U.2 V2 MV SSDP65198-001P54267-002VO001920KXNZQP66847-B21HPE 1.92TB NVMe RI SFF BC U.3ST PVT SSDP67229-001P54267-002VO001920KXNZQP66849-B21HPE 1.92TB NVMe RI SFF SC U.3ST PVT SSDP67230-001P54267-002VO001920KXNZQP66851-B21HPE 1.92TB NVMe RI SFF SCN U.2 PVT SSDP67231-001P54267-002VO007680KXNZTP47825-B21HPE 7.68TB NVMe RI SFF SCN U.2 MV SSDP48130-001P54267-004VO007680KXNZTP47843-B21HPE 7.68TB NVMe RI SFF SC U.3ST MV SSDP48222-001P54267-004VO007680KXNZTP47847-B21HPE 7.68TB NVMe RI SFF BC U.3ST MV SSDP48226-001P54267-004VO007680KXNZTP64847-B21HPE 7.68T NVMeRI SFF SC U.3ST V2 MV SSDP65196-001P54267-004VO007680KXNZTP64848-B21HPE 7.68T NVMeRI SFF BC U.3ST V2 MV SSDP65197-001P54267-004VO007680KXNZTP64890-B21HPE 7.68TB NVMe RI SFF SCN U.2 V2 MV SSDP65200-001P54267-004MO003200KXPAAP47821-B21HPE 3.2TB NVMe MU SFF SCN U.2 MV SSDP48126-001P54270-003MO003200KXPAAP47835-B21HPE 3.2TB NVMe MU SFF SC U.3ST MV SSDP48214-001P54270-003MO003200KXPAAP47839-B21HPE 3.2TB NVMe MU SFF BC U.3ST MV SSDP48218-001P54270-003MO003200KXPAAP64878-B21HPE 3.2TB NVMe MU SFF SCN U.2 V2 MV SSDP65209-001P54270-003MO003200KXPAAP65011-B21HPE 3.2T NVMe MU SFF SC U.3ST V2 MV SSDP65204-001P54270-003MO003200KXPAAP65015-B21HPE 3.2T NVMe MU SFF BC U.3ST V2 MV SSDP65205-001P54270-003MO000800KXNXHP47837-B21HPE 800GB NVMe MU SFF BC U.3ST MV SSDP48216-001P54270-001MO000800KXNXHP64999-B21HPE 800G NVMe MU SFF BC U.3ST V2 MV SSDP65201-001P54270-001MO000800KXNXHP66797-B21HPE 800GB NVMe MU SFF BC U.3ST PVT SSDP67202-001P54270-001VO003840KXNZRP47824-B21HPE 3.84TB NVMe RI SFF SCN U.2 MV SSDP48129-001P54267-003VO003840KXNZRP47842-B21HPE 3.84TB NVMe RI SFF SC U.3ST MV SSDP48221-001P54267-003VO003840KXNZRP47846-B21HPE 3.84TB NVMe RI SFF BC U.3ST MV SSDP48225-001P54267-003VO003840KXNZRP64845-B21HPE 3.84T NVMeRI SFF SC U.3ST V2 MV SSDP65194-001P54267-003VO003840KXNZRP64846-B21HPE 3.84T NVMeRI SFF BC U.3ST V2 MV SSDP65195-001P54267-003VO003840KXNZRP64882-B21HPE 3.84T NVMe RI SFF SCN U.2 V2 MV SSDP65199-001P54267-003VO000960KXNXDP47844-B21HPE 960GB NVMe RI SFF BC U.3ST MV SSDP48223-001P54267-001VO000960KXNXDP64842-B21HPE 960G NVMe RI SFF BC U.3ST V2 MV SSDP65191-001P54267-001VO000960KXNXDP66845-B21HPE 960GB NVMe RI SFF BC U.3ST PVT SSDP67228-001P54267-001VO003840KYDZNP64882-B21HPE 3.84T NVMe RI SFF SCN U.2 V2 MV SSDP65199-001P66092-003VO003840KYDZNP64845-B21HPE 3.84T NVMeRI SFF SC U.3ST V2 MV SSDP65194-001P66092-003VO003840KYDZNP64846-B21HPE 3.84T NVMeRI SFF BC U.3ST V2 MV SSDP65195-001P66092-003VO001920KYDZLP64844-B21HPE 1.92T NVMeRI SFF BC U.3ST V2 MV SSDP65193-001P66092-002VO001920KYDZLP64843-B21HPE 1.92T NVMeRI SFF SC U.3ST V2 MV SSDP65192-001P66092-002VO001920KYDZLP64874-B21HPE 1.92T NVMe RI SFF SCN U.2 V2 MV SSDP65198-001P66092-002MO003200KYDZTP64878-B21HPE 3.2TB NVMe MU SFF SCN U.2 V2 MV SSDP65209-001P66093-003MO003200KYDZTP65011-B21HPE 3.2T NVMe MU SFF SC U.3ST V2 MV SSDP65204-001P66093-003MO003200KYDZTP65015-B21HPE 3.2T NVMe MU SFF BC U.3ST V2 MV SSDP65205-001P66093-003MO000800KYDZKP64999-B21HPE 800G NVMe MU SFF BC U.3ST V2 MV SSDP65201-001P66093-001MO006400KYDZUP64886-B21HPE 6.4TB NVMe MU SFF SCN U.2 V2 MV SSDP65210-001P66093-004MO006400KYDZUP65019-B21HPE 6.4T NVMe MU SFF SC U.3ST V2 MV SSDP65206-001P66093-004MO006400KYDZUP65023-B21HPE 6.4T NVMe MU SFF BC U.3ST V2 MV SSDP65207-001P66093-004MO001600KYDZRP64870-B21HPE 1.6TB NVMe MU SFF SCN U.2 V2 MV SSDP65208-001P66093-002MO001600KYDZRP65003-B21HPE 1.6T NVMe MU SFF SC U.3ST V2 MV SSDP65202-001P66093-002MO001600KYDZRP65007-B21HPE 1.6T NVMe MU SFF BC U.3ST V2 MV SSDP65203-001P66093-002VO000960KYDZHP64842-B21HPE 960G NVMe RI SFF BC U.3ST V2 MV SSDP65191-001P66092-001VO001536KYDZQP69255-B21HPE 15.36TB NVMe RI BC U.3ST SPDM MV SSDP69507-001P66092-005VO007680KYDZPP64890-B21HPE 7.68TB NVMe RI SFF SCN U.2 V2 MV SSDP65200-001P66092-004VO007680KYDZPP64847-B21HPE 7.68T NVMeRI SFF SC U.3ST V2 MV SSDP65196-001P66092-004VO007680KYDZPP64848-B21HPE 7.68T NVMeRI SFF BC U.3ST V2 MV SSDP65197-001P66092-004MO006400KXPABP71146-B21HPE 6.4TB NVMe MU SFF BC Spl SSDP71643-001P54270-004MO006400KXPABP75347-B21HPE 6.4T NVMe MU BC U.3ST V2 MV SPL SSDP75385-001P54270-004MO003200KXPAAP71301-B21HPE 3.2TB NVMe MU SFF BC Spl SSDP71644-001P54270-003MO006400KYDZUP75347-B21HPE 6.4T NVMe MU BC U.3ST V2 MV SPL SSDP75385-001P66093-004VO001536KYDZQP77079-B21HPE 15.36TNVMeRI BC U.3ST SPDM MV splSSDP77083-001P66092-005Note: The following models of HPE Gen11 server and storage platforms support SPDM on the SSD models listed above:HPE Alletra Storage Server 4120HPE ProLiant DL20 Gen11 ServerHPE ProLiant DL320 Gen11 ServerHPE ProLiant DL325 Gen11 ServerHPE ProLiant DL345 Gen11 192T 8LFF Server for CohesityHPE ProLiant DL345 Gen11 ServerHPE ProLiant DL360 Gen11 ServerHPE ProLiant DL365 Gen11 ServerHPE ProLiant DL380 Gen11 ServerHPE ProLiant DL380 Gen11 AF Node for MS Azure HCIHPE ProLiant DL380A Gen11 8SW CTO ServerHPE ProLiant DL385 Gen11 ServerHPE ProLiant DL560 Gen11HPE ProLiant ML350 Gen11 ServerHPE Synergy 480 Gen11 Compute Module
Drive replacement is not necessary to prevent this issue. HPE is providing a tool that enables an SPDM certificate with a non-expiring expiration date to be injected into the SSD devices, that will prevent the issue detailed above.IMPORTANT: This tool can only be used with direct-attached drives. If the drive is used through the controllers, the firmware update process will not be successful, due to controller limitations.HPE Certificate Update Tool - Windows systemsThe tool is available at:HPE Certificate Update Tool for WindowsOverview: This tool will update the device certificate chain on all drives discovered on the system that are of:Micron 7450 product family with firmware versions HPS0, HPS1, HPS2, HPS3, HPS4Micron 7500 product family with firmware versions HPK0, HPK1, HPK2, HPK3Once the update is complete, the firmware version will be updated to:Micron 7450: HPS5Micron 7500: HPK5Drives will have the certificate chain with the expiration dates of:Root Certificate: 2042ICA1: 9999Device: 9999Supported Windows Operating Systems:Windows 2016Windows 2019Windows 2022Windows 2025Install/Acquisition Prerequisites:Admin privilegesInstallation:Copy the application to a specific folder/directory:Use file explorer to navigate to the directory where you want to copy the application and place the application there.Execution:1. Open a Command Prompt. Press Win+R, type cmd, and press Enter to open the command prompt.(need to open with admin privileges).2. Navigate to the application directory. Use the cd command to navigate to the directory where the application is located.cdC:\path\to\your\application3. Run the application with admin privileges. If the command prompt is already open with admin privileges,HPECertificateUpdate.exeORrunas/user:Administrator HPECertificateUpdate.exeSample output:Logs:The application generates two different logs that need to be collected and shared if the certificate update fails for any device:hpe_tool.loglocation: the current directory the application is executed from.mseapiLogFile.txtlocation: C:\Windows\TempHPE Certificate Update Tool - Linux systemsThe tool is available at:HPE Certificate Update Tool for LinuxOverview: This tool will update the device certificate chain on all drives discovered on the system that are of:Micron 7450 product family with firmware versions HPS0, HPS1, HPS2, HPS3, HPS4Micron 7500 product family with firmware versions HPK0, HPK1, HPK2, HPK3Once the update is complete, the firmware version will be updated to:Micron 7450: HPS5Micron 7500: HPK5Drives will have the certificate chain with the expiration dates of:Root Certificate: 2042ICA1: 9999Device: 9999Supported Linux Operating Systems:Red Hat 8.0, 8.2, 8.6, 8.10, 9.0, 9.4Ubuntu 22.04, 24.04SUSE 15 SP0, 15 SP2, 15 SP4, 15 SP5, 15 SP6Install/Acquisition Prerequisites:Admin privilegesInstallation:Copy the application to a specific folder/directory:Use file explorer to navigate to the directory.Execution:1. Open the terminal on your system2. Navigate to the application directory - use the cd command to navigate to the directory where the application is loaded. For example:$ cd /path/to/your/application3. Add executable permissions. To add executable permissions to the application, use the "chmod" command:$ chmod +x HPECertificateUpdate4. Run the application with admin privileges. To run the application with admin privileges, use the "sudo" command:# sudo ./HPECertificateUpdateApplication LogsThe application generates two different logs that need to be collected and shared if the certificate update fails for any device:hpe_tool.logLocation: The current directory where the application is executed frommseapiLogFile.txtLocation: "/var/log/StorageExecutive"HPE Certificate Update Tool- VMware Systems:The tool is available at:HPE Certificate Update Tool- VMware SystemsOverviewThis tool will update the device certificate chain on all drives discovered on the system that are of the Micron 7450 & 7500 product familyOnce the update is complete, the firmware version will be updated to:Micron 7500: HPK5Micron 7450: HPS5Drives will have the certificate chain with expiration dates of:Root certificate: 2042ICA1: 9999Device: 9999Supported ESXi Operating Systems: ESXi 7.0 U 2, 7.0 U 3, 8.0 U 1, 8.0 U 3Install/Execution Prerequisites: root privilegesInstallation:Copy the application to a specific vmfs/datastare directory(Preferable)1.Enable maintenance mode before installing the component:$ esxcli system maintenanceMode set -e=trueOptional: Get/Check maintenance-mode status using the below command:$ esxcli system maintenanceMode getNote:Before a host can enter maintenance mode, any running virtual machines must be migrated to other available hosts within the cluster or suspend them.2. Once the host is in maintenance mode, install the component; run the command:$ esxcli software component apply -d <absolute-path>3.Restart the hostd (host daemon) once the component installation is complete:$/etc/init.d/hostdrestartExecution:1. Open Terminal: Open the terminal on your system.2. Run the application.3.Note:Step 3 (Restart the hostd (host daemon)) is optional if you execute the tool inlocalcli.Run the below command on ESXi host terminal to start the certificate update process:$ localcli hpecerttool update -sOR, if the Step 3 is followed,$ esxclihpecerttool update -sOnce the Cert update is complete, results will be printed on the terminal as well as dumped into file /opt/micronhpecerttool/tmp/hpecert_update_result.txtUninstallation1. Run the below command to uninstall the component:$ esxcli software component remove -n mic-hpecerttoolEsxcliPlugin2. Once Uninstallation is done, disable maintenance mode using the below command:$ esxcli system maintenanceMode set -e=falseApplication Logs:The application generates a log that needs to be collected and shared if the certificate update fails for any device:Location: "/scratch/log/msecli.log"Note: Component version mic-hpecerttoolEsxcliPlugin_1.0-0.0.0003.zip. The Tool prints the version as v1.0 on the console.Document VersionRelease DateDetails2September 19, 2025Updated to include the HPE Certificate Tool for VMware download and instructions.1June 3, 2025Original document release
Operating Systems Affected:Not Applicable
Click on a version to see all relevant bugs
Hewlett Packard Enterprise Integration
Learn more about where this data comes from
Bug Scrub Advisor
Streamline upgrades with automated vendor bug scrubs
BugZero Enterprise
Wish you caught this bug sooner? Get proactive today.