While the iDRAC provides a download CSR option to speed up generating a key/CSR, it does not include a SAN (Subject Alternative Name), which means modern browsers will throw an Invalid certificate error when accessing the web UI.
The solution is to create a keypair and signed certificate with subject alternate name outside iDRAC and upload private key and signed certificate to iDRAC. If you aren’t aware of IDRAC CSR GENERATION, please follow the instructions given in our guide.
Guide:
This guide will carry you through the following:
- Generating CSR Using Web Interface
- Generating CSR Using RACADM
- iDRAC SSL INSTALLATION
- Installing iDRAC Certificate on Linux Systems
- How to create SHA2 SSL certificate signing request
- How to install SHA2 SSL certificate in Dell iDRAC
1.Generating CSR Using Web Interface
NOTE: A New CSR overwrites the previous CSR information stored in the firmware, and it must match the information in the SSL server certificate. Otherwise, iDRAC does not accept the certificate.
To generate CSR using the web interface, follow the instructions give below:
- In the iDRAC Web interface, go to Overview > iDRAC Settings > Network > SSL, select Generate Certificate Signing Request (CSR) and click Next. The Generate a New Certificate Signing Request page will be displayed.
- Enter a value for each CSR attribute.
- Click Generate. A new CSR will get generated. Save this to the management station.
2.Generating CSR Using RACADM
To generate a CSR using RACADM, use the set command with the objects in the iDRAC. By running any of the following commands, ensure the name of the DNS RAC is the same as the common name specified in the security group of iDRAC.
On the DRAC6 server, config commands will support.
On the iDRAC7 server, set commands will recommend though config commands are supported.
- The set command
racadm set iDRAC.NIC.DNSRacName iDRAC-SSL-Certificate - The config command
racadm config –g cfgLanNetworking –o cfgDNSRacName iDRAC-SSL-Certificate
To configure a DNS domain name, under iDRAC registration, click Enable.
- The set command:
racadm set idrac.NIC.DNSDomainName xyz.com
racadm set idrac.NIC.DNSRegister Enabled - The config command:
racadm config –g cfgLanNetworking –o cfgDNSDomainName xyz.com
racadm config –g cfgLanNetworking –o cfgDNSRegisterRac 1
To configure the iDRAC security group-related parameters for CSR generation, run one of the following commands:
- The set subcommand:
racadm set iDRAC.Security.CsrKeySize 1024/2048
racadm set iDRAC.Security.CsrCommonName iDRAC-SSL-Certificate
racadm set iDRAC.Security.CsrOrganizationName XYZ
racadm set iDRAC.Security.CsrOrganizationUnit Unit1
racadm set iDRAC.Security.CsrLocalityName LocName
racadm set iDRAC.Security.CsrStateName StateName
racadm set iDRAC.Security.CsrCountryCode US
racadm set iDRAC.Security.CsrEmailAddr abc@xyz.com - The config subcommand:
racadm config –g cfgRacSecurity –o cfgRacSecCsrKeySize 1024/2048
racadm config –g cfgRacSecurity –o cfgRacSecCsrCommonName iDRAC-SSLCertificate
racadm config –g cfgRacSecurity –o cfgRacSecCsrOrganizationName XYZ
racadm config –g cfgRacSecurity –o cfgRacSecCsrOrganizationUnit Unit1
racadm config –g cfgRacSecurity –o cfgRacSecCsrLocalityName LocName
racadm config –g cfgRacSecurity –o cfgRacSecCsrStateName StateName
racadm config –g cfgRacSecurity –o cfgRacSecCsrCountryCode US
racadm config –g cfgRacSecurity –o cfgRacSecCsrEmailAddr abc@xyz.com
When all the required parameters are configured successfully, CSR is generated using the sslcsrgen subcommand. This subcommand uses the parameters specified under the iDRAC Security group for generating a CSR. The command syntax is given here.
racadm sslcsrgen –g –f idraccsr.txt
3.IDRAC SSL INSTALLATION
- If you already have a certificate that is generated by a certificate authority, you can follow the given instructions and configure it on your iDRAC.
- To follow the steps, we need to have racadm command line utility. If you do not have it, use your server service tag, then downloads – you will find it in the OpenManage utilities or type “racadm” in the download search field.
- Use the following commands:
- Upload the private key :
racadm -r < ip_address > -u root -p < password > sslkeyupload -f (path/to/certificate_private.key) - Upload the certificate :
racadm -r < ip_address > -u root -p < password > sslcertupload -t 1 -f (path/to/domain_certificate.crt) - Restart the iDRAC controller
racadm -r < ip_address > -u root -p < password > racreset
- Upload the private key :
NOTE:
If you notice any security alert stating the certificate is invalid/Certificate is not signed by Trusted Third Party, then use -S option for racadm and stop execution on certificate-related errors.
4.Installing iDRAC Certificate on Linux Systems
- Convert the certificate in DER format to PEM format (using openssl command line tool):
openssl x509 -inform pem -in [yourdownloadedderformatcert.crt] –outform pem – out [outcertfileinpemformat.pem] –text - Find the location of the default CA certificate bundle on the management station
For example, for RHEL5 64-bit, it is /etc/pki/tls/cert.pem - Append the PEM formatted CA certificate to the management station CA certificate.
For example, run the cat command:– cat testcacert.pem >> cert.pem - To point to a DNS server of the domain of CA root, configure the DNS settings for name resolutions in the networking.
- To run Remote RACADM command, at the command line interface, use the iDRAC FQDN as a remote endpoint while running any remote RACADM command.
racadm –r iDRAC-SSL-Certificate.xyz.com –u admin –p passwd getsysinfo
How to use SHA2 SSL certificate signing request and certificates with Dell iDRAC:
To utilize SHA2 based SSL objects with the iDRAC on the Dell PowerEdge servers like R620 and R720, you must generate a certificate signing request and a private key on the distinct host. These resulting certificates and keys must upload to iDRAC later.
5. How to create SHA2 SSL certificate signing request
The following are required:
-
- A Windows-based host with Dell’s RACADM software installed (for uploading the private key and certificate to the iDRAC)
- Please check Dell’s web site to download the latest version of the RACADM utility.
- The iDRAC must be running at least firmware version 2.21.21.21. Please contact Dell to obtain this version of the iDRAC firmware. The firmware can be upgraded remotely with the following RACADM command:
C:\Program Files\Dell\SysMgt\rac5>racadm.exe -r -u root -p fwupdate -d <c:\path\to\firmimg.d7></c:\path\to\firmimg.d7> - A host with the OpenSSL suite installed, for the below instructions.
- Generate 2048-bit, sha256 private key & csr
openssl req -newkey rsa:2048 -sha256 -keyout fqdn.key -out fqdn.csr - Remove passphrase from private key (private keys with pass phrases are not supported by iDRAC)
openssl rsa -in fqdn.key -out fqdn.key - Optionally, view/check key and signing request
openssl rsa -in fqdn.key -check
openssl req -in fqdn.csr -text -noout - Use the certificate signing authority to generate and provide a certificate
iDRAC7 accepts only X509, Base 64 encoded Web server certificates. - Optionally, view/check certificate to make sure it’s sha256/2048bit
openssl x509 -in fqdn.pem -text -noout
Then on Windows with RACADM:
6. How to install SHA2 SSL certificate in Dell iDRAC
- Upload the private key to the iDRAC
racadm.exe -r my-idrac-ip -u root -p calvin sslkeyupload -t 1 -f fqdn.key - Upload the new certificate
racadm.exe -r my-idrac-ip -u root -p calvin sslcertupload -t 1 -f certificate.pem - Reboot the idrac
racadm.exe -r my-idrac-ip -u root -p calvin racreset
- Generate 2048-bit, sha256 private key & csr
Wait 5 minutes for the reset to complete.
We hope this guide helped you with this easy process. If you are unable to use these instructions, Acmetek recommends that you contact either the vendor of your software or the hosting organization that supports it.