Guide to generate CSR and install an SSL certificate on Dell iDRAC

While the iDRAC provides a download CSR option to speed up generating a key/CSR, the CSR it produces carries no Subject Alternative Name (SAN) extension. Modern browsers ignore the Common Name and require the host name to appear in the SAN, so a certificate issued from that CSR still produces an invalid certificate error when you open the web UI.

The solution is to create the key pair and a CSR with a Subject Alternative Name outside the iDRAC, have your CA sign it, and upload the private key and signed certificate to the iDRAC. Sections 1 and 2 below cover CSR generation on the iDRAC itself (for the cases where that is sufficient); sections 5 and 6 cover generating the key and CSR on a separate host with OpenSSL and uploading the result.

Guide:

This guide will carry you through the following:

  • Generating CSR Using Web Interface
  • Generating CSR Using RACADM
  • iDRAC SSL INSTALLATION
  • Installing iDRAC Certificate on Linux Systems
  • How to create SHA2 SSL certificate signing request
  • How to install SHA2 SSL certificate in Dell iDRAC

1.Generating CSR Using Web Interface

NOTE: A New CSR overwrites the previous CSR information stored in the firmware, and it must match the information in the SSL server certificate. Otherwise, iDRAC does not accept the certificate.

To generate a CSR using the web interface, follow the instructions given below:

  1. In the iDRAC Web interface, go to Overview > iDRAC Settings > Network > SSL, select Generate Certificate Signing Request (CSR) and click Next. The Generate a New Certificate Signing Request page will be displayed.
  2. Enter a value for each CSR attribute.
  3. Click Generate. A new CSR will get generated. Save this to the management station.

2.Generating CSR Using RACADM

To generate a CSR using RACADM, set the relevant iDRAC objects with the set (or config) command and then run sslcsrgen. Before running any of the following commands, make sure the DNS RAC name (together with the DNS domain name) is the same as the Common Name you will specify in the iDRAC Security group: that FQDN is what clients will type into the browser, and it must match the certificate.

On DRAC6, only the config command is supported.
On iDRAC7, the set command is recommended, though config is still supported.

  1. The set command
    racadm set iDRAC.NIC.DNSRacName iDRAC-SSL-Certificate
  2. The config command
    racadm config -g cfgLanNetworking -o cfgDNSRacName iDRAC-SSL-Certificate

To configure the DNS domain name and register the iDRAC name in DNS (DNS iDRAC registration enabled), run one of the following:

  • The set command:
    racadm set iDRAC.NIC.DNSDomainName xyz.com
    racadm set iDRAC.NIC.DNSRegister Enabled
  • The config command:
    racadm config -g cfgLanNetworking -o cfgDNSDomainName xyz.com
    racadm config -g cfgLanNetworking -o cfgDNSRegisterRac 1

To configure the iDRAC security group-related parameters for CSR generation, run one of the following sets of commands. Use a 2048-bit key: 1024-bit RSA keys are no longer accepted by public CAs or modern browsers. The Common Name must be the FQDN you will use to reach the iDRAC, and the remaining values are examples to replace with your own.

  • The set subcommand:
    racadm set iDRAC.Security.CsrKeySize 2048
    racadm set iDRAC.Security.CsrCommonName iDRAC-SSL-Certificate
    racadm set iDRAC.Security.CsrOrganizationName XYZ
    racadm set iDRAC.Security.CsrOrganizationUnit Unit1
    racadm set iDRAC.Security.CsrLocalityName LocName
    racadm set iDRAC.Security.CsrStateName StateName
    racadm set iDRAC.Security.CsrCountryCode US
    racadm set iDRAC.Security.CsrEmailAddr abc@xyz.com
  • The config subcommand:
    racadm config -g cfgRacSecurity -o cfgRacSecCsrKeySize 2048
    racadm config -g cfgRacSecurity -o cfgRacSecCsrCommonName iDRAC-SSL-Certificate
    racadm config -g cfgRacSecurity -o cfgRacSecCsrOrganizationName XYZ
    racadm config -g cfgRacSecurity -o cfgRacSecCsrOrganizationUnit Unit1
    racadm config -g cfgRacSecurity -o cfgRacSecCsrLocalityName LocName
    racadm config -g cfgRacSecurity -o cfgRacSecCsrStateName StateName
    racadm config -g cfgRacSecurity -o cfgRacSecCsrCountryCode US
    racadm config -g cfgRacSecurity -o cfgRacSecCsrEmailAddr abc@xyz.com

When all the required parameters are configured, generate the CSR with the sslcsrgen subcommand. It uses the parameters set in the iDRAC Security group; -g generates a new CSR (and a new private key, which stays on the iDRAC) and -f writes the CSR to a file on the management station:

racadm sslcsrgen -g -f idraccsr.txt

3.IDRAC SSL INSTALLATION

  • If you already have a certificate that was issued by a certificate authority for the iDRAC's private key, follow the instructions below to install it on your iDRAC.
  • The steps need the racadm command line utility. If you do not have it, look up your server's service tag on the Dell support site, open the downloads for that system, and find racadm under the OpenManage utilities (or type "racadm" in the download search field).
  • Use the following commands:
    1. Upload the private key (-t 1 selects the web server key; the key must not be passphrase-protected):
      racadm -r <ip_address> -u root -p <password> sslkeyupload -t 1 -f /path/to/certificate_private.key
    2. Upload the certificate (-t 1 selects the web server certificate; it must be PEM/Base64 encoded and issued for the key uploaded in step 1):
      racadm -r <ip_address> -u root -p <password> sslcertupload -t 1 -f /path/to/domain_certificate.crt
    3. Restart the iDRAC so its web server loads the new certificate:
      racadm -r <ip_address> -u root -p <password> racreset

NOTE:
Remote RACADM prints a security alert such as "certificate is invalid" or "Certificate is not signed by Trusted Third Party" when the certificate the iDRAC currently presents is not trusted by the management station, which is the case until the new certificate is installed and its issuing CA is trusted. By default racadm reports the warning and continues, so the steps above run against the default self-signed certificate; you are trusting whatever answers at that IP address with the root password and the private key, so do this from a network you control. Once a trusted certificate is in place, add the -S option, which makes racadm check the iDRAC certificate and stop execution on certificate-related errors instead of proceeding.

4.Installing iDRAC Certificate on Linux Systems

  1. If the CA certificate was downloaded in DER (binary) format, convert it to PEM with the openssl command line tool. Note -inform der, and leave -text off this command: it would write the human-readable dump into the same file you append to the bundle in step 3.
    openssl x509 -inform der -in yourdownloadedderformatcert.crt -outform pem -out outcertfileinpemformat.pem
    To inspect the result, run: openssl x509 -in outcertfileinpemformat.pem -noout -text
  2. Find the location of the default CA certificate bundle on the management station.
    For example, for RHEL5 64-bit, it is /etc/pki/tls/cert.pem
  3. Append the PEM formatted CA certificate to the management station's CA certificate bundle.
    For example, run the cat command: cat testcacert.pem >> cert.pem
    On RHEL 7 and later (and derivatives), copy the file into /etc/pki/ca-trust/source/anchors/ and run update-ca-trust instead; an entry appended to cert.pem is lost the next time the ca-certificates package is updated.
  4. Configure the DNS settings on the management station so that the iDRAC's FQDN (the Common Name/SAN in the certificate) resolves, pointing at a DNS server for the domain the certificate was issued for.
  5. Run remote RACADM commands against the iDRAC FQDN rather than its IP address, because the name you connect to must match the certificate:
    racadm -r iDRAC-SSL-Certificate.xyz.com -u admin -p passwd getsysinfo

How to use SHA2 SSL certificate signing request and certificates with Dell iDRAC:

To use SHA2-based SSL certificates with the iDRAC on Dell PowerEdge servers such as the R620 and R720, you must generate the private key and certificate signing request on a separate host with OpenSSL, have the CSR signed by your CA, and then upload the resulting private key and certificate to the iDRAC.

5. How to create SHA2 SSL certificate signing request

The following are required:

    1. A Windows-based host with Dell's RACADM software installed (for uploading the private key and certificate to the iDRAC). Check Dell's web site for the latest version of the RACADM utility.
    2. The iDRAC must be running at least firmware version 2.21.21.21. Contact Dell to obtain this version of the iDRAC firmware. The firmware can be upgraded remotely with the following RACADM command:
      C:\Program Files\Dell\SysMgt\rac5>racadm.exe -r <idrac-ip> -u root -p <password> fwupdate -d <c:\path\to\firmimg.d7>
    3. A host with the OpenSSL suite installed, for the instructions below.

On the OpenSSL host:

      1. Generate a 2048-bit RSA private key and a SHA-256 signed CSR (you are prompted for a key passphrase; add -nodes to skip it, in which case step 2 is unnecessary):
        openssl req -newkey rsa:2048 -sha256 -keyout fqdn.key -out fqdn.csr
        As written, this CSR has no Subject Alternative Name. To include one, pass -config with an OpenSSL config file that sets subjectAltName in a req_extensions section, listing the same iDRAC FQDN you use as the CN.
      2. Remove the passphrase from the private key (the iDRAC does not accept passphrase-protected private keys):
        openssl rsa -in fqdn.key -out fqdn.key
      3. Optionally, view/check the key and the signing request:
        openssl rsa -in fqdn.key -check
        openssl req -in fqdn.csr -text -noout
      4. Submit the CSR to your certificate authority and obtain the signed certificate.
        iDRAC7 accepts only X.509, Base64 (PEM) encoded web server certificates.
      5. Optionally, view/check the certificate to make sure it is SHA-256/2048-bit (look for sha256WithRSAEncryption and a 2048-bit RSA public key):
        openssl x509 -in fqdn.pem -text -noout

Then on Windows with RACADM:

6. How to install SHA2 SSL certificate in Dell iDRAC

      1. Upload the private key to the iDRAC
        racadm.exe -r my-idrac-ip -u root -p calvin sslkeyupload -t 1 -f fqdn.key
      2. Upload the new certificate (the file your CA returned; fqdn.pem in the steps above)
        racadm.exe -r my-idrac-ip -u root -p calvin sslcertupload -t 1 -f fqdn.pem
      3. Reboot the iDRAC
        racadm.exe -r my-idrac-ip -u root -p calvin racreset

(calvin is Dell's factory-default root password; use the password actually set on your iDRAC.)

Wait 5 minutes for the reset to complete.
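The external procedure as one script, added here as an example; it is not part of the original guide or of Dell's tooling. It generates the key and a SHA-256 CSR that carries the Subject Alternative Name the browser needs (the point made at the top of this guide), checks the CSR, checks that the issued certificate matches the private key and chains to the CA file you intend to trust on the management station, and only then runs the same sslkeyupload / sslcertupload / racreset sequence as sections 3 and 6. The host name idrac-r720.example.com, the IP 192.0.2.10, the DN values, the function names and the IDRAC_PASSWORD environment variable are assumptions; nothing here contacts a real iDRAC unless you call install_idrac_cert yourself.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide: build an iDRAC key/CSR with a SAN,
# check the pieces, then upload with racadm. Names and addresses are placeholders.
set -eu

# make_idrac_csr <fqdn> <ip> <outdir>: writes <outdir>/<fqdn>.key and <outdir>/<fqdn>.csr.
# The CN alone is not enough for modern browsers; the FQDN (and the IP, if anyone
# browses to it by address) must also appear in subjectAltName.
make_idrac_csr() {
  local fqdn="$1" ip="$2" out="$3" short="${1%%.*}"
  mkdir -p "$out"
  cat > "$out/$fqdn.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
C  = US
ST = StateName
L  = LocName
O  = XYZ
OU = Unit1
CN = $fqdn
[v3_req]
subjectAltName = DNS:$fqdn, DNS:$short, IP:$ip
extendedKeyUsage = serverAuth
EOF
  # -nodes: unencrypted key, because the iDRAC cannot use a passphrase-protected one
  openssl req -new -newkey rsa:2048 -sha256 -nodes -config "$out/$fqdn.cnf" \
    -keyout "$out/$fqdn.key" -out "$out/$fqdn.csr" 2>/dev/null
  chmod 600 "$out/$fqdn.key"
}

# csr_has_san <csr> <entry>: succeeds if the SAN extension lists <entry>,
# e.g. "DNS:idrac-r720.example.com" or "IP Address:192.0.2.10".
csr_has_san() {
  local san
  san=$(openssl req -in "$1" -noout -text | awk '/Subject Alternative Name/ {getline; print; exit}')
  case "$san" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# csr_sig_alg <csr>: prints the CSR signature algorithm; expect sha256WithRSAEncryption.
csr_sig_alg() {
  openssl req -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}

# key_matches_cert <key> <cert>: succeeds if the certificate's public key is exactly
# the public half of <key>. Uploading a mismatched pair leaves the iDRAC web server
# unable to serve the new certificate after racreset.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# cert_chains_to <ca_bundle.pem> <cert>: succeeds if <cert> validates against the
# CA file you will install on the management station (section 4 above).
cert_chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# install_idrac_cert <idrac-host> <key> <cert> <ca_bundle.pem>: runs the checks, then
# the same sslkeyupload / sslcertupload / racreset sequence as the guide. The root
# password comes from the environment so it does not land in ps output or history.
install_idrac_cert() {
  local idrac="$1" key="$2" crt="$3" ca="$4"
  if [ -z "${IDRAC_PASSWORD:-}" ]; then echo "set IDRAC_PASSWORD in the environment" >&2; return 1; fi
  key_matches_cert "$key" "$crt" || { echo "private key does not match certificate" >&2; return 1; }
  cert_chains_to "$ca" "$crt"    || { echo "certificate does not chain to $ca" >&2; return 1; }
  racadm -r "$idrac" -u root -p "$IDRAC_PASSWORD" sslkeyupload  -t 1 -f "$key"
  racadm -r "$idrac" -u root -p "$IDRAC_PASSWORD" sslcertupload -t 1 -f "$crt"
  racadm -r "$idrac" -u root -p "$IDRAC_PASSWORD" racreset
}

# Typical run (the last step only makes sense against a real iDRAC):
#   make_idrac_csr idrac-r720.example.com 192.0.2.10 ./out
#   csr_has_san ./out/idrac-r720.example.com.csr DNS:idrac-r720.example.com && echo "SAN ok"
#   ... send ./out/idrac-r720.example.com.csr to the CA, get idrac-r720.example.com.pem back ...
#   IDRAC_PASSWORD='...' install_idrac_cert idrac-r720.example.com \
#       ./out/idrac-r720.example.com.key ./out/idrac-r720.example.com.pem ca.pem
```

The SAN lists the FQDN, the short host name and the management IP, so the certificate stays valid whichever of the three an operator types; if you never browse by IP, drop the IP entry so the certificate does not pin an address that may change. Connect with the FQDN afterwards and add -S to racadm once the CA is trusted on the management station.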

We hope this guide helped you with this easy process. If you are unable to use these instructions, Acmetek recommends that you contact either the vendor of your software or the hosting organization that supports it.
