
Unable to get CSR generated with 2048-bit key on iDRAC7

I am unable to get a CSR generated with a 2048-bit key.  Every time I tell it to generate a CSR it is generated with a 1024-bit key.

This is on a PowerEdge R620.  I have been able to generate CSRs with 2048-bit keys on three other servers with an iDRAC7 (they were R720s.)

I have already configured the cfgRacSecCsrKeySize setting, setting it to 2048.

I have also verified this setting using: racadm getconfig -g cfgRacSecurity -o cfgRacSecCsrKeySize, which reports 2048.

 

Another odd thing is I have read that the values that are allowed for this setting are 1024, 2048, and 4096.  Just to test things out, I ran: racadm config -g cfgRacSecurity -o cfgRacSecCsrKeySize 4096
I got the following: ERROR: The specified object value is not valid.

I have tried changing the cfgRacSecCsrKeySize setting back and forth from 1024 to 2048, I have reset the DRAC (racreset), and even reset to factory settings (racresetcfg), which did not help.

The latest version of OMSA/DRAC Tools is installed (OMSA 7.0.0).

 

Has anyone else had this happen, or have any other tips on how to get it working?


Re: Unable to get CSR generated with 2048-bit key on iDRAC7

Hi gnelson,

Thanks much for the detailed writeup of your issue.  Dell engineering is looking at this right now.

We're investigating why 2048 bit keys work on the R720 but not the R620 but need to know a little bit more about your environment. Just curious, do you get the 4096 bit error on the R720 and the R620?

Also, are you using pre-production servers?  I'm not sure if UT got some early units for testing but that might have something to do with your issue.

Thanks,

Peter


Re: Unable to get CSR generated with 2048-bit key on iDRAC7

Peter,

Both of our 620s were not able to generate a 2048-bit key (I just got a second 620 today.)  All three of our 720s were able to, so it is just the 620s we are having the problem with.

I do not think these are pre-production servers; one was purchased in May and the other was purchased late May / early June.


Re: Unable to get CSR generated with 2048-bit key on iDRAC7

Hi gnelson,

OK, thanks - seems like we are using the same hardware.  

I just got word from engineering that we are able to consistently generate 2048-bit keys on the R620s we have in our lab, so perhaps we have a mismatch on documentation or software?

Regarding the 4096 bit key, that is not an option on the 12th Generation servers per the RACADM users guide @

support.dell.com/.../cli.pdf  

You might have seen some older documentation that mentioned a 4096 bit key. Please use the newest docs for support info and command lines to create a CSR.

I got a few tips to help you troubleshoot your issue:

1. A simple way to know if the file generated is using a 1024, 2048 or higher key size is by looking at the first few characters of the CSR file. For example, if the CSR file begins with MIIB, it's 512-bit, if it's MIID it's 1024, and so on.

MIIC    ---   512-bits

MIID    ---   1024-bits

MIIE     ---   2048-bits

2. I'm pretty sure you are up to date to 7.0.0 based on your previous post, but just in case the download links are here:

Local:

www.dell.com/.../DriverFileFormats

Remote:

www.dell.com/.../DriverFileFormats

3. Not sure if you've seen our latest update to the RACADM page, it's mostly general info not entirely related to your issue, but it might be helpful

en.community.dell.com/.../3205.racadm-command-line-interface-for-drac.aspx

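Added example (not part of the original thread, and not Dell's code): the leading base64 characters of a CSR encode only the outer DER SEQUENCE header, that is, the total length of the request, so this code reads the RSA modulus size from the request's SubjectPublicKeyInfo instead. `make_sample_csr`, its dummy modulus, all-zero signature and the `idrac.example.test` subject are constructed for illustration.

```python
import base64

RSA_OID = bytes.fromhex("06092a864886f70d010101")      # rsaEncryption, as a full TLV
SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")   # sha256WithRSAEncryption

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):            # elements directly inside buf[start:end]
    out = []
    while start < end:
        out.append(_tlv(buf, start))
        start = out[-1][2]
    return out

def csr_rsa_key_bits(pem):
    """RSA modulus size in bits, read from the request's SubjectPublicKeyInfo."""
    der = base64.b64decode("".join(l.strip() for l in pem.splitlines() if "-----" not in l))
    _, s, e = _tlv(der, 0)                                # CertificationRequest
    _, s, e = _children(der, s, e)[0]                     # CertificationRequestInfo
    _, s, e = _children(der, s, e)[2]                     # version, subject, then SPKI
    alg, key = _children(der, s, e)
    if not der[alg[1]:alg[2]].startswith(RSA_OID):
        raise ValueError("not an RSA public key")
    _, s, e = _tlv(der, key[1] + 1)                       # skip unused-bits octet
    _, ms, me = _children(der, s, e)[0]                   # modulus INTEGER
    return int.from_bytes(der[ms:me], "big").bit_length()

def _der(tag, content):
    n = len(content)
    k = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + content

def make_sample_csr(bits, cn="idrac.example.test"):
    """Constructed sample: PKCS#10 layout with a dummy modulus and all-zero signature."""
    n = (1 << (bits - 1)) | 1
    rsa = _der(0x30, _der(0x02, n.to_bytes(bits // 8 + 1, "big")) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, _der(0x30, RSA_OID + b"\x05\x00") + _der(0x03, b"\x00" + rsa))
    atv = _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, cn.encode()))
    info = _der(0x30, b"\x02\x01\x00" + _der(0x30, _der(0x31, atv)) + spki + b"\xa0\x00")
    csr = _der(0x30, info + _der(0x30, SHA256_RSA + b"\x05\x00") + _der(0x03, bytes(bits // 8 + 1)))
    b64 = base64.encodebytes(csr).decode()                # wrapped lines, trailing newline
    return "-----BEGIN CERTIFICATE REQUEST-----\n" + b64 + "-----END CERTIFICATE REQUEST-----"
```

With these constructed samples, the 2048-bit request with the short subject begins with `MIIC` and the 1024-bit one with `MIIB`, while a 1024-bit request with a much longer subject also begins with `MIIC`.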

Re: Unable to get CSR generated with 2048-bit key on iDRAC7

Hello gnelson - we appreciate your help and we'll continue to do what we can to help figure this out.  Are you running remote Racadm on both?  Guessing you are, just need to confirm.  Engineers are a tad puzzled on this one since they don't have issues on either the 720 or 620.   We may need to share both sets of scripts/commands, and it's possible there is a config setting somewhere that's tripping this up.

Doug


Re: Unable to get CSR generated with 2048-bit key on iDRAC7

I had originally (last week when I first reported this) tried to generate CSRs using the DRAC's web interface, and then local racadm when that did not work.

From Peter's info, I see that they were actually using 512-bit keys (The CSRs start with "MIIC".)  I didn't even know 512 was an option...

The DRAC firmware was up-to-date, and I had even tried a re-install of the firmware.

DRAC Hardware Version: 0.01

Firmware Version: 1.06.06 (Build 15)

This morning I tried remote racadm (I do have the latest version for the iDRAC7), and I got a 1024-bit key (The CSR starts with "MIID".)  After generating this CSR I ran getconfig -g cfgRacSecurity -o cfgRacSecCsrKeySize, which still reported 2048.

So now, to summarise:

1. Generating a CSR using local racadm (latest version of OMSA installed) or the DRAC's web interface (latest version of firmware) uses a 512-bit key

2. Generating a CSR using remote racadm (latest racadm for the iDRAC7) uses a 1024-bit key

3. All three methods report cfgRacSecCsrKeySize = 2048


Re: Unable to get CSR generated with 2048-bit key on iDRAC7

Good to know that the first 4 characters tip helped you out a bit.

So it seems that you are getting a mismatch on what's being reported and what size key the CSR is actually using? Can you give me any more details that I can pass back to engineering so they can figure out what's going on?


Re: Unable to get CSR generated with 2048-bit key on iDRAC7

I'm not sure what other info I can provide that would be helpful.  The DRAC config is available here if this helps (I haven't noticed anything wrong in the config...)

https://webspace.utexas.edu/gn694/public/DRACconfig.txt

 

 


Re: Unable to get CSR generated with 2048-bit key on iDRAC7

Thanks gnelson.

Engineering is looking at your config file.

Quick question, are you also using the same config file on the R720?  We'd like to see if there are any differences between the R620 (not working) and R720 (working fine).  Also, if it's possible to share the keys that were output we could more fully debug this phenomenon.


Re: Unable to get CSR generated with 2048-bit key on iDRAC7

The config file I presented was from a getconfig command; it is not a config file that I am using to apply a config to the DRAC.

Here is one of the CSRs that was generated... webspace.utexas.edu/.../SampleR620CSR.txt

Let me know if you want anything else (if you do, I'll probably need instructions on where to get it, I don't know where to get the private key that is generated, etc.)

Thanks for your help with this.
