
Unsolved

June 14th, 2012 12:00

Unable to get CSR generated with 2048-bit key on iDRAC7

I am unable to get a CSR generated with a 2048-bit key.  Every time I tell it to generate a CSR it is generated with a 1024-bit key.

This is on a PowerEdge R620.  I have been able to generate CSRs with 2048-bit keys on three other servers with an iDRAC7 (they were R720s.)

I have already configured the cfgRacSecCsrKeySize setting, setting it to 2048.

I have also verified this setting using: racadm getconfig -g cfgRacSecurity -o cfgRacSecCsrKeySize, which reports 2048.

 

Another odd thing is I have read that the values that are allowed for this setting are 1024, 2048, and 4096.  Just to test things out, I ran: racadm config -g cfgRacSecurity -o cfgRacSecCsrKeySize 4096
I got the following: ERROR: The specified object value is not valid.

I have tried changing the cfgRacSecCsrKeySize setting back and forth from 1024 to 2048, I have reset the DRAC (racreset), and even reset to factory settings (racresetcfg), which did not help.

The latest version of OMSA/DRAC Tools is installed (OMSA 7.0.0).

 

Has anyone else had this happen, or have any other tips on how to get it working?

272 Posts

June 15th, 2012 10:00

Hi gnelson,

Thanks much for the detailed writeup of your issue.  Dell engineering is looking at this right now.

We're investigating why 2048 bit keys work on the R720 but not the R620 but need to know a little bit more about your environment. Just curious, do you get the 4096 bit error on the R720 and the R620?

Also, are you using pre-production servers?  I'm not sure if UT got some early units for testing but that might have something to do with your issue.

Thanks,

Peter

June 15th, 2012 14:00

Peter,

Both of our 620s were not able to generate a 2048-bit key (I just got a second 620 today.)  All three of our 720s were able to, so it is just the 620s we are having the problem with.

I do not think these are pre-production servers; one was purchased in May and the other was purchased late May / early June.

272 Posts

June 18th, 2012 09:00

Hi gnelson,

OK, thanks - seems like we are using the same hardware.  

I just got word from engineering that we are able to consistently generate 2048-bit keys on the R620s we have in our lab, so perhaps we have a mismatch on documentation or software?

Regarding the 4096 bit key, that is not an option on the 12th Generation servers per the RACADM users guide @

support.dell.com/.../cli.pdf  

You might have seen some older documentation that mentioned a 4096 bit key. Please use the newest docs for support info and command lines to create a CSR.

I got a few tips to help you troubleshoot your issue:

1. A simple way to know if the file generated is using 1024 or 2048 or higher key size is by looking at the first few characters of the CSR file. For example, if the CSR file begins with MIIB, it's 512-bit, if it's MIID it's 1024 and so on.

MIIC    ---   512-bits

MIID    ---   1024-bits

MIIE     ---   2048-bits

2. I'm pretty sure you are up to date to 7.0.0 based on your previous post, but just in case the download links are here:

Local:

www.dell.com/.../DriverFileFormats

Remote:

www.dell.com/.../DriverFileFormats

3. Not sure if you've seen our latest update to the RACADM page, it's mostly general info not entirely related to your issue, but it might be helpful

en.community.dell.com/.../3205.racadm-command-line-interface-for-drac.aspx
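The first characters of a PEM CSR are the base64 encoding of the outer DER SEQUENCE header, so they reflect the total encoded length of the request (key, signature, subject and attributes together). The following is an added example, not part of the original posts, that reads the RSA modulus size from the CSR itself; `constructed_csr` and its host name are assumptions that build CSR-shaped samples with a dummy modulus and signature.

```python
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")          # rsaEncryption
SIG_OID = bytes.fromhex("2a864886f70d01010b")          # sha256WithRSAEncryption

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def children(buf, start, end):                          # elements inside buf[start:end]
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def csr_rsa_bits(pem):
    """RSA modulus size in bits of a PKCS#10 CSR (signature not verified)."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    info = children(der, *read_tlv(der, 0)[1:])[0]      # CertificationRequestInfo
    spki = children(der, *info[1:])[2]                  # after version and subject
    alg, key = children(der, *spki[1:])[:2]             # AlgorithmIdentifier, BIT STRING
    oid = children(der, *alg[1:])[0]
    if der[oid[1]:oid[2]] != RSA_OID:
        raise ValueError("not an RSA key")
    rsa = read_tlv(der, key[1] + 1)                     # skip the unused-bits octet
    mod = children(der, *rsa[1:])[0]
    return int.from_bytes(der[mod[1]:mod[2]], "big").bit_length()

def tlv(tag, body):                                     # DER encoder for the samples only
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + head + body

def constructed_csr(bits, cn="idrac.example.test"):
    """Constructed sample: CSR-shaped DER with dummy modulus and signature."""
    mod = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = tlv(0x30, tlv(0x02, mod) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID) + b"\x05\x00") + tlv(0x03, b"\x00" + rsa))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    info = tlv(0x30, b"\x02\x01\x00" + name + spki + tlv(0xA0, b""))
    der = tlv(0x30, info + tlv(0x30, tlv(0x06, SIG_OID) + b"\x05\x00") + tlv(0x03, bytes(1 + bits // 8)))
    return "-----BEGIN CERTIFICATE REQUEST-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE REQUEST-----\n"
```

`csr_rsa_bits` accepts the text of any PEM-encoded RSA CSR; with the constructed samples, the same 2048-bit key begins with different leading characters once the subject is made longer.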

11 Posts

June 18th, 2012 09:00

Hello gnelson - we appreciate your help and we'll continue to do what we can to help figure this out.  Are you running remote Racadm on both?  Guessing you are, just need to confirm.  Engineers are a tad puzzled on this one since they don't have issues on either the 720 or 620.   We may need to share both sets of scripts/commands, and it's possible there is a config setting somewhere that's tripping this up.  

Doug

June 18th, 2012 10:00

I had originally (last week when I first reported this) tried to generate CSRs using the DRAC's web interface, and then local racadm when that did not work.

From Peter's info, I see that they were actually using 512-bit keys (The CSRs start with "MIIC".)  I didn't even know 512 was an option...

The DRAC firmware was up-to-date, and I had even tried a re-install of the firmware.

DRAC Hardware Version: 0.01

Firmware Version: 1.06.06 (Build 15)

This morning I tried remote racadm (I do have the latest version for the iDRAC7), and I got a 1024-bit key (The CSR starts with "MIID".)  After generating this CSR I ran getconfig -g cfgRacSecurity -o cfgRacSecCsrKeySize, which still reported 2048.

So now, to summarise:

1. Generating a CSR using local racadm (latest version of OMSA installed) or the DRAC's web interface (latest version of firmware) uses a 512-bit key

2. Generating a CSR using remote racadm (latest racadm for the iDRAC7) uses a 1024 bit key

3. All three methods report cfgRacSecCsrKeySize = 2048

272 Posts

June 20th, 2012 16:00

Good to know that the first 4 characters tip helped you out a bit.

So it seems that you are getting a mismatch on what's being reported and what size key the CSR is actually using? Can you give me any more details that I can pass back to engineering so they can figure out what's going on?

June 21st, 2012 10:00

I'm not sure what other info I can provide that would be helpful.  The DRAC config is available here if this helps (I haven't noticed anything wrong in the config...)

https://webspace.utexas.edu/gn694/public/DRACconfig.txt

 

 

272 Posts

June 25th, 2012 13:00

Thanks gnelson.

Engineering is looking at your config file.

Quick question, are you also using the same config file on the R720?  We'd like to see if there are any differences between the R620 (not working) and R720 (working fine).  Also, if it's possible to share the keys that were output we could more fully debug this phenomenon.

June 27th, 2012 13:00

The config file I presented was from a getconfig command, it is not a config file that I am using to apply a config to the DRAC.

Here is one of the CSRs that was generated... webspace.utexas.edu/.../SampleR620CSR.txt

Let me know if you want anything else (if you do, I'll probably need instructions on where to get it, I don't know where to get the private key that is generated, etc.)

Thanks for your help with this.

10 Posts

July 12th, 2012 13:00

Just to confirm that I too am seeing CSRs with only a 1024 bit key on a R320 with firmware version 1.10.10 (Build 20). Is there any progress on getting this issue fixed?

10 Posts

July 23rd, 2012 10:00

I've updated to a later firmware and I'm still only getting 1024 bit CSR returned. I'm currently running iDRAC firmware version 1.20.20 (Build 24) and openssl is telling me this is a 1024 bit CSR.

Could this be an Express/Enterprise limitation as it's only an iDRAC Express?

272 Posts

July 23rd, 2012 16:00

Hi guys, sorry I've been away for a while. I'm still bugging Dell engineering (I work for Dell) to develop a fix.  They are well aware of the issue.

10 Posts

July 24th, 2012 02:00

As a workaround is it possible to generate the CSR externally (using OpenSSL) and then upload the key and certificate together?

10 Posts

July 25th, 2012 08:00

After generating the CSR with sslcsrgen how can I download the CSR file? I am connecting to my iDRAC Express with SSH.

July 25th, 2012 08:00

Hi gnelson,

This is Anshul Simlote working for DELL.

Please try generating the CSR Certificate using the command line interface.

Generating the CSR using the WEB GUI Interface may result in a 1024 bit CSR.

You can use the Command Line Interface (CLI) using RACADM / Remote RACADM.

Commands to generate a CSR Certificate of key size 1024 or 2048 through RACADM are:

- racadm getconfig -g cfgracsecurity

- racadm config -g cfgracsecurity -o cfgRacSecCsrKeySize 1024 or 2048

- racadm config -g cfgracsecurity -o cfgRacSecCsrCommonName CN

Specifies the CSR Common Name (CN) that must be an IP or CMC name as given in the certificate.

- racadm config -g cfgracsecurity -o cfgRacSecCsrOrganizationName O

Specifies the CSR Organization Name (O).

- racadm config -g cfgracsecurity -o cfgRacSecCsrOrganizationUnit OU

Specifies the CSR Organization Unit (OU).

- racadm config -g cfgracsecurity -o cfgRacSecCsrLocalityName L

Specifies the CSR Locality (L).

- racadm config -g cfgracsecurity -o cfgRacSecCsrStateName S

Specifies the CSR State Name (S).

- racadm config -g cfgracsecurity -o cfgRacSecCsrCountryCode CC

Specifies the CSR Country Code (CC).

- racadm config -g cfgracsecurity -o cfgRacSecCsrEmailAddr Email

Specifies the CSR email address.

- racadm sslcsrgen [-g] [-f ]

The above commands work fine with the R620 in our lab.

You can refer to the RACADM Command Line Reference Guide for iDRAC7 available at

<ADMIN NOTE: Broken link has been removed from this post by Dell>

page number 210.

Hope it helps.

With Best Regards:

Anshul Simlote
