
1 Rookie · 19 Posts · December 2nd, 2019 13:00

Uploading a private CA (root/intermediate) certificate to iDRAC?

Hi all,

We have already uploaded a signed certificate from our private CA.
We are having our iDRAC scanned for security vulnerabilities by Qualys.
Our iDRAC is on a network segregated from the production network by ACLs.

We granted Qualys access to scan iDRAC in order to keep compliant with PCI-DSS and FIPS requirements.
Qualys is reporting the certificate is not trusted.

Our browsers trust our private CA, but PCI requirements won't allow Qualys to trust our private CA.
Our only solution is to upload our CA bundle to the iDRAC.

 

As per the TLS spec, server certificates can include the CA bundle in the same file in the following format:
server certificate, then intermediate CA, then root CA.

So there would be 3 BEGIN CERTIFICATE lines and 3 END CERTIFICATE lines.

I did successfully integrate the 3 certificates into one file in the above format. But the iDRAC indicates that the certificate is invalid and to check it in OpenSSL. I was able to verify the certificate in OpenSSL without issues.

Please advise how we can upload all 3 certificates.

4 Operator · 3K Posts · December 3rd, 2019 19:00

In iDRAC, once you upload a certificate you cannot upload the same certificate again. You are seeing the error message because of this. Can you try the steps below?

  1. Create a CSR from iDRAC
  2. Get it signed using your private CA
  3. Combine the signed certificate, intermediate CA and root CA certificates using the command below
    • openssl crl2pkcs7 -nocrl -certfile server.pem -certfile int.pem -certfile root.pem -out server_chain.p7b
  4. Convert to Base64 format using the command below
    • openssl pkcs7 -print_certs -in server_chain.p7b -out server_chain.pem
  5. Try to upload the Base64 format certificate to iDRAC

1 Rookie · 19 Posts · December 2nd, 2019 13:00

https://certsimple.com/help/combining-intermediate-and-certificate

This was the instructions I followed to combine the certificates.

4 Operator · 3K Posts · December 2nd, 2019 21:00

To upload a certificate chain to iDRAC you need to follow the steps below. Combining 2 certificates into one file will not work for iDRAC.

  1. Combine the certificates into a PKCS #7 (.p7b) file using the openssl command below.
    • openssl crl2pkcs7 -nocrl -certfile iDRACcertificate.cer -certfile intermediateCA.cer -certfile rootCA.cer -out certificateChain.p7b
  2. Convert the PKCS #7 (.p7b) file to Base64 (PEM) format using the openssl command below. This is required as iDRAC only supports uploading Base64 format certificates.
    • openssl pkcs7 -print_certs -in certificateChain.p7b -out certificateChain.cer

Now you can upload "certificateChain.cer" to iDRAC.

1 Rookie · 19 Posts · December 3rd, 2019 10:00

Hi, unfortunately these steps also fail with the same error.

I downloaded the SSL certificate from iDRAC and then combined it with our intermediate and root certificates using the commands you provided:

openssl crl2pkcs7 -nocrl -certfile server.pem -certfile int.pem -certfile root.pem -out server_chain.p7b
openssl pkcs7 -print_certs -in server_chain.p7b -out server_chain.pem

I then verified the certificate with

openssl x509 -noout -text -in server_chain.pem

Then I tried to upload and got this error.

RAC0622: An invalid certificate file is uploaded. Make sure the CA certificate and private key are correct and retry the operation. The certificate can be validated using the OpenSSL tools.

 

I also tried to rename the pem file to "chain.cer" and upload, but still no success.

1 Rookie · 19 Posts · December 5th, 2019 11:00

Hi Shine. Thanks for that detail about not uploading a new cert until a new CSR is generated.
I was able to upload the new combined cert once I did that and got it signed.

 

However, I will point out that it is advised NOT to combine the *Root* CA into the certificate. Only *intermediate* certificates are required, and we got a warning from our cert checker tool about it once we uploaded. So I am generating a new CSR now and will combine only the intermediate cert with the server cert going forward.

 

Thanks again for your great help!
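
A runnable version of the procedure Shine lays out above (fresh CSR, sign with the private CA, crl2pkcs7, pkcs7 -print_certs), with the checks this thread shows are worth doing before the upload: that the chain file really holds more than one certificate (openssl x509 -text only decodes the first, which is why that check passed while the upload failed), that the leaf belongs to the CSR you just generated, and the two chain layouts discussed here, with the root and with the intermediate only as the December 5th post recommends. The same sequence is repeated with a signing command in the November 2024 post below, so this covers that too. This is an added example, not code from the thread or from Dell. It stands up a throwaway root and intermediate CA and a stand-in iDRAC key and CSR so it runs offline; in real use the private key never leaves the iDRAC and only the CSR is downloaded. All file names, subjects and the host name idrac.example.internal are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from Dell): build an iDRAC-style
# certificate chain with OpenSSL and check it before uploading.
# Everything is constructed locally so it runs offline: a throwaway root CA,
# an intermediate CA, and a key + CSR standing in for the iDRAC's own. In real
# use the private key never leaves the iDRAC; you only download the CSR.
# File names, subjects and the host name idrac.example.internal are assumptions.
set -eu

# Throwaway private CA (root + intermediate) with explicit CA extensions, so the
# example does not depend on whatever the system openssl.cnf puts in v3_ca.
make_test_pki() {
    local d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:idrac.example.internal\n' > "$d/server.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
        -subj "/CN=Example Private Root CA" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
        -subj "/CN=Example Private Issuing CA" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 1825 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    # Stand-in for step 1 of the thread ("create a CSR from iDRAC").
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/idrac.key" -out "$d/idrac.csr" \
        -subj "/CN=idrac.example.internal" 2>/dev/null
}

# Step 2: the private CA's intermediate signs the iDRAC CSR.
sign_csr() {
    local d=$1
    openssl x509 -req -in "$d/idrac.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 365 -extfile "$d/server.ext" -out "$d/server.pem" 2>/dev/null
}

# Steps 3-4: PKCS#7 bundle, then back to Base64/PEM. Built twice: once with the
# root (as first posted) and once with the intermediate only (as later advised).
build_chains() {
    local d=$1
    openssl crl2pkcs7 -nocrl -certfile "$d/server.pem" -certfile "$d/int.pem" \
        -certfile "$d/root.pem" -out "$d/chain_with_root.p7b"
    openssl pkcs7 -print_certs -in "$d/chain_with_root.p7b" -out "$d/chain_with_root.pem"
    openssl crl2pkcs7 -nocrl -certfile "$d/server.pem" -certfile "$d/int.pem" \
        -out "$d/server_chain.p7b"
    openssl pkcs7 -print_certs -in "$d/server_chain.p7b" -out "$d/server_chain.pem"
}

# How many certificates a PEM file holds. 'openssl x509 -text' only ever decodes
# the first one, so it cannot tell you whether the chain survived conversion.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# The leaf must carry the public key from the CSR the iDRAC generated. The fix in
# the thread was a fresh CSR signed anew; this confirms the leaf belongs to it.
leaf_matches_csr() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl req -in "$2" -noout -pubkey)" ]
}

# Full path validation of the intermediate-only chain file: the root comes from
# the trust store (here -CAfile), the intermediate from the chain file itself.
verify_chain() {
    local d=$1
    if openssl verify -CAfile "$d/root.pem" -untrusted "$d/server_chain.pem" \
            "$d/server.pem" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

WORK=$(mktemp -d)
make_test_pki "$WORK"
sign_csr "$WORK"
build_chains "$WORK"
echo "with root:         $(cert_count "$WORK/chain_with_root.pem") certificates"
echo "intermediate only: $(cert_count "$WORK/server_chain.pem") certificates"
echo "leaf matches CSR:  $(leaf_matches_csr "$WORK/server.pem" "$WORK/idrac.csr" && echo yes || echo no)"
echo "chain validates:   $(verify_chain "$WORK")"
echo "upload $WORK/server_chain.pem to the iDRAC"
```

Run it as is to see the two chain files and the checks; for a real iDRAC, replace the stand-in key and CSR step with the CSR downloaded from the iDRAC, sign that with your CA, and upload server_chain.pem. The pkcs7 -print_certs output carries subject= and issuer= text lines between the certificates; OpenSSL's PEM reader ignores them, which is what the verify_chain step confirms.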

2 Posts · October 8th, 2020 00:00

Hi Shine,

This works great for iDRAC9 FW 4.10+.

I have had no luck with iDRAC8 FW 2.75. Can you please take a look if it is possible to upload intermediate + host certificate to iDRAC7/8?

Thanks

Thomas

4 Operator · 3K Posts · October 8th, 2020 02:00

I am able to upload a chain certificate to iDRAC 7/8 with the same steps. Can you let me know where exactly you are seeing the failure? Is the upload of the chain certificate to iDRAC failing? If yes, let me know if you see any specific error message.

2 Posts · October 8th, 2020 06:00

Hi Shine,

I repeated the whole process from csrgen to sslcertupload. It works flawlessly on iDRAC 7 and 8.

I probably hit a corner case when I first tried to upload the same certificate as was already installed with the intermediate attached.

Thanks for looking into it.

Cheers Thomas

1 Rookie · 7 Posts · July 26th, 2023 08:00

Link no longer works. This thread joins the hundreds of other threads at the top of google search results that just offer links that no longer work.

1 Rookie · 3 Posts · November 25th, 2024 15:59

Create a CSR from iDRAC. The CSR should auto-download from your iDRAC after it is created.
Get it signed using your private key and your bundled certificate (these should already exist from your SSL/webhost provider):
openssl x509 -req -in idrac.csr -days 365 -CA bundled.crt -CAkey private-ssl.key -CAcreateserial -out idrac-csr.signed
Combine the signed certificate, intermediate CA and root CA certificate using the command below; you will need to separate your BUNDLED CRT into the intermediate and root crt.
You can use the link here to figure out how to separate your bundle if you do not know how:
openssl crl2pkcs7 -nocrl -certfile idrac-csr.signed -certfile intermediate.crt -certfile root.crt -out server_chain.p7b
Next, convert the server_chain.p7b to Base64 using the command:
openssl pkcs7 -print_certs -in server_chain.p7b -out server_chain.pem
Next, upload the server_chain.pem to the iDRAC. It will prompt you to restart the iDRAC; you will be stuck using the old certificate until the iDRAC resets. This will not reboot your machine, it will only restart your iDRAC. During this time, your iDRAC will not be accessible.
Profit.
Credit goes to Shine for the main explanation, which when I did it the first time was not enough, so I added this to complete the process.
