iDRAC Web Server Certificate Management

This wiki post is written by Shine KA and Hareesh V from Dell iDRAC team


Introduction

iDRAC includes a Web server that is configured to use the industry-standard SSL security protocol to transfer encrypted data over a network. Built upon asymmetric encryption technology, SSL is widely accepted for providing authenticated and encrypted communication between clients and servers to prevent eavesdropping across a network. The iDRAC Web GUI, Remote Racadm, WSMAN and VMCLI all use the iDRAC SSL certificate for communication.

The encryption process provides a high level of data protection. iDRAC employs the 128-bit SSL encryption standard, the most secure form of encryption generally available for Internet browsers.

The iDRAC Web server has a Dell self-signed unique SSL digital certificate by default. You can replace the default SSL certificate with a certificate signed by a well-known Certificate Authority (CA). A Certificate Authority is a business entity that is recognized in the Information Technology industry for meeting high standards of reliable screening, identification, and other important security criteria. Examples of CAs include Thawte and VeriSign. This document describes the different methods iDRAC supports for replacing its default self-signed certificate.


Uploading SSL/Signing Certificate to iDRAC

There are three different ways to upload a custom SSL certificate to iDRAC. You can use the iDRAC Web GUI, Racadm or the WSMAN interface for the upload.
  • Uploading an SSL certificate to iDRAC using a CSR created from iDRAC
  • Uploading an SSL certificate to iDRAC using a private / public key pair
  • Uploading a signing certificate to iDRAC
Note: iDRAC restarts after the upload and is not available for some time.


Uploading SSL Certificate to iDRAC using CSR method

This method uses a CSR (Certificate Signing Request) created from iDRAC to upload an SSL certificate to iDRAC. You need to have the CSR file created from iDRAC signed and upload the resulting certificate back to iDRAC. iDRAC supports only certificates in Base64 format. You can use the Racadm or Web GUI interface to configure SSL on iDRAC using this method. Before creating the CSR from iDRAC, you can specify the following certificate properties in iDRAC. These properties are used by iDRAC when creating the CSR.
  • CommonName
  • OrganizationName
  • OrganizationUnit
  • LocalityName
  • StateName
  • CountryCode
  • EmailAddr
  • KeySize
Note: Key size can be configured only through racadm.


Using Racadm


You need to follow the four steps below to upload an SSL certificate to iDRAC using racadm.


Step 1: Configure Certificate properties on iDRAC

If you have iDRAC7 with firmware 1.30.30 or above, or iDRAC8, you can run the following racadm commands to configure the certificate properties.

Configuring the iDRAC security CSR properties

The commands that are used to configure these properties are:
  • Key size: racadm set iDRAC.Security.CsrKeySize <Key size>
  • Common name: racadm set iDRAC.Security.CsrCommonName <Common Name>
  • Organization name: racadm set iDRAC.Security.CsrOrganizationName <Organization Name>
  • Organization unit: racadm set iDRAC.Security.CsrOrganizationUnit <Organization Unit>
  • Locality name: racadm set iDRAC.Security.CsrLocalityName <Location>
  • State name: racadm set iDRAC.Security.CsrStateName <State Name>
  • Country code: racadm set iDRAC.Security.CsrCountryCode <Country Code>
  • Email address: racadm set iDRAC.Security.CsrEmailAddr <Email Address>

Figure 1: Configuration 1

Once all the sub-attributes of the group "iDRAC.Security" have been configured, you can run the command shown below to verify the settings.

Figure 2: Configuration 2

If you have iDRAC6, or iDRAC7 with a firmware level lower than 1.30.30, you can run the following Racadm commands to configure the certificate properties. These commands can be run from Local, Remote or Firmware Racadm.

Configuring the iDRAC security CSR properties

The commands that are used to configure these properties are:
  • Key size: racadm config -g cfgRacSecurity -o cfgRacSecCsrKeySize <Key size>
  • Common name: racadm config -g cfgRacSecurity -o cfgRacSecCsrCommonName <Common Name>
  • Organization name: racadm config -g cfgRacSecurity -o cfgRacSecCsrOrganizationName <Organisation Name>
  • Organization unit: racadm config -g cfgRacSecurity -o cfgRacSecCsrOrganizationUnit <Organisation Unit>
  • Locality name: racadm config -g cfgRacSecurity -o cfgRacSecCsrLocalityName <Location>
  • State name: racadm config -g cfgRacSecurity -o cfgRacSecCsrStateName <State Name>
  • Country code: racadm config -g cfgRacSecurity -o cfgRacSecCsrCountryCode <Country Code>
  • Email address: racadm config -g cfgRacSecurity -o cfgRacSecCsrEmailAddr <Email Address>

Figure 3: Configuration 3

Once all the sub-attributes of the group "cfgRacSecurity" have been configured, you can run the command shown below to verify the settings.

Figure 4: Configuration 4

Step 2: Create and Download CSR from iDRAC

You can run the following command to generate and download a CSR from iDRAC. This command is only supported from Local and Remote Racadm.

The sslcsrgen command has the following options:
racadm sslcsrgen -g -f <filename.txt>
  • -g: Generate a new Certificate Signing Request (CSR).
  • -f: Specifies the file that will hold the CSR.

Figure 5: Configuration 5

Step 3: Sign the CSR downloaded from iDRAC using any third party certificate authority

Sign the CSR file downloaded from iDRAC using any third party certificate authority.

Step 4: Upload signed certificate back to iDRAC

Once you have the signed certificate, you can upload it back to iDRAC using the Racadm command shown below. This command is only supported from Local and Remote Racadm. Once you upload the certificate, iDRAC reboots and is not accessible for some time.

Figure 6: Configuration 6

Using WEBGUI
Step 1: Configure Certificate properties on iDRAC

To upload a certificate using a CSR you first need to configure the certificate properties in the GUI. Login to iDRAC and traverse to the iDRAC Settings -> Network -> SSL page and select the "Generate Certificate Signing Request (CSR)" option for creating the CSR. On the "Generate Certificate Signing Request (CSR)" page, fill in all fields with the certificate information.

Step 2: Create and Download CSR from iDRAC

To generate and save the CSR from iDRAC, click the "Generate" button and save the file.

Figure 7: Configuration 7

Step 3: Get CSR signed by using any third party certificate authority

Get the CSR file obtained from iDRAC signed by any third party certificate authority.

Step 4: Upload signed certificate back to iDRAC

Traverse to the iDRAC Settings -> Network -> SSL page to upload the Server Certificate. Select the "Upload Server Certificate" option to upload the certificate. Browse to the signed certificate file and click Apply to upload the signed certificate. iDRAC resets once the certificate is uploaded.

Figure 8: Configuration 8

Uploading SSL Certificate to iDRAC using Key Pair
In this method you create a private key and obtain a signed certificate for its public key from a CA. Once the key and certificate have been created, you can use the Racadm, WSMAN or Web GUI interfaces to upload the key and certificate to iDRAC.

Using Racadm
With Racadm you first need to upload the private key to iDRAC. This private key must not have a passphrase. Once you have uploaded the private key, you can upload the corresponding certificate using Racadm.

Step 1: Uploading private key to iDRAC

You can run "sslkeyupload" racadm command to upload private key to iDRAC. This command is supported from Local and Remote Racadm interface.

Figure 9: Uploading

Step 2: Uploading certificate to iDRAC

You can run "sslcertupload" racadm command to upload the certificate to iDRAC. This command is supported from Local and Remote Racadm interface.

Figure 10: Uploading2

Using Web GUI
Using the Web GUI you cannot upload the private key, so you first need to upload the key using racadm as described in the step above. Once the private key is uploaded, you can use the iDRAC Web GUI to upload the certificate. Login to iDRAC and traverse to the iDRAC Settings -> Network -> SSL page to upload the Server Certificate. Select the "Upload Server Certificate" option to upload the certificate. iDRAC resets once the certificate is uploaded.

Figure 11: Uploading3

Using WSMAN
To upload a certificate using WSMAN you first need to create a base64 format PKCS file containing the certificate and the private key. This private key must not have a passphrase. Once the private key and certificate have been created, follow the steps below to upload the certificate to iDRAC.

Step 1: Create a base64 format PKCS file with private key and certificate

In this step you create a PKCS file containing the private key and the certificate, and then encode it in base64. You need openssl commands to achieve this.
  • Combine the private key and the certificate into a single file
Use the Linux cat command to combine the custom certificate and the private key (without passphrase) into a single file.

Figure 12: Base 64 format
  • Create the PKCS file
Use the Linux openssl pkcs12 command to create a pkcs12 file from the combined certificate and private key file. Provide a password when asked.

Figure 13: Base 64 format
  • Convert the PKCS file to Base 64 format

Figure 14: Base 64 format

"pkcsCertificateb64.p12" is the base64-encoded PKCS file. The content of this file is used when uploading the certificate using WSMAN.

Step 2: Upload base 64 PKCS certificate to iDRAC

Now you need to upload the base64 format PKCS certificate to iDRAC using a WSMAN command. For this you create one XML file with the certificate data, then upload the file to iDRAC using the WSMAN command.
  • Create an XML file with the certificate details

    In this step you create an XML file with the certificate details. Refer to the screenshot below for a sample XML file.

    Figure 15: Base 64 format
Note: Type must be "server". Copy the content of the base64 PKCS certificate file obtained in Step 1c between the opening and closing tags of the certificate element. Specify the PKCS file password in the PKCS12pin field.
  • Upload the certificate to iDRAC using WSMAN

Run the WSMAN command shown below to upload the certificate to iDRAC.

Figure 16: Base 64 format
Note: "uploadCertificate.xml" is the file with the certificate content as shown in the previous step 2a.
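As an added example (not part of the article), the following Python script performs Step 1c and Step 2a without hand-editing: it base64-encodes the PKCS#12 file and writes the WSMAN input XML, then reads the file back so you can confirm the embedded bundle decodes to the original bytes before uploading. The method name DCIM_LCService.SetCertificateAndPrivateKey, its namespace and the element names Type, PKCS12 and PKCS12pin are assumptions taken from the Lifecycle Controller profile; the page itself only shows that Type is "server" and that the password goes in PKCS12pin.

```python
"""Build the WSMAN input file for uploading a PKCS#12 bundle to iDRAC.

Added example, not the article's own tooling. The WSMAN method name
(DCIM_LCService.SetCertificateAndPrivateKey), its schema namespace and the
element names Type / PKCS12 / PKCS12pin are assumptions from the Lifecycle
Controller profile; the article only shows Type="server" and PKCS12pin.
"""
import base64
import sys
import xml.etree.ElementTree as ET

# Assumed namespace of the DCIM_LCService class (not shown on the page).
LC_NS = "http://schemas.dell.com/wbem/wscim/1/cim-schema/2/DCIM_LCService"
ET.register_namespace("p", LC_NS)


def pkcs12_to_base64(p12_bytes: bytes) -> str:
    """Base64-encode a binary PKCS#12 file (what Step 1c's openssl base64 step produces)."""
    # A PKCS#12 (PFX) file is a DER SEQUENCE, so it always starts with 0x30.
    if not p12_bytes.startswith(b"\x30"):
        raise ValueError("input does not look like a DER-encoded PKCS#12 file")
    return base64.b64encode(p12_bytes).decode("ascii")


def build_upload_xml(p12_b64: str, pkcs12_pin: str, cert_type: str = "server") -> str:
    """Return the XML body for the upload; the article requires Type to be "server"."""
    root = ET.Element(f"{{{LC_NS}}}SetCertificateAndPrivateKey_INPUT")
    ET.SubElement(root, f"{{{LC_NS}}}Type").text = cert_type
    # The base64 PKCS#12 content goes between the PKCS12 tags; the password
    # chosen in Step 1b goes in PKCS12pin.
    ET.SubElement(root, f"{{{LC_NS}}}PKCS12").text = p12_b64
    ET.SubElement(root, f"{{{LC_NS}}}PKCS12pin").text = pkcs12_pin
    return ET.tostring(root, encoding="unicode")


def parse_upload_xml(xml_text: str):
    """Read back (Type, decoded PKCS#12 bytes, PKCS12pin) to check a file before uploading."""
    root = ET.fromstring(xml_text)
    text = lambda name: root.findtext(f"{{{LC_NS}}}{name}", default="")
    return text("Type"), base64.b64decode(text("PKCS12")), text("PKCS12pin")


if __name__ == "__main__":
    # Usage: python build_upload_xml.py pkcsCertificate.p12 <pkcs12 password> > uploadCertificate.xml
    with open(sys.argv[1], "rb") as f:
        sys.stdout.write(build_upload_xml(pkcs12_to_base64(f.read()), sys.argv[2]))
```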

Uploading Signing Certificate to iDRAC


This feature is only supported on iDRAC7 from firmware 1.30.30 onwards. Using this method you can make sure every iDRAC has a unique signed SSL certificate, without creating and uploading a separate unique signed certificate to each iDRAC. You upload the signing certificate from the CA to each iDRAC. iDRAC then creates a certificate using the iDRAC DNS name, or the host name (if the DNS name is not available), or the IPv4 address (if neither the DNS name nor the host name is available) as the common name. This certificate is signed by the uploaded signing certificate.

The signing certificate must be in PKCS#12 format and the PKCS file must contain the private key as well. The PKCS file can be with or without a passphrase. Because this private key is stored on every iDRAC it is uploaded to, a compromise of any one iDRAC exposes the signing key, so a dedicated signing certificate for this purpose is preferable to a CA key that is trusted more widely.

Using Racadm
You need to use "sslcertupload" racadm command to upload signing certificate to iDRAC. This command is only supported from Local or Remote racadm.

Upload signing certificate without passphrase

Figure 17: Upload sign in certificate

Upload signing certificate with passphrase

Figure 18: Upload sign in certificate

Using Web GUI
You can also upload the signing certificate using the iDRAC Web GUI. The PKCS#12 password is an optional field and is only required if the PKCS file has a password.

Figure 19: Upload sign in certificate


Viewing SSL/Signing certificate on iDRAC

Once a custom SSL or signing certificate has been uploaded to iDRAC, you can use the Racadm and iDRAC GUI interfaces to check the currently uploaded SSL and signing certificate.

Viewing SSL certificate on iDRAC
To view SSL certificate on iDRAC you can use racadm or web GUI. You can use this method to view SSL certificate regardless of method used for uploading the certificate.
Using Racadm

You can use racadm sslcertview command to view iDRAC SSL certificate. This command can be executed from Local, Remote or Firmware racadm

Figure 20: SSL certificate

Using Web GUI

You can login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page to view current iDRAC SSL Certificate.

Figure 21: SSL certificate
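Added example (not from the article): a client-side complement to racadm sslcertview that checks what the iDRAC actually presents after its reset, both by fingerprint against the PEM you uploaded and by full chain and hostname validation against your CA or signing certificate. It assumes the iDRAC web server is reachable on TCP 443 and that you kept the PEM files; the function names are this example's own.

```python
"""Client-side check of the certificate an iDRAC presents after an upload.

Added example, not from the article. Assumes the iDRAC web server listens on
TCP 443 and that you kept the PEM of the uploaded certificate (and of the CA
or signing certificate) to compare against.
"""
import hashlib
import socket
import ssl


def pem_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of a PEM certificate as colon-separated uppercase hex."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def fetch_served_cert(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Fetch the leaf certificate iDRAC serves without validating it (it is what we inspect)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


def served_matches(expected_pem: str, served_pem: str) -> bool:
    """True when the served certificate is byte-for-byte the one you uploaded."""
    return pem_fingerprint(expected_pem) == pem_fingerprint(served_pem)


def chain_validates(host: str, ca_pem_path: str, port: int = 443, timeout: float = 10.0) -> bool:
    """Validate the served chain against your CA (or uploaded signing certificate),
    including hostname matching, so the iDRAC DNS name used as CN is checked too.
    Passing this is what lets you drop -SkipCNcheck/-SkipCAcheck from winrm."""
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    import sys
    # Usage: python check_idrac_cert.py <idrac-host> <uploaded.pem> [ca.pem]
    host, expected = sys.argv[1], open(sys.argv[2]).read()
    served = fetch_served_cert(host)
    print("served fingerprint:", pem_fingerprint(served))
    print("matches uploaded certificate:", served_matches(expected, served))
    if len(sys.argv) > 3:
        print("chain and hostname validate against CA:", chain_validates(host, sys.argv[3]))
```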


Viewing Signing certificate on iDRAC

Viewing signing certificate on iDRAC is only supported through web GUI.

Using Web GUI
You can login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page to view signing Certificate. Signing certificate information will be shown under "Custom SSL Certificate Signing Certificate" section.

Figure 22: SSL certificate


Downloading SSL/Signing certificate from iDRAC

Once a custom SSL or signing certificate has been uploaded to iDRAC, you can download these certificates back from iDRAC. You can use the Racadm, Web GUI and WSMAN interfaces to download certificates.

Downloading SSL certificate from iDRAC
You can use Racadm and Web GUI to download SSL certificate from iDRAC.

Using Racadm

You can use the racadm sslcertdownload command to download the SSL certificate from iDRAC. This command is only supported from Local and Remote Racadm.

Figure 23: SSL certificate

Using Web GUI
You can login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page and use "Download SSL Certificate" option to download SSL certificate from iDRAC.

Figure 24: SSL certificate


Downloading Signing Certificate from iDRAC

You can use Racadm, Web GUI and WSMAN interface to download "Custom SSL Certificate Signing Certificate" from iDRAC.

Using Racadm

You can use racadm sslcertdownload command to download "Custom SSL Certificate Signing Certificate" from iDRAC. This command is only supported from Local and Remote Racadm.

Figure 25: SSL certificate

Using Web GUI

You can login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page and use "Download Custom SSL Certificate Signing Certificate" option to download "Custom SSL Certificate Signing Certificate" from iDRAC.

Figure 26: SSL certificate

Using WSMAN
You can also use WSMAN to download the Custom SSL Certificate Signing Certificate from iDRAC. Use the "DCIM_LCService.ExportCertificate" method for this. The method exports the Custom SSL Certificate Signing Certificate to a CIFS or NFS share.

Run below WSMAN command to export iDRAC Custom SSL Certificate Signing Certificate to CIFS share

winrm I ExportCertificate cimv2/2/root/dcim/DCIM_LCService?__cimnamespace=root/dcim+SystemCreationClassName=DCIM_ComputerSystem+SystemName=DCIM:ComputerSystem+CreationClassName=DCIM_LCService+Name=DCIM:LCService -u:root -p:calvin -r:https://10.94.195.107/wsman -SkipCNcheck -SkipCAcheck -encoding:utf-8 -a:basic @{Type="2";IPAddress="10.94.194.31";ShareName="/nfs";ShareType="0"}

This command will initiate Custom Certificate download process and return Job ID.

Run below WSMAN command to export iDRAC Custom SSL Certificate Signing Certificate to NFS share

winrm I ExportCertificate cimv2/2/root/dcim/DCIM_LCService?__cimnamespace=root/dcim+SystemCreationClassName=DCIM_ComputerSystem+SystemName=DCIM:ComputerSystem+CreationClassName=DCIM_LCService+Name=DCIM:LCService -u:root -p:calvin -r:https://10.94.195.107/wsman -SkipCNcheck -SkipCAcheck -encoding:utf-8 -a:basic @{Type="2";IPAddress="10.94.194.31";ShareName="Share";ShareType="2";Username="Share Username";Password="Share Password"}

This command will initiate Custom Certificate download process and return Job ID.

Run below WSMAN command to check job status

Figure 27: SSL certificate


Deleting SSL/Signing certificate from iDRAC

Once a custom SSL or signing certificate has been uploaded to iDRAC, you can delete it so that iDRAC loads its default certificate again.


Deleting Custom SSL certificate from iDRAC

Using Racadm
You can use racadm sslresetcfg command to delete custom SSL certificate and load default self-signed certificate back to iDRAC. This command can be executed from Local, Remote and Firmware racadm.

Figure 28: Delete SSL certificate


Deleting Signing Certificate from iDRAC

You can delete "Custom SSL Certificate Signing Certificate" using racadm or Web GUI. Once you delete custom SSL certificate signing certificate, default self-signed certificate will be loaded on iDRAC.

Using Racadm
You can run the racadm sslcertdelete command to delete the "Custom SSL Certificate Signing Certificate". This command can be executed from Local, Remote and Firmware racadm. After deleting the Custom SSL Certificate Signing Certificate, iDRAC reboots to apply the setting.

Figure 29: Delete SSL certificate

Using WebGUI

You can login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page and use "Delete Custom SSL Certificate Signing Certificate" option to delete "Custom SSL Certificate Signing Certificate" from iDRAC.

Figure 31: Delete SSL certificate



Article ID: SLN310599

Last Date Modified: 08/21/2018 10:13 AM

