Ga naar hoofdinhoud
  • Snel en eenvoudig bestellen
  • Bestellingen en de verzendstatus bekijken
  • Een lijst met producten maken en openen
  • Beheer uw Dell EMC locaties, producten en contactpersonen op productniveau met Company Administration.

Dell PowerEdge : How to import an externally created custom certificate and private key into the iDRAC

Samenvatting: This article explains how to create and import an iDRAC certificate.

Dit artikel is mogelijk automatisch vertaald. Als u feedback hebt over de kwaliteit, laat het ons dan weten via het formulier onderaan deze pagina.

Article content


Instructies

Background

Beginning in the iDRAC6, it have been possible to create a certificate leveraging the PKI and import certificates into the iDRACs.  It allows to have more control over certificate creation process and allows to automate these processes.  Lastly, this process can be leveraged to create and import a wildcard certificate into the iDRAC.  From a security stand point, the use of wildcard is not a best practices; however, the process used to create any external certificate can also be leveraged for a wildcard certificate.

 

Table of content

  1. Certificate creation using OpenSSL
  2. Private key creation and certificate signing
  3. Upload certificate in iDRAC
 



In order to import the SSL certificate you will need a private key, and a signed certificate for that key.  Certificates can be third party provided or auto-generated.  Here is a rudimentary example of certificate creation process utilizing OpenSSL in a windows environment:



 

1. OpenSSL Private key and certificate for use as Certificate Authority

Th1e installation will need to function as a Certificate Authority.  This will allow us to issue or sign certificate request.  Here are those steps:

  1. Creating the CA private key:
    • You will need to provide a password for the private key.  This will be needed later so remember this.

 bin>openssl.exe genrsa -aes256 -out keys/ca.key 2048

HOW10401_en_US__1creating the CA Private Key

  1. Creating the CA Certificate leveraging the created key:
    • You will be prompted for details about the certificate.  These include the common name and the location data.  The most important field here is the Common Name.  This is going to the identity of the CA, and will be reflected in the certificate.  Typically, this will need to match the name by which will be accessing the system (DNS host name for instance).  This field is highlighted in the screenshot below.

bin>openssl.exe req -config openssl.conf -new -x509 -days 3650 -key keys/ca.key -out certs/ca.cer

HOW10401_en_US__2Creating the CA Certificate

Now that a private key and certificate are available to use for a Certificate Authority, we can create a private key and CSR for the iDRAC and then sign this request leveraging our Certificate Authority certificate.

 

 

2. Creating the private key, Certificate Signing Request, and Certificate for the iDRAC web services

For the iDRAC, we'll need to have a key and a signed certificate to import  into the web services.  We can leverage OpenSSL to achieve these goals.

  1. First, we'll need to create a private key and a certificate signing request (CSR) that we can then sign leveraging the ca certificate.  The key and CSR can be created in the same step:
    1. You will have to fill out the certificate details.  The common name for this certificate should match the name by which we'll be accessing the idrac. Highlighted below
    2. Also of note, you will need to include a passphrase for the private key that is be created. Highlighted below

bin>openssl.exe req -new -config openssl.conf -newkey rsa:2048  -nodes -keyout idrac.key -out idrac.csr

HOW10401_en_US__3Creating the private key and CSR

  1. Next, the certificate we created needs to be signed by the Certificate Authority.

bin>openssl.exe ca -policy policy_anything -config openssl.conf -cert certs/ca.cer -in requests/idrac_web.csr -keyfile keys/ca.key -days 365 -out certs/idrac_web.cer

 

HOW10401_en_US__4Signing the certificate

 

  1. We now have the necessary components to upload to the idrac.  The first of these is the private key (idrac_web.key) and the second of these is the signed certificate (idrac_web.cer). 

     

 

3. Upload certificate in iDRAC


 

With a private key and certificate pair, we can upload the key and certificate to the iDRAC. *Please note that for the following steps I copied the private key and the certificate to the root of the C drive for ease of access and to decrease the length of the commands.

  1. First, we need to upload the certificate:
    1. I leveraged remote racadm command with the interactive option.

 

racadm -r 10.14.177.107 -i sslkeyupload -t 1 -f C:\idrac_web.key

 

HOW10401_en_US__5uploading the key

  1. With the key uploaded, we need to upload the certificate.  The command for this is:

racadm -r 10.14.177.107 -i sslcertupload -t 1 -f c:\idrac_web.cer

HOW10401_en_US__6Importing certificate into the idrac

  1. After the web interface has come back we need verify our certificate.  This can be done by accessing the web interface in any browser, and then inspecting the certificate.  You should see that the certificate reflects the configured common name and is issued by the common name configured in your CA:

HOW10401_en_US__7Verifying our certificate is being used by the web interface
 


 

Artikeleigenschappen


Getroffen product

PowerEdge

Datum laatst gepubliceerd

17 sep 2021

Versie

4

Artikeltype

How To