iDRAC10 Security Configuration Guide


Secure Connection Using TLS/SSL Certificate

The iDRAC web server uses a TLS/SSL certificate to establish and maintain secure communications with remote clients. Web browsers and command-line utilities, such as RACADM and Redfish, use this TLS/SSL certificate for server authentication and establishing an encrypted connection.

There are several options available to secure the network connection using a TLS/SSL certificate. iDRAC web server has a self-signed TLS/SSL certificate by default. The self-signed certificate can be replaced with a custom certificate, a custom signing certificate, or a certificate signed by a well-known Certificate Authority (CA). Whichever method is chosen, once iDRAC is configured and the TLS/SSL certificate is installed on the management stations, TLS/SSL enabled clients can access iDRAC securely and without certificate warnings.

For more information, see the white paper - Managing Web Server Certificates on iDRAC.

Certificate upload can be automated by using Redfish (ImportSSLCertificate action) or RACADM (sslcertupload command) scripts. For details, see:

  • iDRAC Redfish API Documentation on Developer portal.
  • iDRAC RACADM CLI Guide on the iDRAC page.
Table 1. TLS/SSL Certificate Analysis

The following table describes the advantages and disadvantages of the different types of certificates:

Self-Signed TLS/SSL Certificate
  Description: This certificate is auto-generated and self-signed by the iDRAC. Each iDRAC has a unique self-signed certificate by default.
  Advantages:
  • Do not have to maintain a Certificate Authority.
  • Certificates are auto-generated by the iDRAC.
  Disadvantages:
  • The certificate for each iDRAC must be added to the trusted certificates store on each management station. (Every iDRAC is its own Certificate Authority which must be trusted.)

CA Signed TLS/SSL Certificate with common Public/Private key pair
  Description: A certificate signing request (CSR) is generated and submitted to your in-house Certificate Authority or to a third-party Certificate Authority such as VeriSign, Thawte, Go Daddy, and so on, for signing.
  Advantages:
  • Can use a commercial Certificate Authority.
  • If a commercial CA is used, it is likely to be already trusted on your management stations and can be trusted for all iDRACs.
  Disadvantages:
  • Purchase commercial certificates or maintain your own Certificate Authority.
  • Each iDRAC has the same public/private key pair unless the user can manage multiple key pairs.

CA Signed TLS/SSL Certificate
  Description: A certificate signing request (CSR) is generated by the iDRAC and submitted to your in-house Certificate Authority or to a third-party Certificate Authority such as VeriSign, Thawte, Go Daddy, and so on, for signing.
  Advantages:
  • Can use a commercial Certificate Authority.
  • Only one Certificate Authority must be trusted for all iDRACs. If a commercial CA is used, it is likely to be already trusted on your management stations.
  • Each iDRAC has a unique public/private key pair.
  Disadvantages:
  • Purchase commercial certificates or maintain your own Certificate Authority.
  • A CSR must be generated and submitted for every iDRAC.

Custom Signing TLS/SSL Certificate (CSC)
  Description: The certificate is auto-generated by the iDRAC and signed using a signing certificate that is uploaded from your in-house Certificate Authority.
  Advantages:
  • Only one Certificate Authority must be trusted for all iDRACs. It is possible that your in-house Certificate Authority is already trusted on your management stations.
  • Certificates are auto-generated by the iDRAC.
  Disadvantages:
  • Maintain your own Certificate Authority.
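The CA-signed options in Table 1 (a CSR signed by an in-house CA, the certificate installed on the iDRAC, and the CA trusted on the management stations) as an added example, not Dell's code or anything from the iDRAC documentation. It builds a throwaway CA with openssl, signs a CSR for a constructed iDRAC hostname, then runs the same chain and hostname check that a browser, RACADM or Redfish client performs when it connects, plus a check that certificate and private key belong together. The hostname idrac-example.lab.local, the working directory and the extension settings are assumptions; the racadm commands in the comments (sslcsrgen, sslcertupload, sslkeyupload and the iDRAC.Security.CsrCommonName attribute) are quoted from the RACADM CLI Guide for earlier iDRAC releases, are not executed here, and should be confirmed against the iDRAC10 guide.

```shell
#!/bin/sh
# Added example (not Dell's code): the in-house "CA Signed TLS/SSL Certificate"
# workflow from Table 1, run locally with openssl so it can be checked offline.
# Assumptions: IDRAC_FQDN is a constructed hostname; the racadm commands shown in
# comments come from the RACADM CLI Guide and are not executed here.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
IDRAC_FQDN="${IDRAC_FQDN:-idrac-example.lab.local}"   # constructed, not a real host

# Step 1: an in-house CA. In production this already exists; a throwaway one is
# built here only so that the signing and verification steps can run.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Lab Management CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORKDIR/ca_ext.cnf"
  openssl x509 -req -in "$WORKDIR/ca.csr" -signkey "$WORKDIR/ca.key" -sha256 \
    -days 3650 -extfile "$WORKDIR/ca_ext.cnf" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Step 2: the CSR. On a real iDRAC the controller generates it and keeps the
# private key on-board (the "unique public/private key pair" row of Table 1):
#   racadm set iDRAC.Security.CsrCommonName "<idrac-fqdn>"
#   racadm sslcsrgen -g -f idrac.csr
# Offline, a locally generated key and CSR stand in for that output.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$IDRAC_FQDN" \
    -keyout "$WORKDIR/idrac.key" -out "$WORKDIR/idrac.csr" 2>/dev/null
}

# Step 3: sign with the in-house CA. The SAN matters: TLS clients match the
# hostname against subjectAltName, not against the CN alone.
sign_csr() {
  printf 'subjectAltName=DNS:%s\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
    "$IDRAC_FQDN" > "$WORKDIR/srv_ext.cnf"
  openssl x509 -req -in "$WORKDIR/idrac.csr" -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
    -CAcreateserial -sha256 -days 397 -extfile "$WORKDIR/srv_ext.cnf" \
    -out "$WORKDIR/idrac.crt" 2>/dev/null
}

# Step 4: what a management station's TLS client checks: a chain to the trusted
# CA and a hostname match. Returns non-zero if either fails.
verify_cert() {
  openssl verify -CAfile "$WORKDIR/ca.crt" -verify_hostname "$IDRAC_FQDN" \
    "$WORKDIR/idrac.crt" >/dev/null 2>&1
}

# Common failure mode: a certificate and key that do not belong together (easy
# to hit when a "common key pair" is reused across iDRACs). Compare RSA moduli.
key_matches() {
  [ "$(openssl x509 -in "$WORKDIR/idrac.crt" -noout -modulus)" = \
    "$(openssl rsa -in "$WORKDIR/idrac.key" -noout -modulus 2>/dev/null)" ]
}

# Step 5 (not executed): install the certificate on the iDRAC and add ca.crt to
# the management stations' trust stores. Flags as documented in the RACADM CLI
# Guide (certificate type 1 is the web server certificate):
#   racadm -r <idrac-fqdn> -u <user> -p <password> sslcertupload -t 1 -f idrac.crt
# If the key was generated off-box (common key pair row), upload it as well:
#   racadm -r <idrac-fqdn> -u <user> -p <password> sslkeyupload -t 1 -f idrac.key

run_workflow() {
  make_ca && make_csr && sign_csr && verify_cert && key_matches
}

run_workflow
echo "issued $WORKDIR/idrac.crt for $IDRAC_FQDN (chain and hostname verified, key matches)"
```

Run it as a plain sh script; everything stays under the temporary WORKDIR. On a real iDRAC the CSR comes from sslcsrgen, so the private key never leaves the controller and only the signed certificate and the CA certificate travel: the certificate to the iDRAC, the CA to every management station that must connect without warnings.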

See the Managing Web Server Certificates on iDRAC white paper.
