iDRAC Web Server Certificate Management - Systems Management - Wiki - Systems Management - Dell Community

This wiki post was written by Shine KA and Hareesh V from the Dell iDRAC team.

Introduction

     iDRAC includes a web server that uses the industry-standard SSL/TLS protocol to encrypt traffic on the network. SSL is built on public-key (asymmetric) cryptography and provides authenticated, encrypted communication between clients and servers so that traffic cannot be read in transit. The iDRAC Web GUI, Remote Racadm, WSMAN and VMCLI all use the same web server SSL certificate.

     iDRAC uses 128-bit encryption for SSL sessions.

     By default the iDRAC web server presents a unique Dell self-signed SSL certificate. Because no client trusts the issuer of that certificate, browsers and tools either warn on every connection or have to be told to skip certificate checks, and a client that skips the check cannot tell a real iDRAC from an impostor on the network path. You can replace the default certificate with one signed by a Certificate Authority (CA) that your clients already trust. A CA is an organisation recognised in the IT industry for meeting high standards of screening, identification and other security criteria; examples of public CAs include Thawte and VeriSign, and an internal enterprise PKI serves the same role on a management network. This document describes the different methods iDRAC supports for replacing its default self-signed certificate.

1. Uploading SSL/Signing Certificate to iDRAC

There are three ways to put a custom SSL certificate on iDRAC. The iDRAC Web GUI, Racadm and WSMAN interfaces can be used, although not every interface supports every method (see the sections below).

  • Uploading SSL Certificate to iDRAC using CSR created from iDRAC
  • Uploading SSL Certificate to iDRAC using private / public key
  • Uploading Signing certificate to iDRAC

Note: iDRAC restarts after each upload and is unavailable for a short time.

1.1.  Uploading SSL Certificate to iDRAC using CSR method

     In this method iDRAC generates the key pair and a CSR (Certificate Signing Request), so the private key never leaves iDRAC. You download the CSR, have a CA sign it, and upload the signed certificate back. iDRAC accepts only Base64 (PEM) encoded certificates. You can use the Racadm or Web GUI interface for this method. Before creating the CSR you can set the following certificate properties on iDRAC; they are copied into the CSR:

  • CommonName (use the DNS name clients will connect to; a name mismatch produces the same browser warning as the self-signed certificate)
  • OrganizationName
  • OrganizationUnit
  • LocalityName
  • StateName
  • CountryCode
  • EmailAddr
  • KeySize (choose 2048 bits or larger; current browsers reject 1024-bit RSA keys)

Note: Key size can be configured only through racadm.

Using Racadm

            You need to follow the four steps below to upload an SSL certificate to iDRAC using racadm.

Step 1: Configure Certificate properties on iDRAC

If you have iDRAC7 with firmware 1.30.30 or later, or iDRAC8, you can run the following racadm commands to configure the certificate properties (note that there is no space after “iDRAC.Security.” in the attribute names).

Configuring the iDRAC security CSR key size:

racadm set iDRAC.Security.CsrKeySize <Key size>

Configuring the iDRAC security CSR common name:

racadm set iDRAC.Security.CsrCommonName <common name>

Configuring the iDRAC security CSR organization name:

racadm set iDRAC.Security.CsrOrganizationName <Organization Name>

Configuring the iDRAC security CSR organization unit:

racadm set iDRAC.Security.CsrOrganizationUnit <Organization Unit>

Configuring the iDRAC security CSR locality name:

racadm set iDRAC.Security.CsrLocalityName <Location>

Configuring the iDRAC security CSR state name:

racadm set iDRAC.Security.CsrStateName <State Name>

Configuring the iDRAC security CSR country code:

racadm set iDRAC.Security.CsrCountryCode <Country Code>

Configuring the iDRAC security CSR email address:

racadm set iDRAC.Security.CsrEmailAddr <Email Address>

Once all the sub-attributes of the group “iDRAC.Security” have been configured, you can verify the settings by reading the group back:

racadm get iDRAC.Security

 If you have iDRAC6, or iDRAC7 with firmware older than 1.30.30, use the following racadm commands to configure the certificate properties. These commands can be run from Local, Remote or Firmware Racadm.

Configuring the iDRAC security CSR key size:

racadm config -g cfgRacSecurity -o cfgRacSecCsrKeySize <Key size>

Configuring the iDRAC security CSR common name:

racadm config -g cfgRacSecurity -o cfgRacSecCsrCommonName <Common Name>

Configuring the iDRAC security CSR organization name:

racadm config -g cfgRacSecurity -o cfgRacSecCsrOrganizationName <Organization Name>

Configuring the iDRAC security CSR organization unit:

racadm config -g cfgRacSecurity -o cfgRacSecCsrOrganizationUnit <Organization Unit>

Configuring the iDRAC security CSR locality name:

racadm config -g cfgRacSecurity -o cfgRacSecCsrLocalityName <Location>

Configuring the iDRAC security CSR state name:

racadm config -g cfgRacSecurity -o cfgRacSecCsrStateName <State Name>

Configuring the iDRAC security CSR country code:

racadm config -g cfgRacSecurity -o cfgRacSecCsrCountryCode <Country Code>

Configuring the iDRAC security CSR email address:

racadm config -g cfgRacSecurity -o cfgRacSecCsrEmailAddr <Email Address>

Once all the sub-attributes of the group “cfgRacSecurity” have been configured, you can verify the settings by reading the group back:

racadm getconfig -g cfgRacSecurity

 

Step 2: Create and Download CSR from iDRAC

You can run the following command to generate a CSR on iDRAC and download it to the local machine. This command is only supported from Local and Remote Racadm.

The sslcsrgen command has the following options:

racadm sslcsrgen -g -f <filename.txt>

-g: Generate a new Certificate Signing Request (CSR).

-f: Specifies the local file that will receive the CSR.

Before sending the CSR to the CA, confirm that the subject it carries is what you configured, for example with openssl req -in <filename.txt> -noout -subject.

Step 3: Sign the CSR downloaded from iDRAC using any third party certificate authority

Submit the CSR file downloaded from iDRAC to a third-party (or internal) certificate authority and obtain the signed certificate in Base64 (PEM) format.

Step 4: Upload signed certificate back to iDRAC

Once you have the signed certificate, upload it to iDRAC with the following Racadm command. This command is only supported from Local and Remote Racadm. Once you upload the certificate, iDRAC reboots and is not accessible for some time.

racadm sslcertupload -t 1 -f <signed certificate file>

-t 1 selects the web server certificate type; -f is the local certificate file.
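The four racadm steps above, as an added worked example that is not part of the original wiki post. The script drives remote Racadm through subprocess; the iDRAC address, credentials, subject values and file names are placeholders, the parsing of racadm get iDRAC.Security assumes the Name=Value output lines of the iDRAC7 1.30.30+/iDRAC8 syntax, and sslcertupload -t 1 is named for the final upload as the server-certificate type (check racadm help sslcertupload on your firmware). Beyond what the page shows, it refuses to generate a CSR when the attributes read back differ from what was set or the key size is below 2048 bits, and checks that the downloaded file is a PEM request before it goes to the CA.

```python
"""Added example (not from the Dell wiki): drive the racadm CSR workflow and
verify each step. Assumes remote racadm on PATH; host, credentials, subject
values and file names are placeholders."""
import re
import subprocess
import sys

# CSR attributes of the iDRAC.Security group named on this page.
CSR_ATTRS = {
    "CsrKeySize": "2048",
    "CsrCommonName": "idrac-r730-01.example.com",   # the name clients will use in the URL
    "CsrOrganizationName": "Example Corp",
    "CsrOrganizationUnit": "Datacenter Ops",
    "CsrLocalityName": "Austin",
    "CsrStateName": "Texas",
    "CsrCountryCode": "US",
    "CsrEmailAddr": "idrac-admin@example.com",
}
MIN_KEY_BITS = 2048   # 1024-bit RSA is rejected by current browsers


def racadm(args, idrac, user, password, runner=subprocess.run):
    """Run one remote racadm command and return its stdout; raise on failure."""
    cmd = ["racadm", "-r", idrac, "-u", user, "-p", password, *args]
    proc = runner(cmd, capture_output=True, text=True, check=False)
    if proc.returncode != 0:
        raise RuntimeError(f"racadm {' '.join(args)} failed: {(proc.stderr or proc.stdout).strip()}")
    return proc.stdout


def parse_get_output(text):
    """Parse 'racadm get iDRAC.Security' output into {attribute: value}.
    Data lines look like 'CsrCommonName=idrac-r730-01.example.com'; the
    '[Key=...]' header and blank lines are skipped and a leading '#'
    (read-only marker) is tolerated."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s*#?\s*([A-Za-z0-9_]+)=(.*)$", line)
        if m:
            values[m.group(1)] = m.group(2).strip()
    return values


def check_csr_attrs(actual, expected=CSR_ATTRS, min_bits=MIN_KEY_BITS):
    """Compare what iDRAC reports with what we set; return a list of problems."""
    problems = [f"{k}: set {v!r}, iDRAC reports {actual.get(k)!r}"
                for k, v in expected.items() if actual.get(k) != v]
    try:
        bits = int(actual.get("CsrKeySize", "0"))
    except ValueError:
        bits = 0
    if bits < min_bits:
        problems.append(f"CsrKeySize {bits} is below {min_bits} bits")
    return problems


def pem_csr_looks_valid(pem_text):
    """Structural check of the file sslcsrgen -f wrote: a single PEM
    'CERTIFICATE REQUEST' block with a non-empty Base64 body. Use
    'openssl req -in <file> -noout -subject' to read the subject back."""
    m = re.search(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----\s*(.*?)\s*"
                  r"-----END (?:NEW )?CERTIFICATE REQUEST-----", pem_text, re.S)
    if not m:
        return False
    body = "".join(m.group(1).split())
    return bool(body) and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body) is not None


def generate_csr(idrac, user, password, out_file="idrac.csr"):
    """Steps 1 and 2 of the page with verification between them; returns the CSR path."""
    for name, value in CSR_ATTRS.items():                       # step 1: set properties
        racadm(["set", f"iDRAC.Security.{name}", value], idrac, user, password)
    reported = parse_get_output(racadm(["get", "iDRAC.Security"], idrac, user, password))
    problems = check_csr_attrs(reported)                          # verify before generating
    if problems:
        raise SystemExit("refusing to generate CSR:\n  " + "\n  ".join(problems))
    racadm(["sslcsrgen", "-g", "-f", out_file], idrac, user, password)   # step 2
    with open(out_file, encoding="ascii") as f:
        if not pem_csr_looks_valid(f.read()):
            raise SystemExit(f"{out_file} is not a PEM certificate request")
    return out_file


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: idrac_csr.py <idrac-host> <user> <password>")
    csr = generate_csr(*sys.argv[1:4])
    # Step 3 happens at the CA; step 4 is then:
    #   racadm -r <host> -u <user> -p <pw> sslcertupload -t 1 -f <signed.pem>
    print(f"CSR written to {csr}; have it signed, then upload with sslcertupload -t 1")
```

The read-back check matters because racadm set accepts the command even when a value is silently truncated or a previous admin left a different key size in place; the CSR is only generated once the iDRAC reports exactly what was intended.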

Using WEBGUI

Step 1: Configure Certificate properties on iDRAC

To upload a certificate using a CSR you first configure the certificate properties in the GUI. Log in to iDRAC, go to iDRAC Settings -> Network -> SSL and select the “Generate Certificate Signing Request (CSR)” option. On the “Generate Certificate Signing Request (CSR)” page fill in all fields with the certificate information; the common name should be the DNS name clients will use to reach the iDRAC.

 

Step 2: Create and Download CSR from iDRAC

To generate and save the CSR, click the “Generate” button and save the file.

Step 3: Get CSR signed by using any third party certificate authority

Submit the CSR file downloaded from iDRAC to a third-party (or internal) certificate authority and obtain the signed certificate.

Step 4: Upload signed certificate back to iDRAC

Go to iDRAC Settings -> Network -> SSL and select the “Upload Server Certificate” option. Browse to the signed certificate file and click Apply to upload it. iDRAC resets once the certificate is uploaded.

1.2.  Uploading SSL Certificate to iDRAC using Key Pair

     In this method you create the private key outside iDRAC and obtain a CA-signed certificate for its public key. Once the key and certificate exist you can use the Racadm, WSMAN or Web GUI interface to upload them to iDRAC.

Using Racadm

With Racadm you first upload the private key to iDRAC and then the corresponding certificate. The private key must not have a passphrase, so treat the key file as a secret: generate it on a trusted host, restrict its file permissions, and delete it once the upload has been verified.

Step 1: Uploading private key to iDRAC

      Run the “sslkeyupload” racadm command to upload the private key to iDRAC. This command is supported from the Local and Remote Racadm interfaces.

racadm sslkeyupload -t 1 -f <private key file>

Step 2: Uploading certificate to iDRAC

Run the “sslcertupload” racadm command to upload the certificate that matches the key. This command is supported from the Local and Remote Racadm interfaces.

racadm sslcertupload -t 1 -f <certificate file>

Using Web GUI

The Web GUI cannot upload a private key, so first upload the key with racadm as described in the step above. Once the private key is uploaded you can use the iDRAC Web GUI to upload the certificate: log in to iDRAC, go to iDRAC Settings -> Network -> SSL and select the “Upload Server Certificate” option. iDRAC resets once the certificate is uploaded.

Using WSMAN

To upload a certificate using WSMAN you first need to create a Base64-encoded PKCS#12 file containing the certificate and the private key. The private key must not have a passphrase. Once the private key and certificate have been created, follow the steps below.

Step 1: Create a base64 format PKCS file with private key and certificate

In this step you create a PKCS#12 file from the private key and certificate and encode it in Base64, using openssl.

    1. Combine the private key and certificate into a single file

      Use the Linux cat command to concatenate the certificate and the passphrase-less private key into one file, for example:

      cat server.crt server.key > certkey.pem

    2. Create the PKCS#12 file

      Use the openssl pkcs12 command to create a PKCS#12 file from the combined file; provide an export password when asked. For example:

      openssl pkcs12 -export -in certkey.pem -out pkcsCertificate.p12

    3. Convert the PKCS#12 file to Base64 format

      openssl base64 -in pkcsCertificate.p12 -out pkcsCertificateb64.p12

      “pkcsCertificateb64.p12” is the Base64-encoded PKCS#12 file. The content of this file is used when uploading the certificate with WSMAN.

Step 2: Upload base 64 PKCS certificate to iDRAC

            Now upload the Base64 PKCS#12 data to iDRAC with a WSMAN command. For this, create an XML input file with the certificate data and pass the file to the WSMAN command.

    1. Create XML file with certificate details

In this step you create an XML input file with the certificate details. The file carries three fields: the certificate type, the PKCS#12 data and the PKCS#12 password.

Note: Type must be “server”. Between <p:PKCS12> and </p:PKCS12> paste the content of the Base64 PKCS#12 file obtained in Step 1, item 3. Put the PKCS#12 export password in the PKCS12pin field. The file now contains the private key and its password, so protect it like the key itself and delete it after the upload.

    2. Upload certificate to iDRAC using WSMAN

Run the WSMAN command to upload the certificate to iDRAC.

Note: “uploadCertificate.xml” is the file with the certificate content created in the previous step.
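The PKCS#12 XML input for the WSMAN upload, as an added example that is not part of the original post (whose sample XML was a screenshot). The page gives the fields Type="server", <p:PKCS12> and PKCS12pin; the enclosing SetCertificateAndPrivateKey_INPUT element, the DCIM_LCService namespace and the winrm -file: option are my assumptions from the Lifecycle Controller profile, so check them against the WSMAN reference for your firmware. The script performs the openssl export of Step 1 itself, passing the export password through the environment rather than on the command line, and does the Base64 step in Python, so no pkcsCertificateb64.p12 intermediate file is needed.

```python
"""Added example (not from the Dell wiki): build the WSMAN input document that
uploads a web-server certificate and its private key to iDRAC as PKCS#12.
Element and namespace names other than Type, PKCS12 and PKCS12pin are assumptions."""
import base64
import os
import subprocess
import xml.etree.ElementTree as ET

# Assumed method/namespace of the DCIM_LCService certificate upload call.
LC_NS = "http://schemas.dell.com/wbem/wscim/1/cim-schema/2/DCIM_LCService"
METHOD = "SetCertificateAndPrivateKey"
ET.register_namespace("p", LC_NS)        # matches the <p:PKCS12> element on the page


def make_pkcs12(cert_pem, key_pem, out_p12, export_password):
    """Page Step 1 with openssl: bundle the certificate and its passphrase-less
    key into a PKCS#12 file. The export password is handed over through the
    environment so it does not show up in 'ps' or shell history."""
    env = dict(os.environ, P12PASS=export_password)
    subprocess.run(["openssl", "pkcs12", "-export", "-in", cert_pem, "-inkey", key_pem,
                    "-out", out_p12, "-passout", "env:P12PASS"], env=env, check=True)
    with open(out_p12, "rb") as f:
        return f.read()


def build_upload_xml(p12_der, pin, cert_type="server"):
    """Return the XML text for uploadCertificate.xml: Type, Base64 PKCS#12, pin."""
    root = ET.Element(f"{{{LC_NS}}}{METHOD}_INPUT")
    ET.SubElement(root, f"{{{LC_NS}}}Type").text = cert_type
    ET.SubElement(root, f"{{{LC_NS}}}PKCS12").text = base64.b64encode(p12_der).decode("ascii")
    ET.SubElement(root, f"{{{LC_NS}}}PKCS12pin").text = pin
    return ET.tostring(root, encoding="unicode")


def inspect_upload_xml(xml_text):
    """Round-trip check before sending: decode the blob and confirm it is the DER
    PKCS#12 we started with. DER PKCS#12 begins with an ASN.1 SEQUENCE tag (0x30)."""
    root = ET.fromstring(xml_text)
    blob = base64.b64decode(root.findtext(f"{{{LC_NS}}}PKCS12") or "")
    return {
        "type": root.findtext(f"{{{LC_NS}}}Type"),
        "pin": root.findtext(f"{{{LC_NS}}}PKCS12pin"),
        "p12": blob,
        "looks_like_der": blob[:1] == b"\x30",
    }


def write_upload_file(cert_pem, key_pem, pin, out_xml="uploadCertificate.xml"):
    """Produce uploadCertificate.xml from a certificate and key (placeholder names)."""
    p12 = make_pkcs12(cert_pem, key_pem, "pkcsCertificate.p12", pin)
    xml_text = build_upload_xml(p12, pin)
    info = inspect_upload_xml(xml_text)
    if info["p12"] != p12 or not info["looks_like_der"]:
        raise SystemExit("PKCS#12 did not survive the round trip; not writing the file")
    # The file now holds the private key and its password: owner-only permissions,
    # and delete it once iDRAC has restarted with the new certificate.
    fd = os.open(out_xml, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(xml_text)
    return out_xml


if __name__ == "__main__":
    # Placeholder file names; the XML is then passed with winrm's -file: option, e.g.
    #   winrm invoke SetCertificateAndPrivateKey <DCIM_LCService selector> -file:uploadCertificate.xml ...
    print(write_upload_file("server.crt", "server.key", "s3cret-p12-pin"))
```

Generating the Base64 in the script rather than with a second openssl pass also avoids the classic mistake of pasting a Base64 file that still carries line breaks or a trailing newline into the element.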

1.3.  Uploading Signing Certificate to iDRAC

This feature is only supported on iDRAC7 from firmware 1.30.30 onwards. Using this method you can ensure that every iDRAC has a unique signed SSL certificate without creating and uploading a separate signed certificate for each one. You upload the same CA signing certificate to each iDRAC, and iDRAC generates its own certificate, signed by the uploaded signing certificate, using its DNS name as the common name (or its host name if no DNS name is available, or its IPv4 address if neither is available). Configure the iDRAC DNS name before uploading the signing certificate, and have clients connect with that name, otherwise the generated certificate will not match the URL.

The signing certificate must be in PKCS#12 format and the PKCS#12 file must contain the private key as well; the file may be protected by a passphrase or not. Because that private key lets every iDRAC it is loaded on issue certificates under the CA, use a dedicated issuing (intermediate) CA created for iDRAC, never your root CA or a general-purpose issuing CA, and trust only that intermediate on the management clients.

Using Racadm

            Use the “sslcertupload” racadm command to upload the signing certificate to iDRAC. This command is only supported from Local or Remote racadm. The -t value selects the certificate type (3 is the custom signing certificate on this firmware; confirm with racadm help sslcertupload) and -p supplies the PKCS#12 passphrase.

Upload signing certificate without pass phrase:

racadm sslcertupload -t 3 -f <signing certificate .p12 file>

Upload signing certificate with pass phrase:

racadm sslcertupload -t 3 -f <signing certificate .p12 file> -p <passphrase>

Using Web GUI

You can also upload the signing certificate using the iDRAC Web GUI. The PKCS#12 password is an optional field and is only required if the PKCS#12 file has a password.


 

2. Viewing SSL/Signing certificate on iDRAC

Once a custom SSL or signing certificate has been uploaded to iDRAC, you can use the Racadm and iDRAC GUI interfaces to check the currently installed SSL and signing certificates.

2.1.  Viewing SSL certificate on iDRAC

To view the SSL certificate on iDRAC you can use racadm or the Web GUI, regardless of the method used to upload the certificate.

Using Racadm

You can use the racadm sslcertview command to view the iDRAC SSL certificate. This command can be executed from Local, Remote or Firmware racadm:

racadm sslcertview -t 1

Check that the subject, issuer and validity dates shown are those of the certificate you uploaded and not the Dell self-signed default.


Using Web GUI

You can login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page to view current iDRAC SSL Certificate.
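A client-side check of the installed certificate, as an added example that is not part of the original post. Viewing the certificate on iDRAC shows what was uploaded; this script checks what a client actually sees, the way a browser or a winrm/racadm client with certificate validation enabled would: full chain validation against the CA file you trust (the CA that signed your CSR, or the issuing CA behind the signing certificate of section 1.3) plus hostname matching. It then flags a certificate that is self-signed (the Dell default still in place), expiring, or whose names do not cover the host you connected to, which is what happens when you browse to the IP address of an iDRAC whose signing-certificate method put the DNS name in the common name. The hostname, CA path and the constructed certificate dicts are placeholders; the dicts have the shape ssl.SSLSocket.getpeercert() returns.

```python
"""Added example (not from the Dell wiki): verify the certificate an iDRAC
presents after the upload, with certificate validation switched on."""
import datetime as dt
import socket
import ssl


def fetch_peer_cert(host, port=443, cafile=None):
    """TLS handshake with chain and hostname validation (no CERT_NONE, no
    check_hostname=False). cafile is the CA that issued the iDRAC certificate;
    None uses the system trust store. Raises ssl.SSLCertVerificationError if
    the chain is not trusted, otherwise returns the getpeercert() dict."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _rdn_dict(name):
    """Flatten the ((('commonName', 'x'),), ...) tuples into {attr: value}."""
    return {k: v for rdn in name for k, v in rdn}


def cert_dns_names(cert):
    """DNS SANs first, then the subject CN (what the CSR and signing-cert methods set)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cn = _rdn_dict(cert.get("subject", ())).get("commonName")
    if cn:
        names.append(cn)
    return names


def dns_name_matches(pattern, host):
    """RFC 6125 style match: exact, or a single leading wildcard label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def check_cert(cert, host, now=None, min_days_left=30):
    """Return a list of findings; an empty list means the certificate is fine."""
    now = now or dt.datetime.now(dt.timezone.utc)
    findings = []
    names = cert_dns_names(cert)
    if not any(dns_name_matches(n, host) for n in names):
        findings.append(f"no DNS name matches {host!r}; certificate names: {names}")
    not_after = dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                          dt.timezone.utc)
    if not_after <= now:
        findings.append(f"expired on {not_after:%Y-%m-%d}")
    elif (not_after - now).days < min_days_left:
        findings.append(f"expires in {(not_after - now).days} days")
    if _rdn_dict(cert.get("issuer", ())) == _rdn_dict(cert.get("subject", ())):
        findings.append("self-signed: the default Dell certificate (or no CA) is in use")
    return findings


def verify_idrac(host, cafile):
    """Connect and check; exits non-zero on any finding so it can gate a rollout."""
    try:
        cert = fetch_peer_cert(host, cafile=cafile)
    except ssl.SSLCertVerificationError as e:
        raise SystemExit(f"{host}: chain not trusted by {cafile}: {e.verify_message}")
    findings = check_cert(cert, host)
    if findings:
        raise SystemExit(f"{host}: " + "; ".join(findings))
    return cert


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: check_idrac_cert.py <idrac-dns-name> <ca.pem>")
    c = verify_idrac(sys.argv[1], sys.argv[2])
    print("OK:", _rdn_dict(c["subject"]).get("commonName"), "issued by",
          _rdn_dict(c["issuer"]).get("commonName"))
```

Run it against the DNS name, not the IP address, from the same network position as your administrators; a pass here means the -SkipCNcheck -SkipCAcheck options used in the WSMAN examples later on this page are no longer needed.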


2.2.  Viewing Signing certificate on iDRAC

Viewing the signing certificate on iDRAC is only supported through the Web GUI.

Using Web GUI

You can login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page to view signing Certificate. Signing certificate information will be shown under “Custom SSL Certificate Signing Certificate” section.

3. Downloading SSL/Signing certificate from iDRAC

Once a custom SSL or signing certificate has been uploaded to iDRAC, you can download it back from iDRAC using the Racadm, Web GUI and WSMAN interfaces.

3.1.  Downloading SSL certificate from iDRAC

You can use Racadm and Web GUI to download SSL certificate from iDRAC.

Using Racadm

You can use the racadm sslcertdownload command to download the SSL certificate from iDRAC. This command is only supported from Local and Remote Racadm:

racadm sslcertdownload -t 1 -f <local file>


Using Web GUI

You can login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page and use “Download SSL Certificate” option to download SSL certificate from iDRAC.

3.2.  Downloading Signing Certificate from iDRAC

You can use Racadm, Web GUI and WSMAN interface to download “Custom SSL Certificate Signing Certificate” from iDRAC.

Using Racadm

You can use the racadm sslcertdownload command with the custom signing certificate type to download the “Custom SSL Certificate Signing Certificate” from iDRAC. This command is only supported from Local and Remote Racadm:

racadm sslcertdownload -t 3 -f <local file>


Using Web GUI

You can login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page and use “Download Custom SSL Certificate Signing Certificate” option to download “Custom SSL Certificate Signing Certificate” from iDRAC.


Using WSMAN

You can also use WSMAN to download the Custom SSL Certificate Signing Certificate from iDRAC, using the “DCIM_LCService.ExportCertificate” method. The method writes the certificate to a CIFS or NFS share.

The commands below are the authors' lab examples: they use the factory-default root/calvin credentials and the -SkipCNcheck -SkipCAcheck options, which disable exactly the certificate validation this page is about. On a production iDRAC change the default password, and once a trusted certificate is installed drop the two Skip options so that winrm validates the iDRAC certificate.

Run the following WSMAN command to export the iDRAC Custom SSL Certificate Signing Certificate to an NFS share (ShareType 0 is NFS):

winrm I ExportCertificate cimv2/2/root/dcim/DCIM_LCService?__cimnamespace=root/dcim+SystemCreationClassName=DCIM_ComputerSystem+SystemName=DCIM:ComputerSystem+CreationClassName=DCIM_LCService+Name=DCIM:LCService -u:root -p:calvin -r:https://10.94.195.107/wsman -SkipCNcheck -SkipCAcheck -encoding:utf-8 -a:basic @{Type="2";IPAddress="10.94.194.31";ShareName="/nfs";ShareType="0"}

This command initiates the certificate export and returns a Job ID.

Run the following WSMAN command to export the iDRAC Custom SSL Certificate Signing Certificate to a CIFS share (ShareType 2 is CIFS and requires share credentials):

winrm I ExportCertificate cimv2/2/root/dcim/DCIM_LCService?__cimnamespace=root/dcim+SystemCreationClassName=DCIM_ComputerSystem+SystemName=DCIM:ComputerSystem+CreationClassName=DCIM_LCService+Name=DCIM:LCService -u:root -p:calvin -r:https://10.94.195.107/wsman -SkipCNcheck -SkipCAcheck -encoding:utf-8 -a:basic @{Type="2";IPAddress="10.94.194.31";ShareName="Share";ShareType="2";Username="Share Username";Password="Share Password"}

This command initiates the certificate export and returns a Job ID.

To check the job status, query the DCIM_LifecycleJob instance whose InstanceID is the returned Job ID and wait for its JobStatus to report completion before reading the exported file from the share.


4. Deleting SSL/Signing certificate from iDRAC

Once a custom SSL or signing certificate has been uploaded to iDRAC, you can delete it to return iDRAC to its default self-signed certificate.

4.1.  Deleting Custom SSL certificate from iDRAC

Using Racadm

You can use the racadm sslresetcfg command to delete the custom SSL certificate and restore the default self-signed certificate on iDRAC. This command can be executed from Local, Remote and Firmware racadm. After the reset, clients will see the self-signed certificate warning again until a new certificate is uploaded.

4.2.  Deleting Signing Certificate from iDRAC

You can delete the “Custom SSL Certificate Signing Certificate” using racadm or the Web GUI. Once it is deleted, the default self-signed certificate is loaded on iDRAC.

Using Racadm

Run the racadm sslcertdelete command with the custom signing certificate type to delete the “Custom SSL Certificate Signing Certificate”:

racadm sslcertdelete -t 3

This command can be executed from Local, Remote and Firmware racadm. After deleting the Custom SSL Certificate Signing Certificate, iDRAC reboots to apply the setting.

Using Web GUI

You can login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page and use “Delete Custom SSL Certificate Signing Certificate” option to delete “Custom SSL Certificate Signing Certificate” from iDRAC.


Comments
  • In step 3, it says "Get the CSR file got from iDRAC signed by any third party certificate authority." This is quite confusing.

  • You write "CSR (Custom Signed Certificate) ". Should not it be " CSR (Certificate Signing Request)"?