iDRAC Web Server Certificates
Hello, my name is Ted. I'm a senior engineer in the Systems Management group with Dell Technologies. In this video I'm going to be going over iDRAC certificates, specifically for the web server. This is the white paper that we have for managing iDRAC certificates. It describes three main ways to manage certificates for iDRACs and CMCs. The first type is the self-signed certificate, which is the default certificate type that the iDRAC ships with from the factory. The advantages of this are that you do not have to maintain a certificate authority and the certificates themselves are generated automatically by the iDRAC. The disadvantage is that the certificate for each iDRAC has to be added to the trusted certificate store on each management station, because each iDRAC is its own certificate authority, which has to be trusted. To regenerate the self-signed certificate you use the racadm command sslresetcfg.
There is a custom signed SSL certificate option, which leverages a signing certificate created by your own certificate authority. You export the certificate in PFX format, with the private key, to use on each iDRAC. This is not a common use. The advantages of a custom signed certificate are that you only have to trust one certificate authority for all your iDRACs, it's possible that your in-house certificate authority is already trusted on all your management stations, and certificates are still auto-generated by the iDRAC.
The disadvantage is that you have to maintain your own certificate authority. For this workflow you have to export the root certificate authority with its private key in PFX format. From your iDRAC you then go to 'iDRAC Settings', 'Services', 'Web Server', 'Custom SSL Signing Certificate' and import the private key for your certificate authority into the iDRAC, which will then be used to sign all certificates that the iDRAC generates. The third and most common option is a certificate authority signed SSL certificate, using the built-in signing request, submitted to your certificate authority, to create the web server certificate. The advantages of this are that you can use any commercial certificate authority and you only have to have one certificate authority trusted for all your iDRACs.
Likely, if you are using a commercial CA, this is already trusted by your management stations. The disadvantage is that you have to purchase commercial certificates or maintain your own certificate authority. Let's go over a couple of these options. Here in the iDRAC we can view the certificate that we are currently using and see that this was issued to the iDRAC by the iDRAC. We can see in the certificate details that we're using SHA256 with 2048 bits for our public key. To generate a custom signed certificate from the iDRAC I'm going to go ahead and log in and proceed to the appropriate settings. Here under 'iDRAC Settings', 'Services' we have the web server option, where we can create a signing request in the iDRAC by providing the common name, country, locality, organization, state, email and any subject alternative name that we need for our certificate. It's important to note that newer browsers require the subject alternative name, or they will still give you a certificate warning when accessing your iDRAC. Once you fill out this information you generate the CSR. It downloads the file to your system, which you can then take to your certificate authority to get signed, and then upload the signed certificate again at this point. You can also upload a custom certificate as a PFX file; it's important to note that this only works on iDRAC firmware 4.40.0.0 or newer. Here is the option to upload a custom signing certificate, where you extract the private key from your certificate authority and give it to your iDRAC to sign its own certificates, thereby allowing your management stations to trust any certificates issued by your internal certificate authority.
Now I'm going to go over this process using racadm. Before the iDRAC 4.40.0.0 firmware you were required to separate the key pair from the certificate. Here you can see I have uploaded the PFX file to this location, where I'm using OpenSSL. To split this we first use the -nocerts option to extract the key from the file. I'm going to provide the password for the PFX, and then enter a new passphrase for the PEM key itself. Now that we've extracted the key we must put it in a format the iDRAC can accept; I'm also going to have to provide that new PEM passphrase that I just used when extracting the key file from the PFX. The next command extracts the PEM file, which is the certificate, directly from the PKCS#12 file; I must also provide the password for that. Now that I have my iDRAC wildcard key and PEM files I can upload them to the iDRAC directly using racadm. I've set up a PowerShell window here so that I don't have to type in the username, password or iDRAC IP address each time. First I'm going to upload the certificate. Now I need to provide it the private key.
Now we need to reset the iDRAC so the new certificate can take effect. This will take a moment. Once the iDRAC loads the new certificate we can compare it with the certificate we had installed before. Now that the iDRAC is back up we can view the certificate and see that it was issued by my certificate authority as a wildcard certificate. There are additional things we can do; the first is to clear the SSL certificate. Again, since we're resetting the SSL certificate, it's important to reset the iDRAC so the new certificate can take effect.
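The split-and-upload procedure just walked through, plus the direct PFX upload that 4.40.0.0 and newer firmware allow (shown next in the video), as an added shell example that is not Dell's code: it assumes racadm and openssl on PATH, IDRAC_HOST, IDRAC_USER and IDRAC_PASS exported, and that the '-t 1' type and the '-p' PFX password option match your racadm version.

```shell
#!/bin/sh
# Added example, not Dell's script: install a PFX web-server certificate on an
# iDRAC as the video does, choosing the pre-4.40 split workflow or the direct
# PFX upload (type 16) that 4.40.0.0 and newer firmware accept.
# Assumed: IDRAC_HOST/IDRAC_USER/IDRAC_PASS are exported, racadm and openssl
# are on PATH, and "-t 1" (web-server cert/key) plus "-p" (PFX password) match
# your racadm version; check them against the racadm guide for your firmware.
set -e

rac() { racadm -r "$IDRAC_HOST" -u "$IDRAC_USER" -p "$IDRAC_PASS" "$@"; }

# Prints "yes" when firmware $1 is older than 4.40.0.0 (the PFX must be split),
# "no" otherwise; fields are compared numerically, missing ones count as 0.
needs_split() {
  v="$1" min="4.40.0.0" i=1
  while [ "$i" -le 4 ]; do
    a=$(printf '%s' "$v" | cut -d. -f"$i"); b=$(printf '%s' "$min" | cut -d. -f"$i")
    a=${a:-0}; b=${b:-0}
    if [ "$a" -lt "$b" ]; then echo yes; return 0; fi
    if [ "$a" -gt "$b" ]; then echo no; return 0; fi
    i=$((i + 1))
  done
  echo no
}

# Pre-4.40 path from the video: -nocerts pulls the key out of the PFX (OpenSSL
# prompts for the PFX password, then a passphrase for the PEM key), the second
# command strips that passphrase so the iDRAC can accept the key, and the third
# pulls out the leaf certificate only.  $1 = PFX file, $2 = output basename.
split_pfx() {
  openssl pkcs12 -in "$1" -nocerts -out "$2.enc.key"
  openssl rsa -in "$2.enc.key" -out "$2.key"
  openssl pkcs12 -in "$1" -clcerts -nokeys -out "$2.pem"
}

# $1 = iDRAC firmware version, $2 = PFX file, $3 = PFX password.
install_web_cert() {
  if [ "$(needs_split "$1")" = yes ]; then
    split_pfx "$2" idrac-web
    rac sslcertupload -t 1 -f idrac-web.pem
    rac sslkeyupload -t 1 -f idrac-web.key
  else
    rac sslcertupload -t 16 -f "$2" -p "$3"   # whole PFX, key still inside
  fi
  rac racreset   # the new certificate only takes effect after a reset
}

# usage: install_web_cert 4.32.10.00 wildcard.pfx 'pfx-password'
```

With OpenSSL 3, a PFX exported by an older Windows CA may need -legacy on both pkcs12 commands, because its RC2-based encryption is no longer in the default provider.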
Now we're back to our original certificate. Because this iDRAC is on version 4.40.0.0, I can also use this command to upload the certificate directly, without splitting the key and the certificate apart. This is type 16, and it also requires the password for extracting the key. As in the other cases I have to reset the iDRAC for the new certificate to take effect. Now that the iDRAC is back up we can see that our wildcard certificate is installed successfully. As a note, I'm seeing the security warning here because I'm not using an FQDN in the sysman.local domain. If I were using the iDRAC's FQDN with that domain name I would not see this certificate warning.
Again I'm going to reset the iDRAC to its default certificate so that I can show you how to generate a CSR using racadm. Now that we're back to the original certificate I'm going to show you how we can create a custom CSR. Here are the commands that I'm going to run for creating it. With these I'm going to update the fields, generate a new CSR, then upload it to my certificate authority for signing. I've created this little PowerShell script to display the fields, fill them out and then display them again before I generate the signing request.
Now that the values are fully populated I'm going to generate a CSR to have my certificate authority sign it. When using this CSR with my certificate authority, I request a certificate and submit a request containing the base64-encoded information from the CSR. I have to choose a web server certificate, and then it's important to choose base64 encoded and download the entire certificate chain. Now that the new certificate is uploaded we must reset the iDRAC for it to take effect. Once the iDRAC is back we can see that the certificate was signed by my certificate authority, and we can confirm in the details that we are now using a 4096-bit RSA key.
Again on the 'iDRAC Settings', 'Services' page under 'Web Server' I'm going to choose 'SSL/TLS Custom Signing Certificate'. Now that my custom signing certificate is successfully installed I can reset the iDRAC for the new certificate to take effect; the iDRAC will regenerate a self-signed certificate using the private key that I've just uploaded from my certificate authority. Now that our iDRAC is back up we can see that the certificate was self-generated but was issued by our certificate authority, because the iDRAC is now using the signing certificate that we provided.
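The racadm CSR workflow described above, as an added shell example that is not Dell's script: it assumes IDRAC_HOST, IDRAC_USER and IDRAC_PASS are exported, that the iDRAC.Security.Csr* attribute names and the '-t 1' upload type match your firmware's racadm, and it uses sample organisation values.

```shell
#!/bin/sh
# Added example, not Dell's script: the racadm CSR workflow from the video,
# with the Subject Alternative Name that newer browsers require.  Assumed:
# IDRAC_HOST/IDRAC_USER/IDRAC_PASS are exported; attribute names follow the
# iDRAC.Security group of the attribute registry (confirm with "racadm get
# iDRAC.Security" on your firmware); the organisation values are samples.
set -e

rac() { racadm -r "$IDRAC_HOST" -u "$IDRAC_USER" -p "$IDRAC_PASS" "$@"; }

# Populate the same fields the web form asks for.  $1 = FQDN of the iDRAC.
set_csr_fields() {
  rac set iDRAC.Security.CsrCommonName "$1"
  rac set iDRAC.Security.CsrSubjectAltName "$1"   # without it, browsers still warn
  rac set iDRAC.Security.CsrOrganizationName "Example Corp"
  rac set iDRAC.Security.CsrOrganizationUnit "Systems Management"
  rac set iDRAC.Security.CsrLocalityName "Round Rock"
  rac set iDRAC.Security.CsrStateName "Texas"
  rac set iDRAC.Security.CsrCountryCode "US"
  rac set iDRAC.Security.CsrEmailAddr "idrac-admin@example.com"
  rac set iDRAC.Security.CsrKeySize 4096          # the video ends on a 4096-bit RSA key
}

# Succeeds when decoded CSR text ($1, as printed by "openssl req -noout -text")
# lists DNS:<fqdn> ($2) in its Subject Alternative Name extension.
csr_has_san() {
  printf '%s\n' "$1" | grep -A1 'Subject Alternative Name' | grep -qE "DNS:$2(,|$)"
}

# Generate the CSR on the iDRAC, save it for the CA, and stop if the SAN is
# missing.  $1 = FQDN.  Afterwards upload the CA-signed certificate with
# "rac sslcertupload -t 1 -f signed.cer" and apply it with "rac racreset".
generate_csr() {
  set_csr_fields "$1"
  rac sslcsrgen -g -f idrac.csr
  csr_has_san "$(openssl req -in idrac.csr -noout -text)" "$1" ||
    { echo "CSR has no SAN for $1; check CsrSubjectAltName before submitting" >&2; return 1; }
}

# usage: generate_csr idrac01.sysman.local
```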
If we no longer want to use the custom signing certificate we can delete the signing certificate from this interface here. Once the signing certificate is removed, the iDRAC automatically regenerates a new self-signed certificate and then asks me whether I want to reset the iDRAC for that new certificate to take effect. Now that our iDRAC is back up we can check our certificate and see that it has returned to the self-issued certificate. We can also verify this with the racadm command to view the SSL certificate. That concludes my video on iDRAC certificates.
Thank you so much for watching, I hope you have a great day.