How to use SHA2 SSL certificate signing request and certificates with Dell iDRAC
Article ID: 168891

Products

Security Analytics

Issue/Introduction

To use SHA2-based SSL objects with the Dell iDRAC on the Dell PowerEdge R620 and R720, the private key and certificate signing request must be generated on a different host. The key and the resulting certificate can then be uploaded to the iDRAC.

Resolution

The following are required:

  1. A Windows-based host with Dell's RACADM software installed (for uploading the private key and certificate to the iDRAC). Please see Dell's web site to download the latest version of the RACADM utility. As of the writing of this KB article in January 2015, the current versions of the RACADM utility for Windows are available at these links (not owned or controlled by Blue Coat):
32-bit: http://downloads.dell.com/FOLDER03252978M/1/OM-DRAC-Dell-Web-WIN-8.2.0-1739_A00.exe
64-bit: http://downloads.dell.com/FOLDER03252983M/1/OM-DRAC-Dell-Web-WINX64-8.2.0-1739_A00.exe

The iDRAC must be running at least firmware version 2.21.21.21.  Please contact technical support or Dell to obtain this version of the iDRAC firmware. The firmware can be upgraded remotely with the following RACADM command:

C:\Program Files\Dell\SysMgt\rac5>racadm.exe -r <idrac-ip-address-or-name> -u root -p <idrac-root-password> fwupdate -d <c:\path\to\firmimg.d7>
 
You can also run 'racadm' locally on the Security Analytics appliance.  The utility is included with the base SA software.
 
  2. A host with the OpenSSL suite installed, for the instructions below.

1. Generate a 2048-bit private key and a SHA-256 signed CSR:
openssl req -newkey rsa:2048 -sha256 -keyout fqdn.key -out fqdn.csr

2. Remove the passphrase from the private key (private keys with passphrases are not supported by the iDRAC)
openssl rsa -in fqdn.key -out fqdn.key

3. Optionally, view/check the key and the signing request
openssl rsa -in fqdn.key -check
openssl req -in fqdn.csr -text -noout

4. Submit the CSR to the certificate signing authority to generate and provide a certificate
iDRAC7 accepts only X509, Base 64 encoded Web server certificates.

5. Optionally, view/check the certificate to make sure it is SHA-256 signed and carries a 2048-bit key
openssl x509 -in fqdn.pem -text -noout

Then, using RACADM (Windows or SA), with my-idrac-ip, root and calvin replaced by your iDRAC's address and credentials:

6. Upload the private key to the iDRAC
racadm -r my-idrac-ip -u root -p calvin sslkeyupload -t 1 -f fqdn.key

7. Upload the new certificate (the file checked in step 5)
racadm -r my-idrac-ip -u root -p calvin sslcertupload -t 1 -f fqdn.pem

8. Reboot the iDRAC
racadm -r my-idrac-ip -u root -p calvin racreset

Wait 5 minutes for the reset to complete.
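
The checks from steps 2, 3 and 5, plus a test that the certificate actually belongs to the private key, can be scripted and run before the uploads in steps 6 and 7. This is an added example, not part of the original article or of Dell's tooling; the function names and the script name check_idrac_pair.sh are assumptions, and it runs only local openssl commands.

```shell
#!/bin/sh
# Added example: local pre-upload checks for the key/certificate pair.
# Nothing here contacts the iDRAC; file names are supplied by the caller.

# Succeeds only if the PEM private key has no passphrase (step 2).
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1" &&
        openssl rsa -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# Prints the RSA key size in bits, e.g. 2048.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Prints the signature algorithm of a CSR ($1=req) or certificate ($1=x509).
sig_alg() {
    openssl "$1" -in "$2" -noout -text 2>/dev/null |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Prints "Modulus=<hex>" for a key ($1=rsa) or certificate ($1=x509).
modulus() { openssl "$1" -in "$2" -noout -modulus 2>/dev/null; }

# check_for_idrac KEY CERT
# Returns 0 if the pair is ready to upload, else 1 passphrase, 2 key size,
# 3 certificate not PEM (Base64), 4 not SHA-256 signed, 5 key/cert mismatch.
check_for_idrac() {
    key_is_unencrypted "$1" || { echo "key has a passphrase" >&2; return 1; }
    [ "$(key_bits "$1")" = 2048 ] || { echo "key is not 2048-bit" >&2; return 2; }
    grep -q 'BEGIN CERTIFICATE' "$2" || { echo "certificate is not PEM" >&2; return 3; }
    case "$(sig_alg x509 "$2")" in
        sha256*) ;;
        *) echo "certificate is not SHA-256 signed" >&2; return 4 ;;
    esac
    [ "$(modulus rsa "$1")" = "$(modulus x509 "$2")" ] ||
        { echo "certificate does not match the key" >&2; return 5; }
    echo "ok: $1 and $2 are ready for sslkeyupload/sslcertupload"
}

# Run the checks when called as: sh check_idrac_pair.sh fqdn.key fqdn.pem
if [ "$#" -eq 2 ]; then check_for_idrac "$1" "$2"; fi
```

A non-zero exit status identifies which step of the procedure to repeat before anything is sent to the iDRAC.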
 
To delete a self-signed certificate using racadm (and get back to the default certificate), do the following:
  1. Delete the self-signed certificate
    racadm sslcertdelete -t 3
  2. Reboot the iDRAC
    racadm racreset