How to use SHA2 SSL certificate signing request and certificates with Dell iDRAC

book

Article ID: 168891

calendar_today

Updated On:

Products

Security Analytics

Issue/Introduction

In order to use SHA2 based SSL objects with the Dell iDRAC on the Dell Poweredge R620 and R720, the private key and certificate signing request need to be generated on a different host.  Then the key and resulting certificate can be uploaded to the iDRAC.

Resolution

The following are required:

  1. A Windows-based host with Dell's RACADM software installed (for uploading the private key and certificate to the iDRAC)  Please see Dell's web site to download the latest version of the RACADM utility. As of the writing of this KB article in January 2015, the current versions of the RACADM utility for Windows are available at these links (not owned or controlled by Blue Coat):
32-bit: http://downloads.dell.com/FOLDER03252978M/1/OM-DRAC-Dell-Web-WIN-8.2.0-1739_A00.exe
64-bit: http://downloads.dell.com/FOLDER03252983M/1/OM-DRAC-Dell-Web-WINX64-8.2.0-1739_A00.exe

The iDRAC must be running at least firmware version 2.21.21.21.  Please contact Blue Coat support or Dell to obtain this version of the iDRAC firmware. The firmware can be upgraded remotely with the following RACADM command:

C:\Program Files\Dell\SysMgt\rac5>racadm.exe -r <idrac-ip-address-or-name> -u root -p <idrac-root-password> fwupdate -d <c:\path\to\firmimg.d7>
 
  1. ‚ÄčA host with the OpenSSL suite installed, for the below instructions.

1. Generate 2048-bit, sha256 private key & csr:
openssl req -newkey rsa:2048 -sha256 -keyout fqdn.key -out fqdn.csr

2. Remove passphrase from private key (private keys with pass phrases are not supported by iDRAC)
openssl rsa -in fqdn.key -out fqdn.key

3. Optionally, view/check key and signing request
openssl rsa -in fqdn.key -check
openssl req -in fqdn.csr -text -noout


4. Use the certificate signing authority to generate and provide a certificate
iDRAC7 accepts only X509, Base 64 encoded Web server certificates.

5. Optionally, view/check certificate to make sure it's sha256/2048bit
openssl x509 -in fqdn.pem -text -noout

Then on Windows with RACADM:

6. Upload the private key to the iDRAC
racadm.exe -r my-idrac-ip -u root -p calvin sslkeyupload -t 1 -f fqdn.key

7. Upload the new certificate
racadm.exe -r my-idrac-ip -u root -p calvin sslcertupload -t 1 -f certificate.pem

8. Reboot the idrac
racadm.exe -r my-idrac-ip -u root -p calvin racreset

Wait 5 minutes for the reset to complete.