This blog post is written by Shine KA and Florin Dragan from Dell iDRAC team
With iDRAC recent release (iDRAC7 1.30.30) you can upload custom signing certificate to iDRAC. With this feature, iDRAC will automatically create unique SSL certificate to each iDRAC which is signed by uploaded signing certificate. This feature will also provide following benefits.
- Each iDRAC on the organization have unique certificate
- You can upload Signing Certificate to the client and access all iDRAC in the organization without any certificate related warnings.
For using this feature you need to have signing certificate uploaded to iDRAC. Once signing certificate is uploaded, iDRAC will create a certificate for iDRAC and this certificate will be signed by uploaded signing certificate. This certificate will have a validity of 7 years. The common name of the signed certificate will be based on iDRAC DNS DRAC Name and iDRAC DNS Domain Name (iDRAC DNS DRAC name. iDRAC DNS Domain name). If iDRAC does not have a DNS name configured, iDRAC IPv4 or IPv6 (If IPv4 address is not available) address will be used as common name of certificate. The certificate created by iDRAC will have 2048 Bytes Encryption key.
Signing certificate needs to be packaged as PKCS #12 format before uploading to iDRAC. This PKCS #12 file should have signing certificate and corresponding private key. iDRAC will support PKCS #12 file with or without password. Private Key which is part of PKCS #12 file will be securely stored in iDRAC and there is no option to download the private key from iDRAC. Even iDRAC Administrator cannot download the private key.
You can upload (PKCS #12 file), download or delete custom signing certificate using iDRAC GUI or Racadm interfaces. Once you upload custom signing certificate, iDRAC will get rebooted automatically. This is to create and apply SSL certificate to iDRAC using uploaded signing certificate. iDRAC will also get rebooted when you delete signing certificate from iDRAC. When you download signing certificate from iDRAC certificate will be downloaded without private key.
You can also continue to use existing way of uploading certificate to iDRAC (using CSR and certificate or private key and certificate) along with this feature.