This wiki post is written by Shine KA and Hareesh V from Dell iDRAC team
Introduction
iDRAC includes a Web server that is configured to use the industry-standard SSL/TLS security protocol to transfer encrypted data over a network. Built on public-key (asymmetric) cryptography for server authentication and key exchange, SSL is widely accepted for providing authenticated and encrypted communication between clients and servers to prevent eavesdropping across a network. The iDRAC Web GUI, Remote Racadm, WSMAN and VMCLI all use the iDRAC SSL certificate for communication, so the certificate installed on iDRAC is what each of these clients validates.
The encryption process provides a high level of data protection. iDRAC uses 128-bit SSL encryption for the session, the standard strength supported by Internet browsers. The cipher strength protects the contents of the session; whether a client is talking to the right iDRAC depends on the certificate being validated, which is why replacing the self-signed certificate matters.
The iDRAC Web server ships with a Dell self-signed SSL certificate that is unique to each iDRAC. Because browsers and tools cannot validate a self-signed certificate against a trusted root, you can replace the default SSL certificate with a certificate signed by a well-known Certificate Authority (CA) or by your own enterprise CA. A Certificate Authority is a business entity that is recognized in the Information Technology industry for meeting high standards of reliable screening, identification, and other important security criteria. Examples of CAs include Thawte and VeriSign. This document describes the different methods iDRAC supports for replacing its default self-signed certificate.
1. Uploading SSL/Signing Certificate to iDRAC
There are three different ways to upload a custom SSL certificate to iDRAC. You can use the iDRAC Web GUI, Racadm or the WSMAN interface for the upload.
- Uploading SSL Certificate to iDRAC using CSR created from iDRAC
- Uploading SSL Certificate to iDRAC using private / public key
- Uploading Signing certificate to iDRAC
Note: iDRAC resets after the upload and is not available for some time.
1.1. Uploading SSL Certificate to iDRAC using CSR method
This method uses a CSR (Certificate Signing Request) generated on iDRAC. You have the CSR signed by a CA and upload the resulting certificate back to iDRAC. Because the key pair is generated on iDRAC and only the CSR (public key and subject) is exported, the private key never leaves the controller, which makes this the preferred method whenever your CA can sign an externally generated CSR. iDRAC accepts only certificates in Base64 (PEM) format. You can use the Racadm or Web GUI interface to configure SSL on iDRAC with this method. Before creating the CSR, you can set the following certificate properties on iDRAC; they are used when the CSR is generated.
CommonName
OrganizationName
OrganizationUnit
LocalityName
StateName
CountryCode
EmailAddr
KeySize
Note: The key size can be configured only through racadm. Use at least 2048 bits; 1024-bit RSA keys are rejected by current browsers and public CAs.
Using Racadm
Follow the four steps below to upload an SSL certificate to iDRAC using racadm.
Step 1: Configure Certificate properties on iDRAC
If you have iDRAC7 with firmware 1.30.30 or later, or iDRAC8, you can run the following racadm commands to configure the certificate properties.
Configuring the iDRAC security CSR key size
The command that is used to configure this property is:
racadm set iDRAC.Security.CsrKeySize <Key size>
Configuring the iDRAC security CSR common name
The command that is used to configure this property is:
racadm set iDRAC.Security.CsrCommonName <Common Name>
Configuring the iDRAC security CSR organization name
The command that is used to configure this property is:
racadm set iDRAC.Security.CsrOrganizationName <Organization Name>
Configuring the iDRAC security CSR organization unit
The command that is used to configure this property is:
racadm set iDRAC.Security.CsrOrganizationUnit <Organization Unit>
Configuring the iDRAC security CSR locality name
The command that is used to configure this property is:
racadm set iDRAC.Security.CsrLocalityName <Location>
Configuring the iDRAC security CSR state name
The command that is used to configure this property is:
racadm set iDRAC.Security.CsrStateName <State Name>
Configuring the iDRAC security CSR country code
The command that is used to configure this property is:
racadm set iDRAC.Security.CsrCountryCode <Country Code>
Configuring the iDRAC security CSR email address
The command that is used to configure this property is:
racadm set iDRAC.Security.CsrEmailAddr <Email Address>
Once all the sub-attributes of the “iDRAC.Security” group have been configured, verify them with racadm get on the iDRAC.Security group before generating the CSR; the common name in particular must match the DNS name clients use to reach the iDRAC.
If you have iDRAC6, or iDRAC7 with firmware earlier than 1.30.30, use the following racadm commands to configure the certificate properties. These commands can be run from Local, Remote or Firmware Racadm.
Configuring the iDRAC security CSR key size
The command that is used to configure this property is:
racadm config -g cfgRacSecurity -o cfgRacSecCsrKeySize <Key size>
Configuring the iDRAC security CSR common name
The command that is used to configure this property is:
racadm config -g cfgRacSecurity -o cfgRacSecCsrCommonName <Common Name>
Configuring the iDRAC security CSR organization name
The command that is used to configure this property is:
racadm config -g cfgRacSecurity -o cfgRacSecCsrOrganizationName <Organization Name>
Configuring the iDRAC security CSR organization unit
The command that is used to configure this property is:
racadm config -g cfgRacSecurity -o cfgRacSecCsrOrganizationUnit <Organization Unit>
Configuring the iDRAC security CSR locality name
The command that is used to configure this property is:
racadm config -g cfgRacSecurity -o cfgRacSecCsrLocalityName <Location>
Configuring the iDRAC security CSR state name
The command that is used to configure this property is:
racadm config -g cfgRacSecurity -o cfgRacSecCsrStateName <State Name>
Configuring the iDRAC security CSR country code
The command that is used to configure this property is:
racadm config -g cfgRacSecurity -o cfgRacSecCsrCountryCode <Country Code>
Configuring the iDRAC security CSR email address
The command that is used to configure this property is:
racadm config -g cfgRacSecurity -o cfgRacSecCsrEmailAddr <Email Address>
Once all the sub-attributes of the “cfgRacSecurity” group have been configured, verify them with racadm getconfig on the cfgRacSecurity group before generating the CSR.
Step 2: Create and Download CSR from iDRAC
You can run the following command to generate and download the CSR from iDRAC. This command is only supported from Local and Remote Racadm. iDRAC generates the key pair on the controller and writes only the CSR to the file, so nothing secret leaves iDRAC in this step.
The sslcsrgen command has the following options:
racadm sslcsrgen -g -f <filename.txt>
-g: Generate a new Certificate Signing Request (CSR).
-f: Specifies the file that will hold the CSR.
Step 3: Sign the CSR downloaded from iDRAC using any third party certificate authority
Submit the CSR file downloaded from iDRAC to the certificate authority and obtain the signed certificate in Base64 (PEM) format. If the CA returns a DER-encoded file, convert it to PEM first, since iDRAC accepts only Base64.
Step 4: Upload signed certificate back to iDRAC
Once you have the signed certificate, upload it back to iDRAC with the racadm sslcertupload command. This command is only supported from Local and Remote Racadm. Once you upload the certificate, iDRAC resets and is not accessible for some time.
Using WEBGUI
Step 1: Configure Certificate properties on iDRAC
To upload a certificate using a CSR you first need to configure the certificate properties in the GUI. Log in to iDRAC and navigate to iDRAC Settings -> Network -> SSL, then select the “Generate Certificate Signing Request (CSR)” option. On the “Generate Certificate Signing Request (CSR)” page fill in all fields with the certificate information.
Step 2: Create and Download CSR from iDRAC
To generate and save the CSR from iDRAC click the “Generate” button and save the file.
Step 3: Get CSR signed by using any third party certificate authority
Have the CSR file obtained from iDRAC signed by any third party certificate authority.
Step 4: Upload signed certificate back to iDRAC
Navigate to iDRAC Settings -> Network -> SSL to upload the server certificate. Select the “Upload Server Certificate” option, browse to the signed certificate file and click Apply to upload it. iDRAC resets once the certificate is uploaded.
1.2. Uploading SSL Certificate to iDRAC using Key Pair
In this method you create the private key yourself and have a CA issue a certificate for its public key. Once the key and certificate exist you can use the Racadm, WSMAN or Web GUI interfaces to upload them to iDRAC. Since the private key is generated outside iDRAC and then uploaded, generate it on a trusted host and remove all copies once the upload has succeeded.
Using Racadm
With Racadm you first upload the private key to iDRAC. This private key must not have a passphrase. Once the private key is uploaded you upload the corresponding certificate with Racadm.
Step 1: Uploading private key to iDRAC
You can run “sslkeyupload” racadm command to upload private key to iDRAC. This command is supported from Local and Remote Racadm interface.
Step 2: Uploading certificate to iDRAC
You can run “sslcertupload” racadm command to upload the certificate to iDRAC. This command is supported from Local and Remote Racadm interface.
Using Web GUI
Using the Web GUI you cannot upload a private key, so you first need to upload the key using racadm as described in the step above. Once the private key is uploaded you can use the iDRAC Web GUI to upload the certificate. Log in to iDRAC and navigate to iDRAC Settings -> Network -> SSL to upload the server certificate. Select the “Upload Server Certificate” option to upload the certificate. iDRAC resets once the certificate is uploaded.
Using WSMAN
To upload a certificate using WSMAN you first need to create a Base64-encoded PKCS#12 file containing the certificate and the private key. This private key must not have a passphrase. Once the private key and certificate exist, follow the steps below to upload the certificate to iDRAC.
Step 1: Create a Base64 format PKCS#12 file with the private key and certificate
In this step you create a PKCS#12 file from the private key and certificate and encode it in Base64. You need openssl commands for this.
a. Combine the private key and certificate into a single file
Use the Linux cat command to combine the custom certificate and the passphrase-free private key into a single file.
b. Create the PKCS#12 file
Use the openssl pkcs12 command to create a PKCS#12 file from the combined certificate and private key file. Provide an export password when asked; this is the password you enter later in the PKCS12pin field.
c. Convert the PKCS#12 file to Base64 format
Step 2: Upload base 64 PKCS certificate to iDRAC
Now you need to upload the base 64 format PKCS certificate to iDRAC using WSMAN command. For this we will create one xml file with certificate data then upload the file to iDRAC using WSMAN command
a. Create XML file with certificate details
In this step you need to create an XML file with the certificate details. Refer to the screenshot below for a sample XML file.
Note: Type needs to be “server”. Between <p:PKCS12> and </p:PKCS12> copy the content of the Base64 PKCS#12 file obtained in Step 1c. Put the PKCS#12 file password in the PKCS12pin field. This XML now contains your private key protected only by that password, so treat the file as a secret and delete it after the upload.
b. Upload certificate to iDRAC using WSMAN
Run the WSMAN command below to upload the certificate to iDRAC.
Note: “uploadCertificate.xml” is the file with the certificate content created in step 2a.
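Step 1 (a to c) above as an added example that is not part of the original post: a shell script that builds the Base64 PKCS#12 payload with openssl and first checks the two things that commonly go wrong, a passphrase-protected key and a key that does not belong to the certificate. The self-signed key and certificate it creates, the hostname and the PIN are constructed inputs; the 3DES/SHA-1 PBE options are a compatibility choice, since OpenSSL 3 otherwise emits AES/PBKDF2 bundles that older PKCS#12 parsers may reject.

```shell
#!/bin/sh
# Added example (not from the original post or from Dell): building the Base64
# PKCS#12 payload for the WSMAN upload, with checks on the inputs first.
set -eu

PKCS12_PIN="idrac-export-pin"   # constructed; goes into the PKCS12pin field

# Constructed input: a passphrase-free key and a matching self-signed cert,
# standing in for the key and CA-issued certificate of section 1.2.
make_sample_identity() {   # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$1/idrac.key" -out "$1/idrac.crt" \
        -subj "/CN=idrac-r740-01.example.com" 2>/dev/null
}

# iDRAC requires an unencrypted key: refuse PEM marked ENCRYPTED and any key
# that cannot be parsed with an empty passphrase.
key_has_no_passphrase() {   # $1 = key file; exit 0 when usable
    if grep -q 'ENCRYPTED' "$1"; then return 1; fi
    openssl pkey -in "$1" -passin pass: -noout >/dev/null 2>&1
}

# Key and certificate must belong together; otherwise iDRAC is left with a
# certificate it cannot use for the handshake.
key_matches_cert() {   # $1 = key file, $2 = certificate file
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Steps 1a-1c: combine, export PKCS#12 under the PIN, emit one Base64 line.
# PBE-SHA1-3DES is a compatibility choice: OpenSSL 3 otherwise writes
# AES-256/PBKDF2 bundles that older PKCS#12 parsers cannot read.
make_pkcs12_b64() {   # $1 = working directory; prints the Base64 payload
    cat "$1/idrac.key" "$1/idrac.crt" > "$1/idrac.pem"
    openssl pkcs12 -export -in "$1/idrac.pem" -out "$1/idrac.p12" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$PKCS12_PIN"
    openssl base64 -A -in "$1/idrac.p12"
}

# Round trip: the payload must decode, open with the PIN and hold our key.
pkcs12_b64_roundtrip_ok() {   # $1 = working directory, $2 = Base64 payload
    printf '%s' "$2" | openssl base64 -d -A > "$1/roundtrip.p12"
    openssl pkcs12 -in "$1/roundtrip.p12" -passin "pass:$PKCS12_PIN" -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null > "$1/roundtrip.pub"
    [ "$(cat "$1/roundtrip.pub")" = "$(openssl pkey -in "$1/idrac.key" -pubout 2>/dev/null)" ]
}

WORK=$(mktemp -d)
make_sample_identity "$WORK"
key_has_no_passphrase "$WORK/idrac.key" || { echo "private key is passphrase-protected; strip it first"; exit 1; }
key_matches_cert "$WORK/idrac.key" "$WORK/idrac.crt" || { echo "key and certificate do not match"; exit 1; }
PAYLOAD=$(make_pkcs12_b64 "$WORK")
pkcs12_b64_roundtrip_ok "$WORK" "$PAYLOAD" || { echo "PKCS#12 round trip failed"; exit 1; }
echo "PKCS12 payload: ${#PAYLOAD} Base64 characters, PKCS12pin=$PKCS12_PIN"
# Paste $PAYLOAD between <p:PKCS12> and </p:PKCS12> and the PIN into
# PKCS12pin; delete idrac.pem, idrac.p12 and the XML afterwards, since each
# holds the private key.
```

Base64 is produced with openssl base64 -A rather than the base64 utility so the output is a single line on both GNU and BSD systems; a wrapped payload pasted into the XML is a common cause of a rejected upload.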
1.3. Uploading Signing Certificate to iDRAC
This feature is only supported on iDRAC7 from firmware 1.30.30 onwards. Using this method you can make sure every iDRAC has a unique signed SSL certificate without creating and uploading a separate signed certificate to each one. You upload the CA's signing certificate to each iDRAC, and iDRAC creates its own certificate using the iDRAC DNS name, the host name (if no DNS name is available) or the IPv4 address (if neither is available) as the common name, signed with the uploaded signing certificate. Because the common name is derived from the iDRAC network configuration, set the iDRAC DNS name before uploading so that the generated certificate matches the name clients use to connect.
The signing certificate needs to be in PKCS#12 format and the PKCS#12 file must also contain the private key. The PKCS#12 file can be with or without a passphrase. Since this file holds a CA private key that can issue certificates your clients trust, protect it accordingly and prefer a dedicated issuing CA for iDRACs over your root CA.
Using Racadm
You need to use the “sslcertupload” racadm command to upload the signing certificate to iDRAC. This command is only supported from Local or Remote racadm.
Upload signing certificate without passphrase
Upload signing certificate with passphrase
Using Web GUI
You can also upload the signing certificate using the iDRAC Web GUI. The PKCS#12 password is an optional field and is only required if the PKCS#12 file has a password.
2. Viewing SSL/Signing certificate on iDRAC
Once a custom SSL or signing certificate is uploaded to iDRAC you can use the Racadm and iDRAC GUI interfaces to check the currently installed SSL and signing certificate.
2.1. Viewing SSL certificate on iDRAC
To view SSL certificate on iDRAC you can use racadm or web GUI. You can use this method to view SSL certificate regardless of method used for uploading the certificate.
Using Racadm
You can use racadm sslcertview command to view iDRAC SSL certificate. This command can be executed from Local, Remote or Firmware racadm
Using Web GUI
You can login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page to view current iDRAC SSL Certificate.
2.2. Viewing Signing certificate on iDRAC
Viewing signing certificate on iDRAC is only supported through web GUI.
Using Web GUI
You can login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page to view signing Certificate. Signing certificate information will be shown under “Custom SSL Certificate Signing Certificate” section.
3. Downloading SSL/Signing certificate from iDRAC
Once a custom SSL or signing certificate is uploaded to iDRAC you can download these certificates back from iDRAC. You can use the Racadm, Web GUI and WSMAN interfaces to download certificates.
3.1. Downloading SSL certificate from iDRAC
You can use Racadm and Web GUI to download SSL certificate from iDRAC.
Using Racadm
You can use racadm sslcertdownload command to download SSL certificate from iDRAC. This command is only supported from Local and Remote Racadm.
Using Web GUI
You can login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page and use “Download SSL Certificate” option to download SSL certificate from iDRAC.
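The checks worth running on a certificate viewed (section 2.1) or downloaded (section 3.1) from iDRAC, and on what the iDRAC HTTPS listener actually presents after its reset, as an added example that is not from the original post or from Dell. The certificate it inspects is constructed locally so the script runs offline; served_fingerprint talks to a real iDRAC, its host name is a placeholder, and it is only shown in a comment, not executed.

```shell
#!/bin/sh
# Added example (not from the original post or from Dell): checks on a
# certificate downloaded from iDRAC and on the certificate its web server
# presents.
set -eu

# SHA-256 fingerprint of a PEM certificate: compare fingerprints, not subject
# strings, since two certificates with the same subject can have different keys.
cert_fingerprint() {   # $1 = PEM file
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# "self-signed" when issuer equals subject (the factory Dell certificate looks
# like this), "ca-issued" once a CA-signed certificate is installed.
cert_signer_kind() {   # $1 = PEM file
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | cut -d= -f2-)
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | cut -d= -f2-)
    if [ "$subj" = "$iss" ]; then echo "self-signed"; else echo "ca-issued"; fi
}

# Exit 0 if the certificate stays valid for at least $2 more days.
cert_valid_for_days() {   # $1 = PEM file, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Fingerprint presented by the iDRAC web server (TLS handshake only, no
# login). Not executed in this script; the host is a placeholder.
served_fingerprint() {   # $1 = iDRAC host name or IP
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# "match" when the listener presents exactly the downloaded file; anything
# else means the upload did not take effect, the wrong host was checked, or
# something between you and the iDRAC is terminating TLS.
served_matches_file() {   # $1 = host, $2 = PEM file
    if [ "$(served_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]; then echo match; else echo mismatch; fi
}

# The fields worth reading on the SSL page or in racadm sslcertview output.
cert_summary() {   # $1 = PEM file
    openssl x509 -in "$1" -noout -subject -issuer -enddate -nameopt RFC2253
    echo "fingerprint(sha256)=$(cert_fingerprint "$1")"
    echo "signer=$(cert_signer_kind "$1")"
}

# Demo on a constructed certificate (stand-in for the downloaded file).
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/idrac.key" -out "$WORK/idrac.crt" \
    -subj "/CN=idrac-r740-01.example.com" 2>/dev/null
cert_summary "$WORK/idrac.crt"
if cert_valid_for_days "$WORK/idrac.crt" 30; then echo "valid for at least 30 more days"; else echo "expires within 30 days"; fi
# Against a real iDRAC, after the reset that follows the upload:
#   served_matches_file idrac-r740-01.example.com "$WORK/idrac.crt"
```

Run the served_matches_file check from a host on the management network; a mismatch there, with the fingerprint of the downloaded file in hand, is the quickest way to tell a failed upload from a TLS-intercepting device in the path.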
3.2. Downloading Signing Certificate from iDRAC
You can use Racadm, Web GUI and WSMAN interface to download “Custom SSL Certificate Signing Certificate” from iDRAC.
Using Racadm
You can use racadm sslcertdownload command to download “Custom SSL Certificate Signing Certificate” from iDRAC. This command is only supported from Local and Remote Racadm.
Using Web GUI
You can login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page and use “Download Custom SSL Certificate Signing Certificate” option to download “Custom SSL Certificate Signing Certificate” from iDRAC.
Using WSMAN
You can also use WSMAN to download the Custom SSL Certificate Signing Certificate from iDRAC. You need to use the “DCIM_LCService.ExportCertificate” method, which exports the Custom SSL Certificate Signing Certificate to a CIFS or NFS share.
Run the WSMAN command below to export the iDRAC Custom SSL Certificate Signing Certificate to an NFS share (ShareType 0; the iDRAC and share addresses and the share path are example values):
winrm i ExportCertificate cimv2/2/root/dcim/DCIM_LCService?__cimnamespace=root/dcim+SystemCreationClassName=DCIM_ComputerSystem+SystemName=DCIM:ComputerSystem+CreationClassName=DCIM_LCService+Name=DCIM:LCService -u:root -p:calvin -r:https://10.94.195.107/wsman -SkipCNcheck -SkipCAcheck -encoding:utf-8 -a:basic @{Type="2";IPAddress="10.94.194.31";ShareName="/nfs";ShareType="0"}
This command initiates the certificate export and returns a Job ID.
Run the WSMAN command below to export the iDRAC Custom SSL Certificate Signing Certificate to a CIFS share (ShareType 2, which additionally needs the share username and password):
winrm i ExportCertificate cimv2/2/root/dcim/DCIM_LCService?__cimnamespace=root/dcim+SystemCreationClassName=DCIM_ComputerSystem+SystemName=DCIM:ComputerSystem+CreationClassName=DCIM_LCService+Name=DCIM:LCService -u:root -p:calvin -r:https://10.94.195.107/wsman -SkipCNcheck -SkipCAcheck -encoding:utf-8 -a:basic @{Type="2";IPAddress="10.94.194.31";ShareName="Share";ShareType="2";Username="Share Username";Password="Share Password"}
This command initiates the certificate export and returns a Job ID.
Note: root/calvin are the factory default iDRAC credentials and are used here only as placeholders. -SkipCNcheck and -SkipCAcheck turn off validation of the iDRAC's own TLS certificate and are only needed while the self-signed certificate is still in place; once a CA-signed certificate is installed, drop them so that winrm verifies the iDRAC it talks to.
After the job is created, query its status over WSMAN using the returned Job ID to confirm that the export completed.
4. Deleting SSL/Signing certificate from iDRAC
Once a custom SSL or signing certificate has been uploaded to iDRAC you can delete it to restore the iDRAC default self-signed certificate.
4.1. Deleting Custom SSL certificate from iDRAC
Using Racadm
You can use racadm sslresetcfg command to delete custom SSL certificate and load default self-signed certificate back to iDRAC. This command can be executed from Local, Remote and Firmware racadm.
4.2. Deleting Signing Certificate from iDRAC
You can delete the “Custom SSL Certificate Signing Certificate” using racadm or the Web GUI. Once you delete the custom SSL certificate signing certificate, the default self-signed certificate is loaded on iDRAC.
Using Racadm
You can run the racadm sslcertdelete command to delete the “Custom SSL Certificate Signing Certificate”. This command can be executed from Local, Remote and Firmware racadm. After deleting the Custom SSL Certificate Signing Certificate, iDRAC reboots to apply the setting.
Using WebGUI
You can login to iDRAC and traverse to iDRAC Settings -> Network -> SSL page and use “Delete Custom SSL Certificate Signing Certificate” option to delete “Custom SSL Certificate Signing Certificate” from iDRAC.