Users Guide
Login Type Certicate Type How to Obtain
SHA-2 certicates are also supported.
Local User login SSL Certicate Generate a CSR and get it signed from a
trusted CA
NOTE: iDRAC ships with a default
self-signed SSL server certicate.
The iDRAC Web server, Virtual
Media, and Virtual Console use this
certicate.
SHA-2 certicates are also supported.
Related links
SSL server certicates
Generating a new certicate signing request
SSL server certicates
iDRAC includes a web server that is congured to use the industry-standard SSL security protocol to transfer encrypted data over a
network. An SSL encryption option is provided to disable weak ciphers. Built upon asymmetric encryption technology, SSL is widely
accepted for providing authenticated and encrypted communication between clients and servers to prevent eavesdropping across a
network.
An SSL-enabled system can perform the following tasks:
• Authenticate itself to an SSL-enabled client
• Allow the two systems to establish an encrypted connection
NOTE: If SSL encryption is set to 256-bit or higher, the cryptography settings for your virtual machine environment
(JVM, IcedTea) may require installing the Unlimited Strength Java Cryptography Extension Policy Files to permit usage of
iDRAC plugins such as vConsole with this level of encryption. For information about installing the policy les, see the
documentation for Java.
iDRAC Web server has a Dell self-signed unique SSL digital certicate by default. You can replace the default SSL certicate with a
certicate signed by a well-known Certicate Authority (CA). A Certicate Authority is a business entity that is recognized in the
Information Technology industry for meeting high standards of reliable screening, identication, and other important security criteria.
Examples of CAs include Thawte and VeriSign. To initiate the process of obtaining a CA-signed certicate, use either iDRAC Web
interface or RACADM interface to generate a Certicate Signing Request (CSR) with your company’s information. Then, submit the
generated CSR to a CA such as VeriSign or Thawte. The CA can be a root CA or an intermediate CA. After you receive the CA-
signed SSL certicate, upload this to iDRAC.
For each iDRAC to be trusted by the management station, that iDRAC’s SSL certicate must be placed in the management station’s
certicate store. Once the SSL certicate is installed on the management stations, supported browsers can access iDRAC without
certicate warnings.
You can also upload a custom signing certicate to sign the SSL certicate, rather than relying on the default signing certicate for
this function. By importing one custom signing certicate into all management stations, all the iDRACs using the custom signing
certicate are trusted. If a custom signing certicate is uploaded when a custom SSL certicate is already in-use, then the custom
SSL certicate is disabled and a one-time auto-generated SSL certicate, signed with the custom signing certicate, is used. You
can download the custom signing certicate (without the private key). You can also delete an existing custom signing certicate.
After deleting the custom signing certicate, iDRAC resets and auto-generates a new self-signed SSL certicate. If a self-signed
certicate is regenerated, then the trust must be re-established between that iDRAC and the management workstation. Auto-
generated SSL certicates are self-signed and have an expiration date of seven years and one day and a start date of one day in the
past (for dierent time zone settings on management stations and the iDRAC).
The iDRAC Web server SSL certicate supports the asterisk character (*) as part of the left-most component of the Common
Name when generating a Certicate Signing Request (CSR). For example, *.qa.com, or *.company.qa.com. This is called a wildcard
93