Users Guide
NOTE: While accessing iDRAC web interface through FQDN, Mozilla Firefox may not recognize the SSL certificate as
trusted. To continue, add the certificate to the trusted list.
You can also upload a custom signing certificate to sign the SSL certificate, rather than relying on the default signing certificate for this
function. By importing one custom signing certificate into all management stations, all the iDRACs using the custom signing certificate are
trusted. If a custom signing certificate is uploaded when a custom SSL certificate is already in-use, then the custom SSL certificate is
disabled and a one-time auto-generated SSL certificate, signed with the custom signing certificate, is used. You can download the custom
signing certificate (without the private key). You can also delete an existing custom signing certificate. After deleting the custom signing
certificate, iDRAC resets and auto-generates a new self-signed SSL certificate. If a self-signed certificate is regenerated, then the trust
must be re-established between that iDRAC and the management workstation. Auto-generated SSL certificates are self-signed and have
an expiration date of seven years and one day and a start date of one day in the past (for different time zone settings on management
stations and the iDRAC).
The iDRAC Web server SSL certificate supports the asterisk character (*) as part of the left-most component of the Common Name
when generating a Certificate Signing Request (CSR). For example, *.qa.com, or *.company.qa.com. This is called a wildcard certificate. If
a wildcard CSR is generated outside of iDRAC, you can have a signed single wildcard SSL certificate that you can upload for multiple
iDRACs and all the iDRACs are trusted by the supported browsers. While connecting to iDRAC Web interface using a supported browser
that supports a wildcard certificate, the iDRAC is trusted by the browser. While launching viewers, the iDRACs are trusted by the viewer
clients.
Related concepts
Generating a new certificate signing request on page 93
Uploading server certificate on page 94
Viewing server certificate on page 94
Uploading custom signing certificate on page 95
Downloading custom SSL certificate signing certificate on page 95
Deleting custom SSL certificate signing certificate on page 95
Generating a new certificate signing request
A CSR is a digital request to a Certificate Authority (CA) for a SSL server certificate. SSL server certificates allow clients of the server to
trust the identity of the server and to negotiate an encrypted session with the server.
After the CA receives a CSR, they review and verify the information the CSR contains. If the applicant meets the CA’s security standards,
the CA issues a digitally-signed SSL server certificate that uniquely identifies the applicant’s server when it establishes SSL connections
with browsers running on management stations.
After the CA approves the CSR and issues the SSL server certificate, it can be uploaded to iDRAC. The information used to generate the
CSR, stored on the iDRAC firmware, must match the information contained in the SSL server certificate, that is, the certificate must have
been generated using the CSR created by iDRAC.
Related concepts
SSL server certificates on page 92
Generating CSR using web interface
To generate a new CSR:
NOTE:
Each new CSR overwrites any previous CSR data stored in the firmware. The information in the CSR must match
the information in the SSL server certificate. Else, iDRAC does not accept the certificate.
1. In the iDRAC Web interface, go to Overview > iDRAC Settings > Network > SSL, select Generate Certificate Signing Request
(CSR) and click Next.
The Generate a New Certificate Signing Request page is displayed.
2. Enter a value for each CSR attribute.
For more information, see iDRAC Online Help.
3. Click Generate.
A new CSR is generated. Save it to the management station.
Configuring iDRAC
93