Users Guide
The iDRAC Web server SSL certificate supports the asterisk character (*) as part of the left-most component of the Common Name
when generating a Certificate Signing Request (CSR). For example, *.qa.com, or *.company.qa.com. This is called a wildcard certificate. If
a wildcard CSR is generated outside of iDRAC, you can have a signed single wildcard SSL certificate that you can upload for multiple
iDRACs and all the iDRACs are trusted by the supported browsers. While connecting to iDRAC Web interface using a supported browser
that supports a wildcard certificate, the iDRAC is trusted by the browser. While launching viewers, the iDRACs are trusted by the viewer
clients.
Generating a new certificate signing request
A CSR is a digital request to a Certificate Authority (CA) for a SSL server certificate. SSL server certificates allow clients of the server to
trust the identity of the server and to negotiate an encrypted session with the server.
After the CA receives a CSR, they review and verify the information the CSR contains. If the applicant meets the CA’s security standards,
the CA issues a digitally-signed SSL server certificate that uniquely identifies the applicant’s server when it establishes SSL connections
with browsers running on management stations.
After the CA approves the CSR and issues the SSL server certificate, it can be uploaded to iDRAC. The information used to generate the
CSR, stored on the iDRAC firmware, must match the information contained in the SSL server certificate, that is, the certificate must have
been generated using the CSR created by iDRAC.
Generating CSR using web interface
To generate a new CSR:
NOTE: Each new CSR overwrites any previous CSR data stored in the firmware. The information in the CSR must match
the information in the SSL server certificate. Else, iDRAC does not accept the certificate.
1. In the iDRAC Web interface, go to iDRAC Settings > Connectivity > SSL > SSL certificate, select Generate Certificate
Signing Request (CSR) and click Next.
The Generate a New Certificate Signing Request page is displayed.
2. Enter a value for each CSR attribute.
For more information, see iDRAC Online Help.
3. Click Generate.
A new CSR is generated. Save it to the management station.
Generating CSR using RACADM
To generate a CSR using RACADM, use the set command with the objects in the iDRAC.Security group, and then use the
sslcsrgen command to generate the CSR.
For more information, see the iDRAC RACADM CLI Guide available at www.dell.com/idracmanuals.
Uploading server certificate
After generating a CSR, you can upload the signed SSL server certificate to the iDRAC firmware. iDRAC must be reset to apply the
certificate. iDRAC accepts only X509, Base 64 encoded Web server certificates. SHA-2 certificates are also supported.
CAUTION:
During reset, iDRAC is not available for a few minutes.
Uploading server certificate using web interface
To upload the SSL server certificate:
1. In the iDRAC Web interface, go to iDRAC Settings > Connectivity > SSL > SSL certificate, select Upload Server Certificate
and click Next.
The Certificate Upload page is displayed.
2. Under File Path, click Browse and select the certificate on the management station.
3. Click Apply.
The SSL server certificate is uploaded to iDRAC.
4. A pop-up message is displayed asking you to reset iDRAC immediately or at a later time. Click Reset iDRAC or Reset iDRAC Later as
required.
iDRAC resets and the new certificate is applied. The iDRAC is not available for a few minutes during the reset.
92
Configuring iDRAC