Users Guide

For each iDRAC to be trusted by the management station, that iDRAC’s SSL certificate must be placed in the management station’s
certificate store. Once the SSL certificate is installed on the management stations, supported browsers can access iDRAC without
certificate warnings.
You can also upload a custom signing certificate to sign the SSL certificate, rather than relying on the default signing certificate for
this function. By importing one custom signing certificate into all management stations, all the iDRACs using that custom signing
certificate are trusted. If a custom signing certificate is uploaded when a custom SSL certificate is already in use, the custom
SSL certificate is disabled and a one-time auto-generated SSL certificate, signed with the custom signing certificate, is used. You
can download the custom signing certificate (without the private key). You can also delete an existing custom signing certificate.
After the custom signing certificate is deleted, iDRAC resets and auto-generates a new self-signed SSL certificate. If a self-signed
certificate is regenerated, trust must be re-established between that iDRAC and the management station.
Auto-generated SSL certificates are self-signed and have an expiration date of seven years and one day and a start date of one day in the
past (to allow for different time zone settings on management stations and the iDRAC).
The iDRAC Web server SSL certificate supports the asterisk character (*) as part of the left-most component of the Common
Name when generating a Certificate Signing Request (CSR), for example, *.qa.com or *.company.qa.com. This is called a wildcard
certificate. If a wildcard CSR is generated outside of iDRAC, you can upload a single signed wildcard SSL certificate to
multiple iDRACs, and all of those iDRACs are trusted by the supported browsers. When you connect to the iDRAC Web interface
using a supported browser that supports wildcard certificates, the iDRAC is trusted by the browser. When you launch viewers, the
iDRACs are trusted by the viewer clients.
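
As an added illustration (not part of the Dell guide), the following Python code checks which iDRAC hostnames a wildcard name such as *.qa.com covers, using the usual browser rule that the asterisk stands for exactly one left-most DNS label. The function names and the host inventory are constructed for the example, and partial-label wildcards are deliberately rejected as an assumption.

```python
import ipaddress


def _is_ip(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def wildcard_covers(pattern: str, hostname: str) -> bool:
    """True if certificate name `pattern` matches the name typed into the browser."""
    if _is_ip(hostname):
        return False  # a DNS wildcard never matches an IP address
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "" in p or "" in h:
        return False  # empty label: malformed name
    if any("*" in label for label in p[1:]):
        return False  # the asterisk is honoured only in the left-most label
    if "*" not in p[0]:
        return p == h  # ordinary (non-wildcard) name: exact match
    if p[0] != "*" or len(p) < 3:
        return False  # assumption: no partial labels, no "*.com"-style names
    # The asterisk stands for exactly one label, never zero and never several.
    return len(h) == len(p) and h[1:] == p[1:]


def coverage_report(pattern, hostnames):
    """Split hostnames into (covered, not covered) for one certificate name."""
    covered = [name for name in hostnames if wildcard_covers(pattern, name)]
    return covered, [name for name in hostnames if name not in covered]


# Constructed inventory of iDRAC addresses, for illustration only.
IDRAC_HOSTS = [
    "idrac-r740-01.qa.com",
    "idrac-r740-02.qa.com",
    "idrac-r640-01.company.qa.com",
    "qa.com",
    "192.0.2.10",
]

if __name__ == "__main__":
    for name in ("*.qa.com", "*.company.qa.com"):
        covered, not_covered = coverage_report(name, IDRAC_HOSTS)
        print(f"{name}: trusted for {covered}; warnings for {not_covered}")
```

With this inventory, *.qa.com covers only the two hosts directly under qa.com; idrac-r640-01.company.qa.com needs *.company.qa.com, and an iDRAC opened by IP address is covered by neither name.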
Related links
Generating a new certificate signing request
Uploading server certificate
Viewing server certificate
Uploading custom signing certificate
Downloading custom SSL certificate signing certificate
Deleting custom SSL certificate signing certificate
Generating a new certificate signing request
A CSR is a digital request to a Certificate Authority (CA) for an SSL server certificate. SSL server certificates allow clients of the
server to trust the identity of the server and to negotiate an encrypted session with the server.
After the CA receives a CSR, it reviews and verifies the information the CSR contains. If the applicant meets the CA’s security
standards, the CA issues a digitally-signed SSL server certificate that uniquely identifies the applicant’s server when it establishes
SSL connections with browsers running on management stations.
After the CA approves the CSR and issues the SSL server certificate, it can be uploaded to iDRAC. The information used to
generate the CSR, stored on the iDRAC firmware, must match the information contained in the SSL server certificate, that is, the
certificate must have been generated using the CSR created by iDRAC.
Related links
SSL server certificates
Generating CSR using web interface
To generate a new CSR:
NOTE: Each new CSR overwrites any previous CSR data stored in the firmware. The information in the CSR must match
the information in the SSL server certificate. Otherwise, iDRAC does not accept the certificate.
1. In the iDRAC Web interface, go to Overview → iDRAC Settings → Network → SSL, select Generate Certificate Signing
Request (CSR) and click Next.
The Generate a New Certificate Signing Request page is displayed.
2. Enter a value for each CSR attribute.
For more information, see iDRAC Online Help.
3. Click Generate.
A new CSR is generated. Save it to the management station.
Generating CSR using RACADM
To generate a CSR using RACADM, use the set command with the objects in the iDRAC.Security group, and then use the sslcsrgen
command to generate the CSR.