Users Guide
Table 16. Types of certificate based on login type (continued)
Login Type Certificate Type How to Obtain
Active Directory user login Trusted CA certificate This certificate is issued by a CA.
SHA-2 certificates are also
supported.
Local User login SSL Certificate Generate a CSR and get it signed
from a trusted CA
NOTE: iDRAC ships with a
default self-signed SSL server
certificate. The iDRAC Web
server, Virtual Media, and Virtual
Console use this certificate.
SHA-2 certificates are also
supported.
SSL server certificates
iDRAC includes a web server that is configured to use the industry-standard SSL security protocol to transfer encrypted data
over a network. An SSL encryption option is provided to disable weak ciphers. Built upon asymmetric encryption technology,
SSL is widely accepted for providing authenticated and encrypted communication between clients and servers to prevent
eavesdropping across a network.
An SSL-enabled system can perform the following tasks:
● Authenticate itself to an SSL-enabled client
● Allow the two systems to establish an encrypted connection
NOTE:
If SSL encryption is set to 256-bit or higher and 168–bit or higher, the cryptography settings for your virtual
machine environment (JVM, IcedTea) may require installing the Unlimited Strength Java Cryptography Extension Policy
Files to permit usage of iDRAC plugins such as vConsole with this level of encryption. For information about installing the
policy files, see the documentation for Java.
iDRAC Web server has a Dell self-signed unique SSL digital certificate by default. You can replace the default SSL certificate
with a certificate signed by a well-known Certificate Authority (CA). A Certificate Authority is a business entity that is
recognized in the Information Technology industry for meeting high standards of reliable screening, identification, and other
important security criteria. Examples of CAs include Thawte and VeriSign. To initiate the process of obtaining a CA-signed
certificate, use either iDRAC Web interface or RACADM interface to generate a Certificate Signing Request (CSR) with your
company’s information. Then, submit the generated CSR to a CA such as VeriSign or Thawte. The CA can be a root CA or an
intermediate CA. After you receive the CA-signed SSL certificate, upload this to iDRAC.
For each iDRAC to be trusted by the management station, that iDRAC’s SSL certificate must be placed in the management
station’s certificate store. Once the SSL certificate is installed on the management stations, supported browsers can access
iDRAC without certificate warnings.
You can also upload a custom signing certificate to sign the SSL certificate, rather than relying on the default signing certificate
for this function. By importing one custom signing certificate into all management stations, all the iDRACs using the custom
signing certificate are trusted. If a custom signing certificate is uploaded when a custom SSL certificate is already in-use, then
the custom SSL certificate is disabled and a one-time auto-generated SSL certificate, signed with the custom signing
certificate, is used. You can download the custom signing certificate (without the private key). You can also delete an existing
custom signing certificate. After deleting the custom signing certificate, iDRAC resets and auto-generates a new self-signed
SSL certificate. If a self-signed certificate is regenerated, then the trust must be re-established between that iDRAC and the
management workstation. Auto-generated SSL certificates are self-signed and have an expiration date of seven years and one
day and a start date of one day in the past (for different time zone settings on management stations and the iDRAC).
The iDRAC Web server SSL certificate supports the asterisk character (*) as part of the left-most component of the Common
Name when generating a Certificate Signing Request (CSR). For example, *.qa.com, or *.company.qa.com. This is called a
wildcard certificate. If a wildcard CSR is generated outside of iDRAC, you can have a signed single wildcard SSL certificate that
you can upload for multiple iDRACs and all the iDRACs are trusted by the supported browsers. While connecting to iDRAC Web
interface using a supported browser that supports a wildcard certificate, the iDRAC is trusted by the browser. While launching
viewers, the iDRACs are trusted by the viewer clients.
106
Configuring iDRAC