User's Guide

plugins such as vConsole with this level of encryption. For information about installing the policy files, see the
documentation for Java.
The iDRAC Web server has a Dell self-signed unique SSL digital certificate by default. You can replace the default SSL certificate
with a certificate signed by a well-known Certificate Authority (CA). A Certificate Authority is a business entity that is
recognized in the Information Technology industry for meeting high standards of reliable screening, identification, and other
important security criteria. Examples of CAs include Thawte and VeriSign. To initiate the process of obtaining a CA-signed
certificate, use either the iDRAC Web interface or the RACADM interface to generate a Certificate Signing Request (CSR) with your
company's information. Then, submit the generated CSR to a CA such as VeriSign or Thawte. The CA can be a root CA or an
intermediate CA. After you receive the CA-signed SSL certificate, upload it to iDRAC.
For each iDRAC to be trusted by the management station, that iDRAC's SSL certificate must be placed in the management
station's certificate store. Once the SSL certificate is installed on the management stations, supported browsers can access
iDRAC without certificate warnings.
NOTE: When accessing the iDRAC web interface through its FQDN, Mozilla Firefox may not recognize the SSL certificate as
trusted. To continue, add the certificate to the trusted list.
You can also upload a custom signing certificate to sign the SSL certificate, rather than relying on the default signing certificate
for this function. By importing one custom signing certificate into all management stations, all the iDRACs using the custom
signing certificate are trusted. If a custom signing certificate is uploaded when a custom SSL certificate is already in use, then
the custom SSL certificate is disabled and a one-time auto-generated SSL certificate, signed with the custom signing
certificate, is used. You can download the custom signing certificate (without the private key). You can also delete an existing
custom signing certificate. After deleting the custom signing certificate, iDRAC resets and auto-generates a new self-signed
SSL certificate. If a self-signed certificate is regenerated, then the trust must be re-established between that iDRAC and the
management workstation. Auto-generated SSL certificates are self-signed and have an expiration date of seven years and one
day and a start date of one day in the past (to allow for different time zone settings on management stations and the iDRAC).
The iDRAC Web server SSL certificate supports the asterisk character (*) as part of the left-most component of the Common
Name when generating a Certificate Signing Request (CSR). For example, *.qa.com, or *.company.qa.com. This is called a
wildcard certificate. If a wildcard CSR is generated outside of iDRAC, you can obtain a single signed wildcard SSL certificate and
upload it to multiple iDRACs; all of those iDRACs are then trusted by the supported browsers. When you connect to the iDRAC Web
interface using a supported browser that supports wildcard certificates, the iDRAC is trusted by the browser. When you launch
viewers, the iDRACs are trusted by the viewer clients.
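The following Python example is added here and is not part of the Dell guide. It checks which iDRAC names a wildcard Common Name such as *.qa.com covers, assuming the usual browser rule that the asterisk stands for exactly one left-most DNS label. The function names and the host inventory are constructed for illustration.

```python
import ipaddress

def classify(pattern: str, host: str) -> str:
    """Return "covered" if certificate name `pattern` covers `host`, else the reason it does not."""
    pat = pattern.rstrip(".").lower().split(".")
    name = host.rstrip(".").lower()
    try:
        ipaddress.ip_address(name)
        return "ip-address"        # a DNS wildcard never matches an IP literal
    except ValueError:
        pass
    labels = name.split(".")
    if not all(labels):
        return "invalid-name"      # empty label, e.g. ".qa.com"
    if pat[0] != "*":
        # Assumption: only a whole-label "*" is a wildcard; anything else is an exact name.
        return "covered" if pat == labels else "different-name"
    suffix = pat[1:]
    if labels == suffix:
        return "apex-name"         # "*.qa.com" does not cover "qa.com" itself
    if labels[-len(suffix):] != suffix:
        return "different-domain"
    if len(labels) > len(pat):
        return "extra-label"       # "*" stands for exactly one label
    return "covered"

def uncovered(pattern: str, hosts: list[str]) -> dict[str, str]:
    """Map each host that `pattern` does not cover to the reason."""
    results = {h: classify(pattern, h) for h in hosts}
    return {h: why for h, why in results.items() if why != "covered"}

# Constructed inventory of names used to reach iDRACs (not from the guide).
FLEET = [
    "idrac1.qa.com",
    "IDRAC2.QA.COM.",       # case and trailing dot are normalized
    "idrac3.lab.qa.com",    # one label too deep for *.qa.com
    "qa.com",
    "idrac4.qa.org",
    "192.168.0.120",        # reached by address, not by name
]

if __name__ == "__main__":
    for host, why in uncovered("*.qa.com", FLEET).items():
        print(f"{host}: {why}")
```

Any name reported as uncovered still produces a certificate warning when the iDRAC is reached through it, so it needs its own certificate or a wildcard issued for the deeper domain.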
Related concepts
Generating a new certificate signing request on page 95
Uploading server certificate on page 96
Viewing server certificate on page 97
Uploading custom signing certificate on page 97
Downloading custom SSL certificate signing certificate on page 97
Deleting custom SSL certificate signing certificate on page 98
Generating a new certificate signing request
A CSR is a digital request to a Certificate Authority (CA) for an SSL server certificate. SSL server certificates allow clients of the
server to trust the identity of the server and to negotiate an encrypted session with the server.
After the CA receives a CSR, it reviews and verifies the information the CSR contains. If the applicant meets the CA's security
standards, the CA issues a digitally-signed SSL server certificate that uniquely identifies the applicant's server when it
establishes SSL connections with browsers running on management stations.
After the CA approves the CSR and issues the SSL server certificate, it can be uploaded to iDRAC. The information used to
generate the CSR, stored on the iDRAC firmware, must match the information contained in the SSL server certificate, that is,
the certificate must have been generated using the CSR created by iDRAC.
Related concepts
SSL server certificates on page 94
Generating CSR using web interface
To generate a new CSR: