Hello. My name is Ted. I'm a senior engineer in the Systems Management group with Dell Technologies. In this video, I'm going to be going over iDRAC certificates, specifically for the web server. This is the white paper that we have for managing iDRAC certificates. It describes three main ways to manage certificates for iDRACs and CMCs.
The first type is the self-signed certificate, which is the default certificate type that the iDRAC ships with from the factory. The advantages of this are that you do not have to maintain a certificate authority and the certificates themselves are generated automatically by the iDRAC.
A disadvantage would be that the certificate for each iDRAC has to be added to the trusted certificate store on each management station, because each iDRAC has its own certificate authority which has to be trusted. To regenerate the self-signed certificate, you use the racadm command sslresetcfg.
There is a custom signed SSL certificate option, which leverages a signing certificate created by your own certificate authority. You export the certificate in PFX format with private key to use on each iDRAC. This is not a common use. The advantages of a custom signed certificate would be that you only have to trust one certificate authority for all your iDRACs.
It's possible that your in-house certificate authority is already trusted on all your management stations. Certificates are also auto-generated by the iDRAC. The disadvantage to this is that you have to maintain your own certificate authority. For this workflow, you have to export the root certificate authority with the private key in PFX format from your iDRAC.
You then go to iDRAC Settings, Services, Web Server, Custom SSL Signing Certificate and import the private key for your certificate authority into the iDRAC, which will then be used to sign all certificates that the iDRAC generates. The third, most common option is for a certificate-authority-signed SSL certificate, using a built-in signing request submitted to your certificate authority to create the web server certificate.
The advantages of this are that you can use any commercial certificate authority and you only have to have one certificate authority trusted for all your iDRACs. Likely, if using a commercial CA, this is already trusted by your management stations.
The disadvantage to this would be having to purchase commercial certificates or to maintain your own certificate authority. Let's go over a couple of these options. Here in the iDRAC, we can view the certificate that we are currently using and see this was issued to the iDRAC by the iDRAC.
We can see the certificate details: we're using SHA-256 with 2048 bits for our public key. To generate a custom signed certificate from the iDRAC, I'm gonna go ahead and log in and proceed to the appropriate setting here under iDRAC Settings, Services. We have the Web Server option, where we can create a signing request here in the iDRAC, providing common name, country, locality, organization, OU, state, email and any subject alternative name that we need for our certificate.
It's important to note that newer browsers require the subject alternative name, or they will still give you a certificate warning when accessing your iDRAC. Once you fill out this information, you will generate the CSR. It will download the file to your system, which you can then take to your certificate authority and get signed to upload again.
At this point, you can upload a custom certificate with the PFX file. It's important to note that this only works on the iDRAC 4.40.00.00 or newer firmware. Here is the option to upload a custom signing certificate, where you extract the private key from your certificate authority and then give it to your iDRAC to sign its own certificates, thereby allowing your management station to trust any certificates issued by your internal certificate authority.
Now, I'm going to go over this process using racadm. Before the iDRAC 4.40.00.00 firmware, you are required to separate the key pair from the certificate directly. Here you can see I have uploaded the PFX file to this location, where I'm using OpenSSL to split this.
We first are required to use the -nocerts option to extract the key from this file. I'm going to provide it the password for the PFX and then I'm going to enter a new pass phrase for the PEM itself. Now that we've extracted the key, we must put it in a format so the iDRAC can accept it. I'm also gonna have to provide that new PEM pass phrase that I just used when extracting the key file from the PFX. This command will then extract the PEM file, which is the certificate, directly from the PKCS. I must also provide the key password for that. Now that I have my iDRAC wildcard key and files, I can upload those to the iDRAC directly using racadm.
I've set up a PowerShell window here so that I don't have to type in user names or passwords or the iDRAC IP address and just use this as such. First, I'm going to upload the certificate. Now I need to provide it the private key. Now we need to reset the iDRAC so the new certificate can take effect.
This will take a moment. Once the iDRAC loads the new certificate, we can compare it with the current certificate that we have installed. Now that the iDRAC is back up, we can view the certificate and see that this was issued by my certificate authority as a wildcard certificate.
Additional things that we can do: first, I'm going to clear the SSL certificate again. Since we're resetting the SSL certificate, it's important to reset the iDRAC so the new certificate can take effect. Now we're back to our original certificate. Now, because the iDRAC is specifically version 4.40.00.00, I can also use this command to upload the certificate directly without splitting the key and the certificate apart. This is type 16, and it is also required to provide the password for extracting the key from the PEM. As in other instances, I have to reset the iDRAC for the new certificate to take effect.
Now that the iDRAC is back up, we can see that our wildcard certificate is installed successfully. As a note, I'm seeing the security warning here because I'm not using an FQDN. It is dot dot local. If I were using the FQDN of the iDRAC with that domain name, I would not be seeing this certificate warning.
Again, I'm going to reset the iDRAC defaults so that I can show you how to generate a CSR using racadm. Now that we're back to the original certificate, I'm gonna go ahead and show you how we can create a custom CSR. Here are the commands that I'm going to run for creating a custom CSR. With this, I'm going to update these fields, generate a new CSR, then upload it to my certificate authority for signing. I've created this little PowerShell script to display the fields, fill them out and then display them again before I generate the signing request. Now that the values are fully populated, I'm going to generate a CSR to have my certificate authority sign it. When using my CSR with my certificate authority, I request a certificate and submit a request with the Base64-encoded information that was provided. I have to choose a web server certificate, and then it's important to choose Base64 encoded and download the entire certificate chain.
Now that the new certificate is uploaded, we must reset the iDRAC as well for the new certificate to take effect. Now that the certificate is uploaded, we can see that it was signed by my certificate authority, and we can confirm the details that we are now using a 4096-bit RSA key. Again, on the iDRAC Settings, Services page under our web server, I am gonna choose SSL/TLS Custom Signing Certificate. Now that my custom signing certificate is successfully installed, I can reset the iDRAC for the new certificate to take effect, where the iDRAC will regenerate a self-signed certificate using the private keys that I've just uploaded to it from my certificate authority.
Now that our iDRAC is back up, we can see that it was self-generated and was issued by our certificate authority, because it is now using the certificate signing certificate that we have provided. If we no longer want to use the custom signing certificate, we can delete the signing certificate from this interface here. The workflow process of this: once the certificate is removed, it will automatically regenerate a new self-signed certificate and then ask me if I want to reset the iDRAC for that new certificate to take effect. Now that our iDRAC is back up, we can check our certificate and see that it has again returned to the self-issued certificate. We can also verify this with a command to view the SSL certificate. That concludes my video on iDRAC certificates. Thank you so much for watching. I hope you have a great day.
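The PFX split described in the video for firmware older than 4.40.00.00, written out as an added example that is not taken from the video or from Dell, followed by a check that the extracted key and certificate belong together and that the certificate carries a subject alternative name before anything is uploaded. The exact OpenSSL command forms (other than the -nocerts option the speaker names), the file names, the example.test subject and the passwords are assumptions constructed for the example.

```bash
#!/usr/bin/env bash
# Added example; every file name, subject and password below is constructed.
# "pass:" arguments are visible in the process list: for real keys let openssl
# prompt, or use its env:/file: password sources instead.

# Build a throwaway wildcard certificate and PFX so the example runs offline.
make_sample_pfx() {  # $1=workdir  $2=PFX password
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=*.example.test" -addext "subjectAltName=DNS:*.example.test" \
    -keyout "$1/src.key" -out "$1/src.crt" 2>/dev/null &&
  openssl pkcs12 -export -inkey "$1/src.key" -in "$1/src.crt" \
    -out "$1/wildcard.pfx" -passout "pass:$2" 2>/dev/null
}

# Split the PFX into key.pem and cert.pem (assumed command forms).
split_pfx() {  # $1=PFX  $2=PFX password  $3=temporary PEM pass phrase  $4=outdir
  ( umask 077   # key material must not be group- or world-readable
    # 1. -nocerts: extract only the private key, encrypted under a new pass phrase
    openssl pkcs12 -in "$1" -nocerts -passin "pass:$2" -passout "pass:$3" \
      -out "$4/key-enc.pem" 2>/dev/null &&
    # 2. rewrite the key for upload, supplying the pass phrase from step 1
    #    (assumption: the upload wants a PEM key without a pass phrase)
    openssl rsa -in "$4/key-enc.pem" -passin "pass:$3" \
      -out "$4/key.pem" 2>/dev/null &&
    # 3. -clcerts -nokeys: extract only the leaf certificate
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" \
      -out "$4/cert.pem" 2>/dev/null &&
    rm -f "$4/key-enc.pem" )
}

# Succeeds only when the private key and the certificate share one public key.
key_matches_cert() {  # $1=key PEM  $2=certificate PEM
  _k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  _c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$_k" ] && [ "$_k" = "$_c" ]
}

# Succeeds only when the certificate has a subject alternative name extension,
# which the video notes newer browsers require.
has_san() {  # $1=certificate PEM
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    grep -q "Subject Alternative Name"
}
```

The unencrypted key.pem exists only to be uploaded; remove it from the management station once the upload has been confirmed.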