Beginning with the iDRAC6, it has been possible to create a certificate with your own public key infrastructure (PKI) and import it into the iDRAC. This gives you more control over the certificate creation process and lets you automate it. The same process can also be used to create and import a wildcard certificate. From a security standpoint, wildcard certificates are not best practice: one private key then covers every host under the domain, so a key stolen from one device can impersonate all of them. Nevertheless, the process used to create any external certificate works equally for a wildcard certificate.
To import an SSL certificate you need a private key and a certificate signed for that key. The certificate can be issued by a third party or generated yourself. Below is a basic example of the certificate creation process using OpenSSL in a Windows environment:
OpenSSL private key and certificate for use as a Certificate Authority
The OpenSSL installation must act as a Certificate Authority (CA) so that it can sign the iDRAC's certificate request. Here are the steps:
Creating the CA private key:
You are prompted for a password for the private key. It is needed again later, when you sign the iDRAC's request, so remember it.
Creating the CA certificate using the key just created:
You are prompted for details about the certificate, such as the common name and location data. The most important field is the Common Name: it is the identity of the CA and appears as the issuer of every certificate the CA signs. Unlike the iDRAC's own certificate, it does not need to match any hostname; browsers check the hostname against the server certificate, not against the CA certificate. This field is highlighted in the screenshot below.
Now that a private key and certificate are available for the Certificate Authority, we can create a private key and CSR for the iDRAC and then sign that request with our CA certificate and key.
Creating the private key, Certificate Signing Request, and certificate for the iDRAC web services
For the iDRAC, we need a key and a signed certificate to import into the web services. OpenSSL covers both.
First, we create a private key and a certificate signing request (CSR) that we then sign with the CA certificate. The key and CSR can be created in the same step:
You have to fill out the certificate details. The common name for this certificate should match the name by which you access the iDRAC (highlighted below). Note that current browsers validate the hostname against the Subject Alternative Name extension rather than the Common Name, so a certificate signed without a SAN may still produce a browser warning even when the Common Name is correct.
Also of note: you must supply a passphrase for the private key being created (highlighted below).
We now have the two components to upload to the iDRAC: the private key (idrac_web.key) and the signed certificate (idrac_web.cer).
Upload certificate in iDRAC
With the private key and certificate pair in hand, we can upload both to the iDRAC.
Note: For the following steps, I copied the private key and the certificate to the root of the C: drive for ease of access and to shorten the commands.
First, we must upload the certificate:
I used the remote racadm command with the interactive option.
After the web interface has come back, verify the certificate: open the web interface in any browser and inspect the certificate it presents. It should show the configured common name and be issued by the common name configured in your CA. The browser will still warn about the certificate until the CA certificate has been imported into the browser's or operating system's trusted root store, since a private CA is not trusted by default.
Additional information
For certificate issues on iDRAC6, iDRAC7 and iDRAC8, see this article: