Dell iDrac – Install SSL Certificate using Racadm

Tim

iDrac modules come pre-loaded with a self-signed certificate. This article details how to replace the self-signed certificate with a custom certificate from a Trusted Root CA.

Best Practice

While the iDrac provides a ‘download CSR’ option to speed up generating a key/CSR, it does not include a SAN (Subject Alternative Name), which means modern browsers will throw an ‘Invalid certificate’ error when accessing the web UI.

The solution is to generate a key + certificate outside of iDrac, sign it and upload it: https://www.dell.com/community/Systems-Management-General/iDrac-8-SSL-Certificate-Does-Not-Contain-Subject-Alternative/m-p/6061906#M25917

Create a new key and CSR

For instructions on generating a new CSR with a SAN, see: https://scriptech.io/openssl-generate-a-new-key/

Once your key and CSR have been created and you have signed the certificate, download the certificate in the base64/pem format.

Uploading the key and certificate to iDrac

At first I tried combining the private key (.key) and certificate (.cer) into a single .pem and uploading using the web UI, but I kept getting an error that said the certificate I was attempting to upload was invalid.

An alternative command-line utility for managing Dell’s iDrac is racadm, which is included as part of their OpenManage tools package, which you can download below:

https://www.dell.com/support/article/us/en/04/sln311304/racadm-command-line-interface-for-drac?lang=en

Install the OpenManage tools.

Open an administrative PowerShell to C:\Program Files\dell\SysMgt\rac5

Run the following commands, pointing at the iDrac address and the .key and .cer.

Upload Key

.\racadm.exe -r servername.idrac.domain.com -u root -p <password> sslkeyupload -t 1 -f c:\path\to\servername.idrac.domain.com.pem.key

SSL key successfully uploaded to the RAC.

Upload Certificate

.\racadm.exe -r servername.idrac.domain.com -u root -p <password> sslcertupload -t 1 -f c:\path\to\servername.idrac.domain.com.pem.cer

DH010: Reset iDRAC to apply new certificate. Until iDRAC is reset, the old certificate will be active. Reset the iDRAC. The iDRAC can be reset by pressing the Identify button for 15 seconds. Using the RACADM command line utility, run "racadm racreset".

Reset the iDrac (as prompted)

.\racadm.exe -r servername.idrac.domain.com -u root -p <password> racreset

It may take a few minutes for the iDrac to come online again.

Once the iDrac came back online, I opened a new browser window and verified the certificate was working as expected: