Generating A New Certificate Signing Request - Dell iDRAC7 User Manual


An SSL-enabled system can perform the following tasks:
Authenticate itself to an SSL-enabled client
Allow the two systems to establish an encrypted connection
The encryption process provides a high level of data protection. iDRAC7 employs the 128-bit SSL encryption standard,
the most secure form of encryption generally available for Internet browsers in North America.
The iDRAC7 Web server has a Dell self-signed unique SSL digital certificate by default. You can replace the default SSL
certificate with a certificate signed by a well-known Certificate Authority (CA). A Certificate Authority is a business
entity that is recognized in the Information Technology industry for meeting high standards of reliable screening,
identification, and other important security criteria. Examples of CAs include Thawte and VeriSign. To initiate the
process of obtaining a CA-signed certificate, use either the iDRAC7 Web interface or the RACADM interface to generate a
Certificate Signing Request (CSR) with your company's information. Then, submit the generated CSR to a CA such as
VeriSign or Thawte. The CA can be a root CA or an intermediate CA. After you receive the CA-signed SSL certificate,
upload it to iDRAC.
For each iDRAC to be trusted by the management station, that iDRAC's SSL certificate must be placed in the
management station's certificate store. Once the SSL certificate is installed on the management stations, supported
browsers can access iDRAC without certificate warnings.
You can also upload a custom signing certificate to sign the SSL certificate, rather than relying on the default signing
certificate for this function. By importing one custom signing certificate into all management stations, all the iDRACs
using the custom signing certificate are trusted. If a custom signing certificate is uploaded when a custom SSL
certificate is already in-use, then the custom SSL certificate is disabled and a one-time auto-generated SSL certificate,
signed with the custom signing certificate, is used. You can download the custom signing certificate (without the private
key). You can also delete an existing custom signing certificate. After deleting the custom signing certificate, iDRAC
resets and auto-generates a new self-signed SSL certificate. If a self-signed certificate is regenerated, then the trust
must be re-established between that iDRAC and the management workstation. Auto-generated SSL certificates are
self-signed and have an expiration date of seven years and one day and a start date of one day in the past (to allow
for different time zone settings on management stations and the iDRAC).
The iDRAC7 Web server SSL certificate supports the asterisk character (*) as part of the left-most component of the
Common Name when generating a Certificate Signing Request (CSR). For example, *.qa.com or *.company.qa.com. This
is called a wildcard certificate. If a wildcard CSR is generated outside of iDRAC, you can have a single signed wildcard
SSL certificate that you can upload to multiple iDRACs, and all of those iDRACs are trusted by the supported browsers.
When you connect to the iDRAC Web interface using a supported browser that supports wildcard certificates, the iDRAC is
trusted by the browser. When you launch viewers, the iDRACs are trusted by the viewer clients.
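Generating a wildcard CSR outside of iDRAC, as described above, can be done with OpenSSL. The following is an added example, not part of the Dell manual: the function names, the subject fields other than the manual's sample name *.company.qa.com, the 2048-bit RSA key and the file names are assumptions, and it accepts the asterisk only as the entire left-most label.

```shell
#!/bin/sh
# Added example: build a wildcard CSR outside iDRAC and check it before
# sending it to a CA. Subject values and file names are constructed.
# Usage: make_wildcard_csr '*.company.qa.com' idrac.key idrac.csr
#        csr_common_name idrac.csr

# make_wildcard_csr <common-name> <key-file> <csr-file>
make_wildcard_csr() {
    cn=$1; key=$2; csr=$3
    # Accept "*" only as the entire left-most label (the form the manual shows).
    case "$cn" in
        \*.*) rest=${cn#\*.} ;;
        *) echo "CN must begin with '*.': $cn" >&2; return 1 ;;
    esac
    # Reject an empty remainder, empty labels at either end, or a second "*".
    case "$rest" in
        ""|.*|*.|*\**) echo "invalid wildcard CN: $cn" >&2; return 1 ;;
    esac
    (
        umask 077   # the private key must be readable by its owner only
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -keyout "$key" -out "$csr" \
            -subj "/C=US/O=Example Org/CN=$cn" 2>/dev/null
    )
}

# csr_common_name <csr-file>
# Prints the Common Name only if the CSR's self-signature verifies.
csr_common_name() {
    # Match on the message text: not every OpenSSL release reports a
    # failed verification through the exit status.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}
```

Because the signed certificate and its private key are then shared by every iDRAC that uses them, keep the key file access-restricted.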
Related Links
Generating a New Certificate Signing Request
Uploading Server Certificate
Viewing Server Certificate
Uploading Custom Signing Certificate
Downloading Custom SSL Certificate Signing Certificate
Deleting Custom SSL Certificate Signing Certificate
Generating a New Certificate Signing Request
A CSR is a digital request to a Certificate Authority (CA) for an SSL server certificate. SSL server certificates allow clients
of the server to trust the identity of the server and to negotiate an encrypted session with the server.
After the CA receives a CSR, it reviews and verifies the information the CSR contains. If the applicant meets the CA's
security standards, the CA issues a digitally signed SSL server certificate that uniquely identifies the applicant's server
when it establishes SSL connections with browsers running on management stations.