Bumping the Certificate Signing Request (CSR) key length to 2048 bits requires the use of the racadm.exe utility: there is no way to change the CSR key length from the iDRAC UI, at least not in version 7.
Here are the steps you'll need to automate the generation of CSRs for all new servers that identify themselves as Dell.
Changing the CSR cryptographic key length size
racadm.exe -r dellServer.myCloud.local -u "DRAC_USERNAME" -p "DRAC_PASSWORD" config -g cfgRacSecurity -o cfgRacSecCsrKeySize 2048
Changing the CSR Common Name
racadm.exe -r dellServer.myCloud.local -u "DRAC_USERNAME" -p "DRAC_PASSWORD" config -g cfgRacSecurity -o cfgRacSecCsrCommonName "dellServer.myCloud.local"
Changing the CSR Organisation Name
racadm.exe -r dellServer.myCloud.local -u "DRAC_USERNAME" -p "DRAC_PASSWORD" config -g cfgRacSecurity -o cfgRacSecCsrOrganizationName "BURGER BURGER BURGER Pty Ltd"
Changing the CSR Organization Unit
racadm.exe -r dellServer.myCloud.local -u "DRAC_USERNAME" -p "DRAC_PASSWORD" config -g cfgRacSecurity -o cfgRacSecCsrOrganizationUnit "Security Operations"
Changing the CSR Locality
racadm.exe -r dellServer.myCloud.local -u "DRAC_USERNAME" -p "DRAC_PASSWORD" config -g cfgRacSecurity -o cfgRacSecCsrLocalityName "Sydney"
Changing the CSR State
racadm.exe -r dellServer.myCloud.local -u "DRAC_USERNAME" -p "DRAC_PASSWORD" config -g cfgRacSecurity -o cfgRacSecCsrStateName "NSW"
Changing the CSR Country
racadm.exe -r dellServer.myCloud.local -u "DRAC_USERNAME" -p "DRAC_PASSWORD" config -g cfgRacSecurity -o cfgRacSecCsrCountryCode "AU"
Changing the CSR e-mail address
racadm.exe -r dellServer.myCloud.local -u "DRAC_USERNAME" -p "DRAC_PASSWORD" config -g cfgRacSecurity -o cfgRacSecCsrEmailAddr "pki@burgerburgerburger.com"
Resetting the iDRAC unit
racadm.exe -r dellServer.myCloud.local -u "DRAC_USERNAME" -p "DRAC_PASSWORD" racreset soft
Generating the CSR
racadm.exe -r dellServer.myCloud.local -u "DRAC_USERNAME" -p "DRAC_PASSWORD" sslcsrgen -g -f "C:\temp\dellServer.mycloud.local.csr"
Once you've approved the CSR, you'll get a nice minted certificate you can use to eliminate those pesky iDRAC errors. It should look something like this (if you're using Chrome on OSX)
I've blacked out the Issuing CA details, but all the details in the certificate Subject Name match with the script above. |
Some other areas that you may want to automate in your environment include
- Configuration of SNMP (for hardware alerting)
- Uploading the certificate
- Renaming the default iDRAC user account and setting a strong password
- Disabling features that are not required
- Changing the default IPMI key
Remember, once you've automated it for one server, the next 1000 servers are easy!
One caveat: I think iDRAC is unstable or has a memory leak: generating a Certificate Signing Request (CSR) only works reliably if you reset the iDRAC beforehand. Once I added this step in, the CSR generation process became more reliable.
One caveat: I think iDRAC is unstable or has a memory leak: generating a Certificate Signing Request (CSR) only works reliably if you reset the iDRAC beforehand. Once I added this step in, the CSR generation process became more reliable.