May 12th, 2023 14:00

iDRAC not accepting ECDSA (P-256) SSL certificate

Current recommendations (e.g. https://wiki.mozilla.org/Security/Server_Side_TLS) are to use ECDSA certificates with P-256 (aka prime256v1, secp256r1) rather than RSA. I attempted to install such a certificate and key into an iDRAC 9, and it seems to work at first, but after rebooting, it comes back up with a new self-signed certificate instead of the one I installed.

That is, I followed the documented sslkeyupload, sslcertupload, racreset procedure:

$ racadm -r cluster3-drac.internal -i sslkeyupload -t 1 -f cluster-drac.key
UserName: root
Password:
SSL key successfully uploaded to the RAC.
$ racadm -r cluster3-drac.internal -i sslcertupload -t 1 -f cluster-drac.crt
UserName: root
Password:
DH010: Reset iDRAC to apply new certificate. Until iDRAC is reset, the old
certificate will be active. Reset the iDRAC. The iDRAC can be reset by pressing
the Identify button for 15 seconds. Using the RACADM command line utility, run
"racadm racreset".

At this point, racadm -r cluster3-drac.internal -i sslcertview -t 1 shows the certificate I just uploaded. It is in the valid date range and uses SHA-256 with an EC prime256v1 public key.

However, after a racreset, it is using a brand new self-signed cert instead (notably, not the one used before I uploaded my cert!). It seems that after rebooting, it is rejecting my certificate for some reason and generating a new one.

This was with iDRAC 9 firmware 5.10.30.00. I tried updating to the latest 6.10.30.20 but that did not help. With 6.10.30.20, it actually worked temporarily -- after the sslcertupload step, it said "Web server is restarting to complete the certificate update. Please wait for a few minutes for this process to complete." And indeed, after a little while, the web server came back up with my cert and all appeared well! However, after rebooting with racreset (just to make sure), it once again generated a brand new self-signed cert and discarded the one I had just configured.

I know my cert & key are good, as I have tested them with an Apache server. I have also tested the following certs on the iDRAC:

  • an RSA 2048-bit/SHA-256 cert signed by the same internal CA: works fine
  • a different ECDSA P-256/SHA-256 cert signed by Let's Encrypt: fails the same way (appears to accept it, but generates a new self-signed cert after rebooting)

So it would seem that the iDRAC does not like this type of cert. Ideally this would be fixed, but it should at least be documented that only RSA certs are currently supported.
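An added example, not part of the original post and not Dell's tooling, for the two checks a practitioner would want around this procedure: confirming before sslcertupload which key algorithm, curve and signature algorithm a certificate actually carries, and after racreset comparing the certificate the iDRAC web server presents against the one uploaded (a fingerprint mismatch is exactly the symptom described above). It walks only the outer DER structure of an X.509 certificate using the Python standard library; the sample certificates it builds are constructed placeholders with dummy key and signature bytes, not valid certificates. The certificate path and iDRAC hostname taken on the command line are assumptions for illustration.

```python
# Added example (not from the original post or from Dell): inspect a
# certificate's key/signature algorithms and compare uploaded vs. served cert.
import hashlib
import ssl

OID_NAMES = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.10045.2.1": "id-ecPublicKey",
    "1.2.840.10045.3.1.7": "prime256v1 (P-256)",
    "1.3.132.0.34": "secp384r1 (P-384)",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def tlv(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(chunk)
    return tlv(0x06, body)

def describe_cert(der):
    """Key algorithm, curve (EC only), signature algorithm and SHA-256 fingerprint."""
    _, cert, _ = der_read(der)
    (_, tbs), (_, sig_alg), _ = der_children(cert)
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                # explicit [0] version is optional
        fields = fields[1:]
    # fields: serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    key_params = der_children(der_children(fields[5][1])[0][1])
    key_oid = decode_oid(key_params[0][1])
    curve = None
    if key_oid == "1.2.840.10045.2.1" and len(key_params) > 1 and key_params[1][0] == 0x06:
        curve_oid = decode_oid(key_params[1][1])
        curve = OID_NAMES.get(curve_oid, curve_oid)
    sig_oid = decode_oid(der_children(sig_alg)[0][1])
    return {"key": OID_NAMES.get(key_oid, key_oid), "curve": curve,
            "sig": OID_NAMES.get(sig_oid, sig_oid),
            "sha256": hashlib.sha256(der).hexdigest()}

def fetch_served_cert(host, port=443):
    """Certificate the iDRAC web server presents now (no chain validation: it may be self-signed)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

def certs_match(uploaded_der, served_der):
    return describe_cert(uploaded_der)["sha256"] == describe_cert(served_der)["sha256"]

def build_sample_cert(key_oid, curve_oid, sig_oid):
    """Constructed placeholder X.509 with dummy key/signature bytes, for offline demonstration only."""
    params = encode_oid(curve_oid) if curve_oid else tlv(0x05, b"")
    spki = tlv(0x30, tlv(0x30, encode_oid(key_oid) + params) + tlv(0x03, b"\x00\x04" + b"\x11" * 64))
    sig_alg = tlv(0x30, encode_oid(sig_oid) + (b"" if curve_oid else tlv(0x05, b"")))
    validity = tlv(0x30, tlv(0x17, b"230512000000Z") + tlv(0x17, b"240512000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sig_alg
              + tlv(0x30, b"") + validity + tlv(0x30, b"") + spki)
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" + b"\x22" * 8))

if __name__ == "__main__":
    import sys                                  # usage: script.py cluster-drac.crt [idrac-host]
    with open(sys.argv[1]) as f:
        local = ssl.PEM_cert_to_DER_cert(f.read())
    print("uploaded:", describe_cert(local))
    if len(sys.argv) > 2:                       # run this after racreset
        served = fetch_served_cert(sys.argv[2])
        print("served:  ", describe_cert(served))
        print("match:", certs_match(local, served))
```

Running it once with the local .crt before upload and again with the iDRAC hostname after racreset gives a record of what was installed versus what is served; when the "match" line is False and the served certificate is one the iDRAC generated itself, the behaviour reported in this post has occurred, and the "key"/"curve" fields of the uploaded certificate show whether it was an EC P-256 one.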
