1 Rookie


August 4th, 2025 10:18

iDRAC: Upload & Manage CA Certificates

Hey,

What are my options to upload (and manage) CA certificates in iDRAC - in my case for the use of secure syslog?

What I found so far: 

Upload button under "System Settings / Alert Configuration / Remote Syslog Settings / SSL/TLS Certificate Signing Request", but this is a manual action on a single device.

How can I deploy our CA certificate to multiple machines? I'm thinking of Server Configuration Profile or Compliance Policy. I was looking through the server configuration XML settings, but didn't find any property.

Thanks for help!

Moderator


August 4th, 2025 19:04

I checked with Systems Management:

 

This is the command:

 

racadm sslcertupload -t ##

 

Page 134

https://dl.dell.com/content/manual33860635-integrated-dell-remote-access-controller-9-racadm-cli-guide.pdf?language=en-us

 

But there is not a Server Config Profile attribute for that, so OME can't do it.

Moderator


August 4th, 2025 15:15

Hello,

 

You're correct that uploading a CA certificate for secure syslog in iDRAC is typically done manually via the web interface under:

System Settings > Alert Configuration > Remote Syslog Settings > SSL/TLS Certificate Signing Request

However, for bulk deployment across multiple servers, Dell provides more scalable options using Server Configuration Profiles (SCPs) and Compliance Policies, though with limitations.

 

Manual Upload (Single Device)

  • Upload the CA certificate manually via the iDRAC web UI.
  • This is the only officially supported method for configuring TLS-based Remote Syslog on a per-device basis.
  • iDRAC supports one secure syslog target and uses TCP port 6514 for encrypted syslog.

Dell iDRAC9 Security Configuration Guide – Remote Syslog with TLS

https://www.dell.com/support/manuals/en-us/idrac9-lifecycle-controller-v7.x-series/idrac9_scg_tta/remote-syslog-with-tls?guid=guid-6259e61f-c3c5-4583-a960-a8446609b026

 

 

Bulk Deployment Options

1. Server Configuration Profile (SCP)

 

 

2. Compliance Policies in OpenManage Enterprise

  • Compliance policies can enforce configuration settings across multiple servers.
  • However, certificate management is not currently supported for syslog TLS in compliance policies.
  • These policies are more effective for BIOS, RAID, and network settings.

 

3. RACADM CLI or Redfish API

  • RACADM does not currently support uploading CA certificates for syslog TLS.
  • Redfish API support for certificate management is limited and does not include syslog TLS certificates.

 

 

 

Best Practice

  • Use a central certificate authority to generate a single trusted CA cert.
  • Upload manually to each iDRAC using the web UI.
  • Document the process and automate via browser automation tools or Dell’s scripting interfaces if needed.

We don't do scripting on the forum but this may be helpful:

iDRAC9 Redfish API

https://developer.dell.com/apis/2978/versions/7.xx/docs/0WhatsNew.md

 

1 Rookie


August 4th, 2025 18:33

@DELL-Charles R

Yeah, those were also my findings, to do it manually in the end. Luckily RootCA certs are valid for 10 years or more ;)

At some point I had the hope to find a proper solution... but no.

I uploaded our RootCA cert via the GUI in the Secure Syslog settings menu. After that I exported the server config to XML. Great, there were empty entries like
  <Attribute Name="SecurityCertificate.1#CertData"></Attribute>
  <Attribute Name="SecurityCertificate.1#CertType"></Attribute>

Another line told me 
  <Attribute Name="SecurityCertificate.1#CertificateType">REMOTE_SYSLOG_SERVER</Attribute>


This was obviously the certificate recently uploaded via GUI.

Let's combine it! I took the certificate base64 content, set the type to 'REMOTE_SYSLOG_SERVER' and tried to import it on a second server - failed!

After more research I came across this page:
https://infohub.delltechnologies.com/en-us/l/server-configuration-profiles-reference-guide/certificates-46/

It says the available CertTypes are:
    KMS_SERVER_CA
    SEKM_SSL_CERT
    RSYSLOG_1
    RSYSLOG_2
    DEL_AUTH_HTTPS_1
    DEL_AUTH_HTTPS_2

And starting with iDRAC9 version 6.00.02.00 these additional certificates are now supported for importing:
    LDAP_CA
    SCEP_CA
    RSA_CA
    WEBSERVER_SSL
    BIOS_HTTPS_BOOT_CERT


Great info! But wait, what again is the difference between 'REMOTE_SYSLOG_SERVER' and 'RSYSLOG_1'? And even more questions arose. How do I delete certificates, and what happens if storage spaces SecurityCertificate.1 through SecurityCertificate.15 are in use? Can I overwrite certificates by naming them e.g. SecurityCertificate.3?

In comparison to competitors, DELL iDRAC and DELL OpenManage Enterprise offer many solutions to different customer needs. But there's far more potential that could be used to satisfy even more use cases!
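Since the thread ends with a manual upload per iDRAC, one way to check the result across a fleet is to read each exported Server Configuration Profile and list which `SecurityCertificate.N` slots report a `CertificateType`. This is an added example, not part of any post above and not Dell code; the wrapper elements in the sample XML, the host names, and the reading of an empty `CertificateType` as a free slot are assumptions.

```python
import re
import xml.etree.ElementTree as ET

MAX_SLOTS = 15  # the post mentions SecurityCertificate.1 through .15
SLOT_ATTR = re.compile(r"^SecurityCertificate\.(\d+)#(\w+)$")

# Constructed sample; the wrapper elements are an assumption about the export layout.
SAMPLE_SCP = """<SystemConfiguration>
  <Component FQDD="iDRAC.Embedded.1">
    <Attribute Name="SecurityCertificate.1#CertData"></Attribute>
    <Attribute Name="SecurityCertificate.1#CertType"></Attribute>
    <Attribute Name="SecurityCertificate.1#CertificateType">REMOTE_SYSLOG_SERVER</Attribute>
    <Attribute Name="SecurityCertificate.2#CertData"></Attribute>
    <Attribute Name="SecurityCertificate.2#CertType"></Attribute>
    <Attribute Name="SecurityCertificate.2#CertificateType"></Attribute>
  </Component>
</SystemConfiguration>"""


def certificate_slots(scp_xml):
    """Return {slot number: {field: value}} for every SecurityCertificate.N attribute."""
    slots = {}
    for attr in ET.fromstring(scp_xml).iter("Attribute"):
        match = SLOT_ATTR.match(attr.get("Name", ""))
        if match:
            fields = slots.setdefault(int(match.group(1)), {})
            fields[match.group(2)] = (attr.text or "").strip()
    return slots


def audit(scp_xml, wanted="REMOTE_SYSLOG_SERVER"):
    """Summarise used/free slots and whether the wanted certificate type is present."""
    slots = certificate_slots(scp_xml)
    # Assumption: a slot with an empty CertificateType holds no certificate.
    used = {n: f["CertificateType"] for n, f in sorted(slots.items())
            if f.get("CertificateType")}
    free = [n for n in range(1, MAX_SLOTS + 1) if n not in used]
    return {"used": used, "free": free, "has_wanted": wanted in used.values()}


if __name__ == "__main__":
    # Per-host exports would be read from files; these two cases are constructed.
    fleet = {"host-a (constructed)": SAMPLE_SCP,
             "host-b (constructed)": SAMPLE_SCP.replace("REMOTE_SYSLOG_SERVER", "")}
    for host, xml_text in fleet.items():
        result = audit(xml_text)
        status = "ok" if result["has_wanted"] else "MISSING syslog CA"
        print(f"{host}: {status}; used={result['used']}; free={len(result['free'])}")
```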
