2018-02-20

Updating iDRAC SSL Certs through Powershell


One of the things I'm working on at work right now is updating all our iDRACs after Meltdown/Spectre. We had never set up SSL on them; we had just always clicked through the browser's certificate warning. I got tired of this and decided to set up proper SSL certificates issued by our enterprise CA.

At first I was going to sign one multi-year wildcard certificate from my enterprise CA and install it by hand, but I decided that automating it with PowerShell would be better, since it is more dynamic and scales to more servers.

In this post, I will walk through a script that:

  1. generates a Certificate Signing Request (CSR) on the iDRAC,
  2. signs it with an enterprise CA,
  3. uploads the signed certificate to the iDRAC, and
  4. resets the iDRAC to apply the new certificate.




To interface with the iDRAC from the script, I'm using the Dell Remote Access Controller Admin (RACADM) CLI, which can be run remotely against the iDRAC over the network.

First, make sure that your iDRAC has Remote RACADM enabled; in the iDRAC web UI this is under Network, Services, Remote RACADM.
Configure Remote RACADM through Network, Services, Remote RACADM

Next, run a test command with racadm from a fresh PowerShell prompt:
& racadm.exe -r 192.168.100.215 -u root -p calvin getsvctag
(root/calvin are the Dell factory defaults; substitute an account you have actually set.) This will complain that the SSL certificate is invalid, which is exactly why we are replacing it in the first place, so you will probably see output like the below.


The first line after the certificate warning is the service tag. I am using -r IP here, but -r DNS.Host.Name is equally valid if there is a DNS entry set up for the iDRAC, which I would highly recommend.

The script is divided into a few sections:

  1. The Requirements region - to make sure that we're running a current version of PowerShell, that we have racadm.exe, and that we have certreq.exe
  2. Settings to connect to the iDRAC - the IP/hostname and the credentials to connect with
  3. CSR fields
  4. Applying DNS and CSR settings to the iDRAC
  5. Generating the CSR
  6. Signing the CSR
  7. Uploading the signed certificate to the iDRAC and resetting it to apply

At first, I was applying the settings with 8+ separate racadm calls, but waiting for each one to finish was quite time-consuming. Instead I switched to building a config file and applying all the CSR settings at once with it.

You can pull a cfg file of the settings an iDRAC currently has with
& racadm.exe -r 192.168.100.215 -u root -p calvin get -f $ENV:Temp\file.cfg
and if you open the result in an editor you will notice some interesting line endings.

This line-ending pattern looked interesting, but in my testing it was a red herring: the iDRAC was perfectly happy when I just made my config file with CR-LF line endings.

However, I did find that the config file I created needed to be ANSI encoded. Windows PowerShell's Out-File writes UTF-16 by default, so I specified -Encoding ASCII when I wrote my string out with Out-File.
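The following is an added example of the whole procedure in the seven sections listed above; it is not the post's own script. The hostname, the CA config string, the template name, the CSR field values and the working directory are placeholders, and the config-file layout (`[Key=iDRAC.Embedded.1#Security.1]` followed by `Attribute=Value` lines) is assumed to match what `racadm get -f` emits on iDRAC7/8, so compare it against a file pulled from your own iDRAC before relying on it. The `racadm` subcommands used are `set -f`, `sslcsrgen`, `sslcertupload -t 1` and `racreset`.

```powershell
#Requires -Version 5.0
# Added example, not the post's own script. Hostnames, the CA config string,
# the template name and the CSR fields are placeholders (assumptions); the
# config-file layout is assumed to match `racadm get -f` output on iDRAC7/8.

#region Requirements
foreach ($tool in 'racadm.exe', 'certreq.exe') {
    if (-not (Get-Command $tool -ErrorAction SilentlyContinue)) {
        throw "$tool was not found in PATH"
    }
}
#endregion

#region Settings to connect to the iDRAC
$IdracHost = 'idrac-r730-01.corp.example'                  # assumed FQDN; used for -r and as the CN
$IdracCred = Get-Credential -Message 'iDRAC credentials'   # prompt instead of hard-coding root/calvin
$CaConfig  = 'ca01.corp.example\Corp-Issuing-CA'           # assumed "CAHost\CAName" for certreq -config
$Template  = 'WebServer'                                   # assumed template; must allow a subject supplied in the request
$Work      = Join-Path $env:TEMP "idrac-$IdracHost"
New-Item -ItemType Directory -Force -Path $Work | Out-Null
if ($IdracHost -notmatch '\.') { throw 'Use the iDRAC FQDN so the DNS name, domain and CN can be derived' }
#endregion

#region CSR fields (attribute names as shown by racadm get -f)
$Csr = [ordered]@{
    CsrCommonName       = $IdracHost
    CsrOrganizationName = 'Example Corp'
    CsrOrganizationUnit = 'Infrastructure'
    CsrLocalityName     = 'Springfield'
    CsrStateName        = 'Illinois'
    CsrCountryCode      = 'US'
    CsrEmailAddr        = 'ops@corp.example'
    CsrKeySize          = 2048
}
#endregion

# Wrapper so every racadm call carries the same connection arguments and fails loudly.
function Invoke-Racadm {
    param([Parameter(Mandatory)][string[]]$Arguments)
    $password = $IdracCred.GetNetworkCredential().Password
    $output = & racadm.exe -r $IdracHost -u $IdracCred.UserName -p $password @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "racadm $($Arguments -join ' ') failed with exit code $LASTEXITCODE`n$output"
    }
    $output
}

#region Applying DNS and CSR settings to the iDRAC (one set -f instead of one call per attribute)
$shortName = $IdracHost.Split('.')[0]
$domain    = $IdracHost.Substring($shortName.Length + 1)
$csrLines  = $Csr.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }
$cfg = @(
    '[Key=iDRAC.Embedded.1#NIC.1]'
    "DNSRacName=$shortName"
    "DNSDomainName=$domain"
    '[Key=iDRAC.Embedded.1#Security.1]'
) + $csrLines
$cfgPath = Join-Path $Work 'csr.cfg'
# Windows PowerShell's Out-File defaults to UTF-16; the iDRAC wants a plain ASCII file with CR-LF endings.
($cfg -join "`r`n") | Out-File -FilePath $cfgPath -Encoding ASCII
Invoke-Racadm -Arguments 'set', '-f', $cfgPath
#endregion

#region Generating the CSR
$csrPath = Join-Path $Work 'idrac.csr'
Invoke-Racadm -Arguments 'sslcsrgen', '-g', '-f', $csrPath   # -g generates a new key pair and CSR, -f saves the CSR locally
#endregion

#region Signing the CSR with the enterprise CA
$cerPath = Join-Path $Work 'idrac.cer'
& certreq.exe -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $csrPath $cerPath
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cerPath)) {
    throw 'certreq did not return a signed certificate (check template permissions or a pending approval)'
}
# Check that what the CA issued is actually for this iDRAC before installing it.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
if ($issued.Subject -notmatch "CN=$([regex]::Escape($IdracHost))") {
    throw "Issued certificate subject '$($issued.Subject)' does not match $IdracHost"
}
#endregion

#region Uploading the signed certificate and resetting the iDRAC to apply it
Invoke-Racadm -Arguments 'sslcertupload', '-t', '1', '-f', $cerPath   # -t 1 = server certificate
Invoke-Racadm -Arguments 'racreset'                                    # iDRAC reboots; the web UI comes back after a minute or two
#endregion
```

Two things to keep in mind when running this. Remote racadm takes the password on the command line, so it is visible in process listings and in your PowerShell history; use a dedicated iDRAC account rather than the factory root/calvin, and prompt for it as above rather than writing it into the script. The template also has to let the requester supply the subject, because the subject comes from the CSR the iDRAC generated; if certreq reports the request as pending, the CA is waiting for manager approval and the upload step will correctly refuse to run. Once the reset finishes, rerun the getsvctag test and open the web UI to confirm the certificate warning is gone.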


