Categories
Security Windows Server

Install Lets Encrypt SSL Certificate on Windows Server iDRAC

Recently, I’ve been installing Lets Encrypt SSL certificates on all of the network devices on my network. This past week, I’ve been working with Dell iDRAC cards (a remote access card that allows you to manage servers remotely, even when they are powered off) in some of my servers. I got tired of clicking through the SSL warning whenever I would try to access one of my iDRAC cards, so I created a script to replace the self-signed certificate on the card.

1. Install Certify

You’ll need to install Certify on your server to generate certificates. Depending on who your domain registrar is, the setup process will be different. Here’s some documentation to get you started. But you need to use the DNS verification method. The only other configuration change you need to make is to click on the deployment tab, then select the deployment mode “No Deployment”. This will save the certificate to the disk and won’t affect anything else.

2. Download OpenSSL

The easiest way to get a compiled version that you can trust is authentic is to download FileZilla and get it from the program files. After you have the OpenSSL program files, create an OpenSSL program directory at C:\Program Files. Then, copy the program files to C:\Program Files\OpenSSL\

3. Add a Task to Windows Task Scheduler

Save the script below as a .bat file and then create a task in Windows Task Scheduler to run about once a month that will execute the script below.

@echo off

set certDirectory=C:\ProgramData\Certify\certes\assets\pfx\

cd %certDirectory%

:: Remove Old Certificate Files
forfiles /p %certDirectory% /s /m *.* /c "cmd /c Del @path" /d -5

:: Get certificate file name
FOR %%F IN (%certDirectory%*.pfx) DO (
 set filename=%%F
 goto done
)

:done

:: Get certificate files
"C:\Program Files\OpenSSL\openssl.exe" pkcs12 -in %filename% -nocerts -nodes -passin pass: -out  %certDirectory%idrac.key
"C:\Program Files\OpenSSL\openssl.exe" pkcs12 -in %filename% -chain -nokeys -nodes -passin pass: -out  %certDirectory%idrac.cer

:: Install on iDRAC
racadm sslkeyupload -t 1 -f  %certDirectory%idrac.key
racadm sslcertupload -t 1 -f %certDirectory%idrac.cer

:: Restart iDRAC (wont reboot server)
racadm racreset

exit

And that’s it! Your iDRAC card will now use a Lets Encrypt SSL certificate when you access it. Below I included some issues I encountered as well as what I did to fix them.

Notes:

  1. iDRAC cards will only use an RSA SSL certificate.
  2. Make sure that the time your SSL certificate renews and the task scheduled to upload the certificate to the iDRAC is less than 4 days apart. The script will delete anything in C:\ProgramData\Certify\certes\assets\pfx\ that’s older than 5 days.
  3. The script must be run as an admin in order to upload SSL certificates to iDRAC.
  4. Make the scheduled task run as a user that has admin rights.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.