Can a DRAC5 accept a self signed SSL certificate?

Kaj Niemi kajtzu at basen.net
Sat Apr 12 10:10:55 CDT 2008


Hi,


We have a similar setup. It does work great (much better than how the HP ILO cert system works) and I haven't had any issues with the DRACs accepting our signed certs. The DRAC generates PEM CSRs and expects the signed certs in PEM format as well.

The certs we issue for DRACs look like the one below (generated today for a new system).

Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 48 (0x30)
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: CN=BaseN Corporation FI CA, O=BaseN, C=FI
         Validity
             Not Before: Apr 12 14:45:12 2008 GMT
             Not After : Apr 11 14:45:12 2013 GMT
         Subject: C=FI, ST=-, L=Espoo, O=BaseN Corporation, OU=Technology, CN=[BMC FQDN]
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (1024 bit)
                 Modulus (1024 bit):
                     [modulus]
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Key Usage:
                 Digital Signature, Non Repudiation, Key Encipherment
             X509v3 Extended Key Usage:
                 TLS Web Server Authentication
             Netscape CA Revocation Url:
                 http://ca.fi.basen.net/crl-v1.crl
             X509v3 Subject Key Identifier:
                 FD:F3:93:82:AB:71:4F:24:FC:46:E9:6C:FF:DC:2B:73:94:6F:D0:51
             X509v3 Authority Key Identifier:
                 keyid:7B:AB:AA:6D:43:E4:B6:26:5C:03:F1:2C:3B:35:18:60:DC:DD:AE:F9
                 DirName:/C=FI/O=BaseN/OU=Technology/CN=BaseN Corporation Root CA 1
                 serial:01

             Authority Information Access:
                 CA Issuers - URI:http://ca.fi.basen.net/ca.crt

             X509v3 CRL Distribution Points:
                 URI:http://ca.fi.basen.net/crl-v2.crl

             X509v3 Certificate Policies:
                 Policy: 1.1.1.1.1
                   CPS: http://ca.fi.basen.net/CPS
                   User Notice:
                     Explicit Text: Limited Liability, see http://ca.fi.basen.net/CP

             X509v3 Issuer Alternative Name:
                 email:ca at fi.basen.net
     Signature Algorithm: sha1WithRSAEncryption
         [signature]


There seem to be some notable differences between our and your certificates:

1. Your certificate states that it is a CA certificate. My understanding of X.509 is that the basic constraints critical extension specifying CA is only needed for the CA certificate itself and not for the certificates signed by the CA (please refer to RFC 3280 section 4.2.1.10). I am not sure if that is the problem or not as we do not insert that section in end system certificates.

2. We fill in the Key Usage and Extended Key Usage sections for the type of certificate we use.

I'm not sure if you're using the web gui or command line (racadm) to upload the certificate but in my experience Dell tools seem to be a bit more verbose on the command line about their errors.


:)


On Apr 12, 2008, at 00:42, W Sanders wrote:

> I have an internal CA I have set up to allow users to accept one
> internal trusted cert and then all browsers certs will work when signed
> with that cert, and users won't be pestered with "Accept Cert?"
> messages.
>
> This procedure works fine with Apache but I have not been able to
> generate a certificate that the DRAC5 accepts, I get "Attempted to
> upload an invalid certificate" every time,
>
> My cert is generated with this command:
> openssl x509 -req -in csr.txt -out DRACcert.pem -md5 -extfile ./CAextfile -signkey private/cakey.pem -days 3650
>
> csr.txt is the CSR generated by the DRAC and my CA private key is
> "private/cakey.pem". The extfile contains the extensions
> basicConstraints=critical,CA:TRUE which are required by Apache, but the
> DRAC also rejects the cert if these extensions are omitted.
>
> So, has anyone ever gotten the DRAC to accept a self-signed cert?
>
> Thanks
>
> -Wiley Sanders
> http://wsanders.net
>
> Parameters of the generated cert are as follows (output of "openssl
> x509 -in  DRACcert.pem -text"):
>
> Certificate:
>    Data:
>        Version: 3 (0x2)
>        Serial Number:
>            9a:2d:7d:38:11:41:f1:99
>        Signature Algorithm: md5WithRSAEncryption
>        Issuer: [CN goes here, should not matter.]
>        Validity
>            Not Before: Apr 11 21:10:08 2008 GMT
>            Not After : Apr  9 21:10:08 2018 GMT
>        Subject: [CN goes here, should not matter]...
>        Subject Public Key Info:
>            Public Key Algorithm: rsaEncryption
>            RSA Public Key: (1024 bit)
>                Modulus (1024 bit):
>                    ...
>                Exponent: 65537 (0x10001)
>        X509v3 extensions:
>            X509v3 Basic Constraints: critical
>                CA:TRUE
>    Signature Algorithm: md5WithRSAEncryption
>
>
>
>
> _______________________________________________
> Linux-PowerEdge mailing list
> Linux-PowerEdge at dell.com
> http://lists.us.dell.com/mailman/listinfo/linux-poweredge
> Please read the FAQ at http://lists.us.dell.com/faq




HTH

Kaj
-- 
Kaj J. Niemi
<kajtzu at basen.net>
+358 45 63 12000
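Worked example (added here, not from either poster): the end-entity profile Kaj describes (no CA:TRUE, explicit Key Usage and Extended Key Usage for a TLS server) written as an openssl extfile, plus a throwaway CA and a locally generated CSR that stands in for the one a DRAC would produce. The CN bmc.example.invalid, the Example CA names and the $WORK directory are assumptions; whether a DRAC5 accepts exactly this profile is not verified by the script, it only checks that the issued cert chains to the CA, carries no CA flag, and holds the CSR's public key.

```bash
#!/bin/sh
# Added example: issue an end-entity TLS server cert for a BMC from a
# private CA. Not code from the thread; names and paths are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Extension file for an end-entity (server) certificate, mirroring the
# Key Usage / Extended Key Usage of the BaseN cert in the thread and
# stating CA:FALSE instead of CA:TRUE (RFC 3280 4.2.1.10).
write_extfile() {
cat > "$WORK/drac.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# Throwaway internal CA (assumed names).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/C=XX/O=Example/CN=Example Internal CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# Stand-in for the CSR the DRAC generates (its own key pair, PEM CSR).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=XX/O=Example/OU=Technology/CN=bmc.example.invalid" \
    -keyout "$WORK/drackey.pem" -out "$WORK/csr.txt" 2>/dev/null
}

# Sign the CSR with the CA key (-CA/-CAkey), applying the extfile.
sign_csr() {
  openssl x509 -req -in "$WORK/csr.txt" -sha256 -days 1825 \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -extfile "$WORK/drac.ext" -out "$WORK/DRACcert.pem" 2>/dev/null
}

# 0 if the cert chains to the CA and does not claim to be a CA itself.
verify_cert() {
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/DRACcert.pem" >/dev/null 2>&1 || return 1
  ! openssl x509 -in "$WORK/DRACcert.pem" -noout -text | grep -q 'CA:TRUE'
}

# 0 if the cert's public key is the CSR's, i.e. the BMC's own key.
pubkey_matches_csr() {
  a=$(openssl x509 -in "$WORK/DRACcert.pem" -noout -pubkey)
  b=$(openssl req -in "$WORK/csr.txt" -noout -pubkey)
  [ "$a" = "$b" ]
}

# Full procedure; returns non-zero if any step or check fails.
issue_drac_cert() {
  write_extfile && make_ca && make_csr && sign_csr && verify_cert && pubkey_matches_csr
}

issue_drac_cert && echo "issued $WORK/DRACcert.pem (inspect with: openssl x509 -in $WORK/DRACcert.pem -noout -text)"
```

The script signs with -CA/-CAkey rather than the -signkey form quoted in the thread: with -signkey, openssl x509 -req emits a self-signed certificate whose public key is the signing key's, so the result would not match the key pair the BMC generated the CSR for; the pubkey_matches_csr check is there to catch exactly that.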


