I have a problem that I think can only be really solved via DRAC software enhancement but I thought I'd ask anyway...
First I'll start by outlining my requirements:

1) The SSL cert on the DRAC must be signed by a trusted authority (in this case, an internal US government CA); i.e. not self-signed.
2) TLS servers MUST provide the chain (per RFC 5246, <https://tools.ietf.org/html/rfc5246>).
3) Occasionally the chain must be updated, independently from the server cert (CA cert updates).

As far as I can tell, the ONLY way to get the DRAC to provide the TLS chain along with the cert is to append the chain to the server cert before uploading it to the DRAC. Correct? This seems to work for me; i.e. the DRAC accepts the cert as valid, and it provides the entire chain when connecting.

However, 3) is problematic. Recently, one of the CAs in my chain released an update to their cert. I verified that the new CA cert has the same Subject Key Identifier (SKI) and Authority Key Identifier (AKI) as the previous cert. So I updated my text chain file (server cert, plus CA chain appended) and attempted to upload it to the DRAC (both via the WebUI, and via racadm sslcertupload). However, the DRAC claims the certificate is invalid. I also tried simply uploading the server's cert ONLY (no chain appended) -- this *also* failed with the same error (invalid cert).

I'm *guessing* that the DRAC only allows you to upload a server cert *after* first generating a CSR. However, in this case, I don't need a new cert -- the old one is still valid. So there's no reason to generate a CSR (and in fact, I'm not sure my internal CA folks will sign a new cert under these circumstances).

So again, what I need is a way to update the CA chain without changing the server cert. Is that possible?
_______________________________________________ Linux-PowerEdge mailing list [email protected] https://lists.us.dell.com/mailman/listinfo/linux-poweredge
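An added example (shell with openssl; not from the original post or from Dell) that walks the workflow described above: checking that a re-issued CA cert keeps the same SKI and AKI as the one it replaces, rebuilding the server-cert-plus-chain PEM bundle for upload, and verifying that bundle against the trusted root. The test PKI it builds and every file name in it are constructed for the example.

```shell
# Added example, not from the original post or from Dell. Exercises the poster's
# workflow with openssl: check that a re-issued CA cert keeps the same SKI/AKI,
# then rebuild the "server cert + CA chain" PEM bundle and verify it end to end.
set -eu

# Hex key identifier from an -ext query (handles 1.1.1's "keyid:" prefix and 3.x's bare form).
key_id() { openssl x509 -in "$1" -noout -ext "$2" 2>/dev/null | grep -Eo '([0-9A-F]{2}:)+[0-9A-F]{2}' | head -n 1; }

# A re-issued CA cert is a drop-in replacement only if both identifiers are unchanged:
# same SKI keeps the server cert's AKI pointing at it, same AKI keeps it under the same parent.
same_key_ids() {
  [ "$(key_id "$1" subjectKeyIdentifier)" = "$(key_id "$2" subjectKeyIdentifier)" ] &&
  [ "$(key_id "$1" authorityKeyIdentifier)" = "$(key_id "$2" authorityKeyIdentifier)" ]
}

# Bundle for upload: server cert first, then the CA certs, leaf side first.
build_bundle() { out=$1; shift; cat "$@" > "$out"; }

# Validate the bundle: first cert is the leaf, the rest are untrusted intermediates, $2 is the trusted root.
verify_bundle() {
  openssl x509 -in "$1" -out "$1.leaf" 2>/dev/null      # x509 reads only the first PEM block
  openssl verify -CAfile "$2" -untrusted "$1" "$1.leaf" >/dev/null 2>&1
}
# Throwaway test PKI (constructed, all names hypothetical): root -> intermediate -> server,
# plus the intermediate re-issued from the same CSR, which is what a CA cert update looks like.
make_test_pki() {
  d=$1; mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$d/leaf.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=Test Root' -days 30 \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 30 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 60 -extfile "$d/ca.ext" -out "$d/inter-new.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=drac.example.test' \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
    -days 30 -extfile "$d/leaf.ext" -out "$d/server.pem" 2>/dev/null
}

if [ "${1:-}" = demo ]; then
  d=$(mktemp -d); make_test_pki "$d"
  same_key_ids "$d/inter.pem" "$d/inter-new.pem" && echo "re-issued intermediate keeps SKI/AKI"
  build_bundle "$d/bundle.pem" "$d/server.pem" "$d/inter-new.pem" "$d/root.pem"
  verify_bundle "$d/bundle.pem" "$d/root.pem" && echo "bundle verifies against root"
fi
```

Run it as `sh example.sh demo` to see both checks pass on the throwaway PKI; point `same_key_ids` and `build_bundle` at your own old CA cert, new CA cert and server cert to repeat the poster's pre-upload check.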
