Login Type | Certificate Type | How to Obtain
 | | SHA-2 certificates are also supported.
Local User login | SSL Certificate | Generate a CSR and get it signed from a trusted CA. NOTE: iDRAC ships with a default self-signed SSL server certificate. The iDRAC Web server, Virtual Media, and Virtual Console use this certificate. SHA-2 certificates are also supported.

Related links
SSL server certificates
Generating a new certificate signing request

SSL server certificates

iDRAC includes a Web server that is configured to use the industry-standard SSL security protocol to transfer encrypted data over a network. Built upon asymmetric encryption technology, SSL is widely accepted for providing authenticated and encrypted communication between clients and servers to prevent eavesdropping across a network.

An SSL-enabled system can perform the following tasks:
• Authenticate itself to an SSL-enabled client
• Allow the two systems to establish an encrypted connection

The encryption process provides a high level of data protection. iDRAC employs the 128-bit SSL encryption standard, the most secure form of encryption generally available for Internet browsers in North America.

iDRAC Web server has a Dell self-signed unique SSL digital certificate by default. You can replace the default SSL certificate with a certificate signed by a well-known Certificate Authority (CA). A Certificate Authority is a business entity that is recognized in the Information Technology industry for meeting high standards of reliable screening, identification, and other important security criteria. Examples of CAs include Thawte and VeriSign. To initiate the process of obtaining a CA-signed certificate, use either iDRAC Web interface or RACADM interface to generate a Certificate Signing Request (CSR) with your company’s information. Then, submit the generated CSR to a CA such as VeriSign or Thawte. The CA can be a root CA or an intermediate CA.
After you receive the CA-signed SSL certificate, upload this to iDRAC.

For each iDRAC to be trusted by the management station, that iDRAC’s SSL certificate must be placed in the management station’s certificate store. Once the SSL certificate is installed on the management stations, supported browsers can access iDRAC without certificate warnings.

You can also upload a custom signing certificate to sign the SSL certificate, rather than relying on the default signing certificate for this function. By importing one custom signing certificate into all management stations, all the iDRACs using the custom signing certificate are trusted. If a custom signing certificate is uploaded when a custom SSL certificate is already in-use, then the custom SSL certificate is disabled and a one-time auto-generated SSL certificate, signed with the custom signing certificate, is used. You can download the custom signing certificate (without the private key). You can also delete an existing custom signing certificate. After deleting the custom signing certificate, iDRAC resets and auto-generates a new self-signed SSL certificate. If a self-signed certificate is regenerated, then the trust must be re-established between that iDRAC and the management workstation. Auto-generated SSL certificates are self-signed and have an expiration date of seven years and one day and a start date of one day in the past (for different time zone settings on management stations and the iDRAC).

The iDRAC Web server SSL certificate supports the asterisk character (*) as part of the left-most component of the Common Name when generating a Certificate Signing Request (CSR). For example, *.qa.com, or *.company.qa.com. This is called a wildcard certificate. If a wildcard CSR is generated outside of iDRAC, you can have a signed single wildcard SSL certificate that you can
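
To see which management hostnames a wildcard Common Name such as *.qa.com actually covers, the following added example (not part of the Dell guide) checks a CN against an inventory. It assumes the usual browser matching rule that the asterisk stays within the left-most component and never spans a dot; the function names and the hostnames are constructed for illustration.

```python
# Added example (not from the Dell guide): which management hostnames a
# wildcard Common Name covers, using the usual browser rule that '*' stays
# inside the left-most label. Hostnames below are constructed samples.

def _labels(name):
    labels = name.lower().rstrip(".").split(".")
    if not all(labels):
        raise ValueError(f"empty label in {name!r}")
    return labels


def validate_wildcard_cn(cn):
    """Accept '*' only once, and only in the left-most component."""
    labels = _labels(cn)
    if any("*" in label for label in labels[1:]):
        raise ValueError(f"'*' outside the left-most component: {cn!r}")
    if labels[0].count("*") > 1:
        raise ValueError(f"more than one '*': {cn!r}")
    return labels


def cn_matches(cn, hostname):
    """True if a certificate issued for `cn` is valid for `hostname`."""
    cn_labels = validate_wildcard_cn(cn)
    try:
        host_labels = _labels(hostname)
    except ValueError:
        return False
    # '*' never spans a dot, so label counts and all parent labels must agree.
    if len(cn_labels) != len(host_labels) or cn_labels[1:] != host_labels[1:]:
        return False
    left, host_left = cn_labels[0], host_labels[0]
    if "*" not in left:
        return left == host_left
    prefix, suffix = left.split("*")
    return (len(host_left) >= len(prefix) + len(suffix)
            and host_left.startswith(prefix) and host_left.endswith(suffix))


def coverage(cn, inventory):
    """Split an inventory of hostnames into (covered, not_covered) lists."""
    covered = [h for h in inventory if cn_matches(cn, h)]
    return covered, [h for h in inventory if h not in covered]


INVENTORY = [  # constructed sample hostnames
    "idrac-r740.qa.com", "IDRAC-R640.QA.COM", "rack1.idrac.qa.com",
    "qa.com", "idrac.company.qa.com",
]

if __name__ == "__main__":
    for cn in ("*.qa.com", "*.company.qa.com"):
        print(cn, coverage(cn, INVENTORY))
```

Hostnames reported as not covered would still produce a certificate warning on the management station and need their own certificate or a CN at the matching level.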