2018/03/06

Automatically renew internal SSL certificates (DRAC and Windows)

A bunch of our DRACs have certificates that are about to expire.  I know I could go in and generate a new CSR in each web interface, copy them into the AD Certificate Services, and upload the results (that's how the previous admin did it) but... I'm lazy.

Plus, new certificates generated that way still give a big warning since Chrome 58 -- they don't have the X509v3 SAN extension, which is now mandatory apparently.

C:\> "\Program Files\Dell\SysMgt\rac5\racadm.exe" -r dracname.dom.ain -u root -p redacted sslcsrgen -g -f dracname.dom.ain.csr
Security Alert: Certificate is invalid - Name on Certificate is invalid or does not match site name
Continuing execution. Use -S option for racadm to stop execution on certificate-related errors.
CSR generated and downloaded from RAC successfully

C:\> certreq -submit -attrib "san:dns=dracname.dom.ain\nCertificateTemplate: WebServer" dracname.dom.ain.csr dracname.dom.ain.crt
Active Directory Enrollment Policy
  {BFF41397-4CCE-41B5-AD8E-A029B2C2353B}
  ldap:
RequestId: 104238
RequestId: "104238"
Certificate retrieved(Issued) Issued  The certificate validity period will be shorter than the WebServer Certificate Template specifies, because the template validity period is longer than the maximum certificate validity period allowed by the CA.  Consider renewing the CA certificate, reducing the template validity period, or increasing the registry validity period.

C:\> "\Program Files\Dell\SysMgt\rac5\racadm.exe" -r dracname.dom.ain -u root -p redacted sslcertupload -t 1 -f dracname.dom.ain.crt
Security Alert: Certificate is invalid - Name on Certificate is invalid or does not match site name
Continuing execution. Use -S option for racadm to stop execution on certificate-related errors.
Certificate successfully uploaded to the RAC. The RAC will now
reset to enable the new certificate and may be offline temporarily.

C:\> "\Program Files\Dell\SysMgt\rac5\racadm.exe" -r dracname.dom.ain -u root -p redacted sslcertview -t 1
Serial Number            : redacted

Subject Information:
Country Code (CC)        : AU
State (S)                : Some-State
Locality (L)             : MyTown
Organization (O)         : Internet Widgits Pty Ltd
Organizational Unit (OU) : World Wide Web Pty Ltd
Common Name (CN)         : *.dom.ain

Issuer Information:
Common Name (CN)         : AD DOM.AIN Root Trust CA

Valid From               : Mar  6 16:01:02 2018 GMT
Valid To                 : Nov  6 15:13:19 2019 GMT

And the warning goes away for another year. And it took me less time to figure out how to automate it (throw the above commands into a .bat) than it would have to loop through all of them with a browser!

--Joe
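The same three steps looped over several DRACs, as an added PowerShell example rather than the author's own .bat. It assumes the racadm 5.x path shown in the post, the "WebServer" template, the DRAC user "root", a DRAC_PASSWORD environment variable set beforehand, and a constructed host list; it also checks the issued certificate's SAN and expiry before uploading, which the post does by eye with sslcertview.

```powershell
# Added example, not the author's .bat: loop the three-step DRAC renewal over a list of hosts.
# Assumptions: racadm 5.x at the path below, the "WebServer" template, DRAC user "root",
# and the DRAC password in the DRAC_PASSWORD environment variable (not hard-coded in the script).
$racadm   = "C:\Program Files\Dell\SysMgt\rac5\racadm.exe"
$template = "WebServer"
$dracUser = "root"
$dracPass = $env:DRAC_PASSWORD
$dracs    = @("drac01.dom.ain", "drac02.dom.ain")   # constructed host list

foreach ($drac in $dracs) {
    $csr = "$drac.csr"
    $crt = "$drac.crt"

    # Step 1: have the DRAC generate a CSR and download it. The DRAC's current certificate fails
    # the name check, so racadm's -S (stop on certificate errors) cannot be used until after the upload.
    & $racadm -r $drac -u $dracUser -p $dracPass sslcsrgen -g -f $csr
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $csr)) { Write-Warning "${drac}: CSR generation failed"; continue }

    # Step 2: submit to AD CS, adding the SAN the DRAC CSR lacks. certreq reads the literal "\n" as the
    # attribute separator, so this stays a PowerShell double-quoted string, not a backtick-n newline.
    & certreq -submit -attrib "san:dns=$drac\nCertificateTemplate: $template" $csr $crt
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $crt)) { Write-Warning "${drac}: CA did not issue a certificate"; continue }

    # Step 3: inspect the issued certificate before touching the DRAC: the SAN must carry this host's name,
    # and the certificate must not already be near expiry (the CA clips validity to its own lifetime).
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ((Resolve-Path $crt).Path)
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }   # subjectAltName
    if (-not $sanExt -or $sanExt.Format($false) -notmatch [regex]::Escape($drac)) {
        Write-Warning "${drac}: issued certificate has no SAN entry for $drac, not uploading"; continue
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "${drac}: issued certificate expires $($cert.NotAfter), check CA validity"; continue
    }

    # Step 4: upload; the DRAC resets its web server and is briefly unreachable afterwards.
    & $racadm -r $drac -u $dracUser -p $dracPass sslcertupload -t 1 -f $crt
    if ($LASTEXITCODE -ne 0) { Write-Warning "${drac}: upload failed"; continue }
    Write-Host "${drac}: renewed, valid to $($cert.NotAfter)"
}
```

Once a DRAC carries the new certificate, subsequent racadm calls against it can add -S so that a name or trust mismatch stops the script instead of printing the "Continuing execution" warning.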