Created
February 20, 2018 05:51
-
-
Save PsychoData/dc48c08efb34a3d7cd7383bf77e5d868 to your computer and use it in GitHub Desktop.
A Script to generate, sign. and upload an SSL cert to an Dell iDRAC for http://www.contoso.one/2018/02/updating-idrac-ssl-certs-through.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Requires -Version 5 | |
| #region Requirements | |
| #Make sure you have DRAC tools installed, including racadm https://www.dell.com/support/home/us/en/4/Drivers/DriversDetails?driverId=K7F2N | |
| If (!$(get-command racadm.exe -ErrorAction SilentlyContinue)) {Write-Host "Exiting, racadm does not exist"; Exit } | |
| If (!$(get-command certreq.exe -ErrorAction SilentlyContinue)) {Write-Host "Exiting, certreq does not exist. Please install Certificate services tools."; Exit } | |
| #endregion | |
| $IP = '192.168.100.215' #Hostname also works if DNS is already setup | |
| $idraccred = Get-Credential -Message "Please provide iDrac Login for $IP" | |
| $idracuser = $idraccred.GetNetworkCredential().UserName | |
| $idracpass = $idraccred.GetNetworkCredential().Password | |
| $svcTag = $(& racadm.exe -r $IP -u $idracuser -p $idracpass getsvctag ).trim() -replace '[^a-zA-Z0-9]', '' #Get output, remove all spaces and smash together all letters and numbers | |
| $svcTag = ($svcTag -match "^([A-Z0-9]{7})$")[-1] #Match each grouping of seven letters and numbers (like a service tag) and take the last one from the end, which should always be the service tag | |
| $idracName = "idrac-$svcTag" | |
| $domName = 'domain.local' | |
| $CAname = 'CA.domain.local\CA1-CA' | |
| $CSRContactEmail = 'IT@contoso.one' | |
| $CSROrgname = 'Consoto One' | |
| $CsrCountryCode = 'US' | |
| $csrLocality = 'Asheville' | |
| $csrState = 'NC' | |
| #Not really needed, but I'll set them to keep everything neat | |
| & racadm.exe -r $IP -u $idracuser -p $idracpass set iDRAC.NIC.DNSRacName $idracName | |
| & racadm.exe -r $IP -u $idracuser -p $idracpass set iDRAC.NIC.DNSDomainName $domName | |
| #Setup CSR Fields | |
| $idracoptions = @" | |
| [iDRAC.Security] | |
| CsrCommonName=$idracName.$domName | |
| CsrCountryCode=$CsrCountryCode | |
| CsrEmailAddr=$CSRContactEmail | |
| CsrKeySize=2048 | |
| CsrOrganizationName=$CSROrgname | |
| CsrOrganizationUnit=IT | |
| CsrLocalityName=$csrLocality | |
| CsrStateName=$csrState | |
| "@ | |
| Out-File "$env:temp\$idracName.cfg" -InputObject $idracoptions -Encoding ascii | |
| & racadm.exe -r $IP -u $idracuser -p $idracpass set -f "$env:temp\$idracName.cfg" | |
| #region separate racadm commands to apply this config file's settings individually | |
| # # & racadm.exe -r $IP -u $idracuser -p $idracpass set iDRAC.Security.CsrCommonName $idracName.$domName | |
| # # & racadm.exe -r $IP -u $idracuser -p $idracpass set iDRAC.Security.CsrCountryCode US | |
| # # & racadm.exe -r $IP -u $idracuser -p $idracpass set iDRAC.Security.CsrEmailAddr $CSRContactEmail | |
| # # & racadm.exe -r $IP -u $idracuser -p $idracpass set iDRAC.Security.CsrKeySize 2048 | |
| # # & racadm.exe -r $IP -u $idracuser -p $idracpass set iDRAC.Security.CsrOrganizationName $CSROrgname | |
| # # & racadm.exe -r $IP -u $idracuser -p $idracpass set iDRAC.Security.CsrOrganizationUnit IT | |
| # # & racadm.exe -r $IP -u $idracuser -p $idracpass set iDRAC.Security.CsrLocalityName $csrLocality | |
| # # & racadm.exe -r $IP -u $idracuser -p $idracpass set iDRAC.Security.CsrStateName $csrState | |
| #endregion | |
| #Make sure we have our scratch directory to work in | |
| If ( (Test-Path "$env:TEMP\Powershellssl\") -eq $false ) { New-Item -ItemType Directory -Path "$env:TEMP\Powershellssl\"} | |
| #Build Filenames and have the idrac Generate the Cert | |
| $csrPath = Join-Path "$Env:TEMP\PowerShellSSL\" -ChildPath ("$idracName-" + $( Get-Date -f "yyyyMMdd") + ".csr" ) | |
| $outCert = Join-Path "$Env:TEMP\PowerShellSSL\" -ChildPath ("$idracName-" + $( Get-Date -f "yyyyMMdd") + ".cer" ) | |
| & racadm -r $IP -u $idracuser -p $idracpass sslcsrgen -g -f $csrPath | |
| #Sign the cert signing request with certreq | |
| & certreq.exe -config $CAname -attrib ""CertificateTemplate:WebServer"" $csrPath $outCert | |
| #Upload Signed cert to iDRAC | |
| & racadm.exe -r $IP -u $idracuser -p $idracpass sslcertupload -t 1 -f $outCert | |
| #Reload the idrac to have the fresh SSL cert show. | |
| & racadm.exe -r $IP -u $idracuser -p $idracpass racreset #Reset as in Reload, not reset settings. racresetcfg will reset the settings too | |
Looks like this might have a good walkthrough
https://theitbros.com/the-rpc-server-is-unavailable-0x800706ba/
But beyond those suggestions - if you have questions, are having problems, or just want to chat over something, for the best response you can reach me and several other IT Pros on the WinAdmins Discord as @PsychoData
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
tough to say - could be trouble with resolving the CA name or Network connectivity to it.
I've also seen some similar problems from DCOM with CA services in some cases when the account doesn't have privileges to register the certificate
Make sure you're
Certutil -Pingto see if it can talk to the CA