EE Certificate Too Weak

If you are using some monitoring tools like Nagios, you might have run into this error – Cannot verify certificate: EE Certificate Too Weak. It means that the matching key is too short for todays standards. I found it myself when having SSL certificate check watching for expiring certs on iDRAC interface of Dell R510.

What is funny that it was happening only for 2 out of 3 of them and it wasn’t fixed by upgrading to the latest iDRAC version. You can’t set the key size from the web interface either. You need to use racadm either locally or via SSH session to iDRAC itself. First lets check the key size that’s currently set:

/admin1-> racadm getconfig -g cfgracsecurity -o cfgRacSecCsrKeySize

And then change it to bigger value and confirm:

/admin1-> racadm config -g cfgRacSecurity -o cfgRacSecCsrKeySize 2048
Object value modified successfully
/admin1-> racadm getconfig -g cfgracsecurity -o cfgRacSecCsrKeySize

After that you are ready to generale CSR again, this time with a longer key. Please note that this significantly increases time required for that task to finish, but it doesn’t affect performance of iDRAC interface later.