
Secure boot an OS template ISO for Dell PowerEdge Generation 14 and 15

Available from 7.2


  • Supported iDRAC: iDRAC9 and iDRAC10.
  • BIOS: Ensure the server BIOS is up to date when using ISOs signed by recent CAs (for example, the 2023 Microsoft UEFI CA).
  • Tools required: osslsigncode, a host able to mount ISO images, and MetalSoft web UI or CLI access.

Confirm these Secure Boot settings in iDRAC for each target server:

  • Secure Boot: Enabled
  • Secure Boot Policy: Standard
  • Secure Boot Mode: Deployed Mode

Also confirm the server BIOS is updated to include the CA used to sign the ISO.


Signing the ISO with a trusted CA improves acceptance by Secure Boot. Follow Microsoft or your CA vendor documentation for signing UEFI boot files and creating a signed ISO. When using a CA newer than the server firmware supports, update firmware first.


Extract the image certificate serial from the ISO

  1. Mount the ISO on a host (local machine or temporary VM).
  2. Change to the EFI boot folder on the mounted ISO, for example:
         cd /mnt/iso/efi/boot
  3. Run osslsigncode to inspect the EFI binary signature:
         osslsigncode verify -in bootx64.efi
  4. In the output, locate the signer block (for example Signer #1) and copy the Serial value. That serial is the Image Certificate Serial Number to paste into MetalSoft.

Example signer excerpt:

Signer #1:
Subject: /C=US/O=Microsoft Corporation/CN=Windows UEFI CA 2023
Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010
Serial : 330000001A888B9800562284C100000000001A
  1. Upload the signed ISO to your MetalSoft repository.
  2. Create or edit the OS template: open the OS template, click Configuration, paste the Image Certificate Serial Number into Image Certificate Serial Number, and click Update OS Template.
  3. Change the OS template ISO name, path and location to point to the signed ISO you uploaded:
    3.1. Click Assets, click the ISO asset, and under Overview click the pencil icon next to Name and Path to update them.
    3.2. Click Content, paste the new URL and click Save.
  4. Validate by provisioning a test server or running a dry-run to confirm Secure Boot acceptance.

  • If Secure Boot fails on the server, verify BIOS and iDRAC firmware include the CA used to sign the ISO.
  • If osslsigncode reports verification errors, ensure the host CA bundle contains the issuer chain; the serial value is still extractable.
  • For repeatable workflows, script the mount → inspect → extract steps and validate the serial before uploading the ISO.
  • osslsigncode may show timestamp or PKCS7 verification errors if the local CA bundle does not contain the full issuer chain. The verification status does not affect the ability to read the Serial field; the serial remains visible in the signer block and is the value required for MetalSoft configuration.
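
One way to script the mount → inspect → extract steps and validate the serial, as an added example that is not part of the MetalSoft documentation or tooling. The function names and the sample text are assumptions made here, and the parser assumes the output follows the layout of the signer excerpt above.

```shell
#!/bin/sh
# Added example: pull the signer serial out of `osslsigncode verify` output.

# Constructed sample: the signer excerpt from this page followed by a failed
# verification status, as seen when the local CA bundle lacks the issuer chain.
SAMPLE_OUTPUT='Signer #1:
  Subject: /C=US/O=Microsoft Corporation/CN=Windows UEFI CA 2023
  Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010
  Serial : 330000001A888B9800562284C100000000001A
Signature verification: failed'

# Read verify output on stdin; print the first signer's serial in upper case.
extract_serial() {
    awk '
        /^[ \t]*Signer #[0-9]+:/ { in_signer = 1; next }
        in_signer && /^[ \t]*Serial[ \t]*:/ {
            sub(/^[^:]*:/, "")        # drop the "Serial :" label
            gsub(/[ \t\r]/, "")       # drop padding and any CR
            print toupper($0)
            exit
        }'
}

# Accept only a non-empty hex string of at most 40 digits (20 octets,
# the RFC 5280 limit for certificate serial numbers).
validate_serial() {
    case "$1" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#1}" -le 40 ]
}

# Mount -> inspect -> extract for a real ISO (needs root for the loop mount).
serial_from_iso() {
    mnt=$(mktemp -d) || return 1
    mount -o loop,ro "$1" "$mnt" || { rmdir "$mnt"; return 1; }
    efi=$(find "$mnt" -ipath '*/efi/boot/bootx64.efi' | head -n 1)
    # A non-zero verify status is ignored here: the serial is still printed.
    serial=$(osslsigncode verify -in "$efi" 2>&1 | extract_serial)
    umount "$mnt"; rmdir "$mnt"
    validate_serial "$serial" || { echo "no usable serial in $1" >&2; return 1; }
    printf '%s\n' "$serial"
}

# Demo on the constructed sample; for a real image: serial_from_iso signed.iso
printf '%s\n' "$SAMPLE_OUTPUT" | extract_serial
```

Compare the printed value with the Image Certificate Serial Number set in the OS template before uploading the ISO.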