<div dir="ltr"><div dir="ltr">Based on the community call discussion, the team's decision is to use a new URL for managing Root CA certificates in general. <br></div><div dir="ltr"><br>The below proposal is based on the existing BMC use case of uploading Root CA certificates to a common place, with applications configured to use this path for application-specific validation purposes. <br><br>Note: The scope of the below proposal is limited to the Redfish side; the Certificate Manager (backend) implementation is covered here.<br><br>Root CA Certificate (<a href="https://en.wikipedia.org/wiki/Root_certificate">https://en.wikipedia.org/wiki/Root_certificate</a>) Upload Proposal:<br><br>Design approach: Extend the existing Certificate schema (DMTF DSP2046 v2018.3).<br><br>Proposed URI for Root CA certificates: <b>/redfish/v1/Managers/{ManagerId}/Truststore/Certificates/{CertificateId}</b><br><br><b>Root CA certificate management flow:</b><br><br>Installing a new certificate:<br><ul><li>The user navigates to the Managers Certificate Collection that is subordinate to the “Truststore” object.</li><li>The user performs a POST on the Certificate collection with the certificate string in the body.</li></ul><br>Replacing a certificate:<br><ul><li>Use the existing action #CertificateService.ReplaceCertificate.<ul><li>Note: Most users want to delete invalid certificates instead of replacing them.</li></ul></li></ul><br><b>Deleting certificates</b></div><div dir="ltr">This option is required for deleting invalid/expired/compromised certificates. The existing CertificateService schema doesn’t support deleting installed certificates. Also, the “deletable” option is disabled (deletable = false) in the CertificateCollection schema (<a href="https://redfish.dmtf.org/schemas/CertificateCollection.json">https://redfish.dmtf.org/schemas/CertificateCollection.json</a>). <br><ul><li>Need to work with the Redfish community to add support for a delete option for Root CA certificates.
</li></ul></div><div dir="ltr"><br></div><div>Looking for input from the community on the proposed certificate schema changes to support this feature.<br></div><div><br></div><div dir="ltr">I have already posted a question in the Redfish specification forum
(<a href="https://redfishforum.com/thread/169/certificate-management-ca-upload?page=1&scrollTo=553">https://redfishforum.com/thread/169/certificate-management-ca-upload?page=1&scrollTo=553</a>)
related to this a few months back to understand whether any work is in progress in this area. <br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Apr 29, 2019 at 6:22 PM Jayanth Othayoth <<a href="mailto:ojayanth@gmail.com">ojayanth@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">To configure a secured LDAP client in the BMC, a Redfish interface is required to upload the server's Root CA certificate to the BMC for the SSL handshake.<br><br>The latest version of the DMTF spec (DSP2046 v2018.3) Certificate schema supports the below URIs: <br><br>/redfish/v1/AccountService/Accounts/{ManagerAccountId}/Certificates/{CertificateId}<br>/redfish/v1/AccountService/ActiveDirectory/Certificates/{CertificateId}<br>/redfish/v1/AccountService/ExternalAccountProviders/{ExternalAccountProviderId}/Certificates/{CertificateId}<br>/redfish/v1/AccountService/LDAP/Certificates/{CertificateId}<br>/redfish/v1/Managers/{ManagerId}/NetworkProtocol/HTTPS/Certificates/{CertificateId}<br>/redfish/v1/Managers/{ManagerId}/RemoteAccountService/Accounts/{ManagerAccountId}/Certificates/{CertificateId}<br>/redfish/v1/Managers/{ManagerId}/RemoteAccountService/ActiveDirectory/Certificates/{CertificateId}<br>/redfish/v1/Managers/{ManagerId}/RemoteAccountService/ExternalAccountProviders/{ExternalAccountProviderId}/Certificates/{CertificateId}<br>/redfish/v1/Managers/{ManagerId}/RemoteAccountService/LDAP/Certificates/{CertificateId}<br><br>Currently the URI /redfish/v1/AccountService/LDAP/Certificates/{CertificateId} is used to upload LDAP client certificates.
<br><br>Ed, Ratan, can we use any of the existing URIs to upload the LDAP server Root CA certificate, or do we need to introduce a custom URI for this purpose?<br><br>I have already posted a question on the Redfish forum (<a href="https://redfishforum.com/thread/169/certificate-management-ca-upload?page=1&scrollTo=553" target="_blank">https://redfishforum.com/thread/169/certificate-management-ca-upload?page=1&scrollTo=553</a>) related to the general “authority” type certificate upload process, which can be used for this purpose. <br><br></div></div>
</blockquote></div>
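The install / replace / delete flow proposed in the thread, as an added Python example that is not part of this e-mail exchange or of the OpenBMC/bmcweb code. It assumes the proposed /redfish/v1/Managers/{ManagerId}/Truststore/Certificates collection, takes the ReplaceCertificate action target and its parameters (CertificateUri, CertificateString, CertificateType) from DSP2046 2018.3, and adds the check a truststore upload should make on the client side: refusing any certificate whose BasicConstraints extension does not assert cA=TRUE, since only CA certificates belong in a trust anchor store. The CA check is a lightweight DER scan, not a full X.509 parser; the two sample "certificates" are constructed stubs that carry only that extension (a real input is a complete root CA PEM); and the send() helper, the X-Auth-Token session header and the BMC host name are illustrative assumptions.

```python
"""Redfish client helpers for the proposed Managers/{ManagerId}/Truststore collection.
Added example: not the thread's or bmcweb's code.  Stdlib only."""
import base64
import json
import re
import ssl
import urllib.request

# Proposed in the thread (not in DSP2046 2018.3); the action target and its parameters are.
TRUSTSTORE = "/redfish/v1/Managers/{manager}/Truststore/Certificates"
REPLACE_ACTION = "/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate"

# id-ce-basicConstraints (OID 2.5.29.19) as a DER OBJECT IDENTIFIER: tag 06, len 03, 55 1d 13
_BASIC_CONSTRAINTS_OID = b"\x06\x03\x55\x1d\x13"
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----")


def pem_to_der(pem: str) -> bytes:
    """Accept exactly one PEM CERTIFICATE block and return its DER bytes."""
    blocks = _PEM_RE.findall(pem)
    if len(blocks) != 1:
        raise ValueError("expected exactly one CERTIFICATE block, got %d" % len(blocks))
    der = base64.b64decode("".join(blocks[0].split()), validate=True)
    if not der or der[0] != 0x30:          # an X.509 Certificate is a DER SEQUENCE
        raise ValueError("DER does not start with a SEQUENCE")
    return der


def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def _tlv(buf: bytes, i: int):
    """Decode one DER TLV header at offset i; return (tag, value_start, value_end)."""
    tag, length = buf[i], buf[i + 1]
    i += 2
    if length & 0x80:                      # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, i, i + length


def basic_constraints_ca(der: bytes):
    """True/False for the BasicConstraints cA flag, None if the extension is absent.
    Lightweight scan for the Extension SEQUENCE, not a full X.509 parser."""
    idx = der.find(_BASIC_CONSTRAINTS_OID)
    if idx < 2 or der[idx - 2] != 0x30:    # the OID must open an Extension SEQUENCE (short length)
        return None
    tag, start, end = _tlv(der, idx + len(_BASIC_CONSTRAINTS_OID))
    if tag == 0x01:                        # optional 'critical' BOOLEAN precedes extnValue
        tag, start, end = _tlv(der, end)
    if tag != 0x04:                        # extnValue is an OCTET STRING
        raise ValueError("malformed BasicConstraints extension")
    seq_tag, seq_start, seq_end = _tlv(der, start)
    if seq_tag != 0x30:
        raise ValueError("malformed BasicConstraints extension")
    if seq_start == seq_end:               # empty BasicConstraints SEQUENCE: cA DEFAULT FALSE
        return False
    inner_tag, v_start, v_end = _tlv(der, seq_start)
    return inner_tag == 0x01 and der[v_start:v_end] == b"\xff"


def is_truststore_candidate(pem: str) -> bool:
    """Only certificates that assert cA=TRUE may be installed as trust anchors."""
    return basic_constraints_ca(pem_to_der(pem)) is True


def install_request(manager_id: str, pem: str) -> dict:
    """POST the root CA to the proposed Truststore collection."""
    if not is_truststore_candidate(pem):
        raise ValueError("refusing to install a certificate without BasicConstraints cA=TRUE")
    return {"method": "POST", "path": TRUSTSTORE.format(manager=manager_id),
            "body": {"CertificateString": pem, "CertificateType": "PEM"}}


def replace_request(certificate_uri: str, pem: str) -> dict:
    """Existing DSP2046 2018.3 ReplaceCertificate action; CertificateUri names the entry replaced."""
    if not is_truststore_candidate(pem):
        raise ValueError("refusing to install a certificate without BasicConstraints cA=TRUE")
    return {"method": "POST", "path": REPLACE_ACTION,
            "body": {"CertificateUri": {"@odata.id": certificate_uri},
                     "CertificateString": pem, "CertificateType": "PEM"}}


def delete_request(certificate_uri: str) -> dict:
    """What the thread asks DMTF for; CertificateCollection is deletable=false in 2018.3."""
    return {"method": "DELETE", "path": certificate_uri, "body": None}


def send(bmc_host: str, token: str, req: dict, context: ssl.SSLContext = None) -> int:
    """Issue one request over HTTPS with a Redfish session token (assumed); returns the HTTP status.
    The default SSL context verifies the BMC's own HTTPS certificate; pass a context to pin it."""
    data = json.dumps(req["body"]).encode() if req["body"] is not None else None
    http_req = urllib.request.Request("https://%s%s" % (bmc_host, req["path"]), data=data,
                                      method=req["method"],
                                      headers={"X-Auth-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(http_req, context=context or ssl.create_default_context()) as resp:
        return resp.status


# Constructed stubs: a SEQUENCE wrapping only a BasicConstraints extension (critical, cA=TRUE / empty).
SAMPLE_CA_PEM = der_to_pem(bytes.fromhex("3011300f0603551d130101ff040530030101ff"))
SAMPLE_LEAF_PEM = der_to_pem(bytes.fromhex("300e300c0603551d130101ff04023000"))

if __name__ == "__main__":
    print(json.dumps(install_request("bmc", SAMPLE_CA_PEM), indent=2))
    print(is_truststore_candidate(SAMPLE_LEAF_PEM))   # False: a leaf never enters the truststore
```

The whole sequence against a live BMC would be `send(host, token, install_request("bmc", pem))`, then `send(host, token, replace_request(uri, new_pem))` and `send(host, token, delete_request(uri))` once DMTF permits DELETE on the collection; until then the last call is expected to fail with a 405.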