SSL Certificate management proposal.
Jayanth Othayoth
ojayanth at gmail.com
Wed Aug 1 00:49:38 AEST 2018
This proposal provides a mechanism to replace the self-signed certificate
with a CA-signed certificate based on a BMC-generated CSR.

What is a CSR: A Certificate Signing Request is a digital request sent to a
certificate authority (CA) to apply for a digital identity certificate. It
includes information about the organization and a unique identifying key
(public key).
OpenSSL tools can be used to generate a CSR and the corresponding private key.

How to update a signed certificate on the BMC?
The workflow for updating a signed certificate on the BMC consists of:
1. Generating a CSR on the BMC
2. Exporting the CSR from the BMC onto the user’s storage device
3. Obtaining a signed certificate corresponding to the CSR from a CA
4. Importing the signed certificate on the BMC
The user shall have the ability to export the generated CSR any number of
times until the signed certificate is imported.
In order to support the above workflow, the BMC shall provide the following
REST APIs:
- Generate CSR
- Renew CSR
- Download CSR
- Upload digitally signed certificate.
- Activate digitally signed certificates
- Download digitally signed certificate
Additional Requirements:
- The BMC should store the signed certificate and private key in a
  persistent, secured storage location.
- The activate process shall validate the new certificate against the
  private key and the information in the CSR.
- Successful certificate activation shall replace the existing
  certificate and private key.
- A new CSR generate request will overwrite the previous CSR. The user
  should take care not to repeat CSR requests, to prevent overwriting
  pending CSRs.
- Certificate management operations should be restricted to certain
  privilege levels.
- As part of the boot process, a new self-signed certificate is generated
  if:
  - No CA-signed certificate is present, or it is corrupted.
  - A self-signed certificate is not present, or it is corrupted.
  - The certificate has expired.
- Validity of the certificate must be ensured by the user or client
  application by periodically checking the expiry date. The certificate
  management feature may be enhanced in future to generate events when the
  certificate is about to expire.
- Existing REST sessions will be tossed during the certificate activate
  process.
Note: REST/D-bus details not included here.
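
The activation check described in the requirements above, sketched with the OpenSSL command-line tools as an added example (not part of the original post and not OpenBMC code). The function names, file layout, subject fields and throwaway test CA are assumptions; the expiry check is borrowed from the boot-process requirement. The final two calls show why regenerating a CSR invalidates a certificate issued for the earlier one.

```shell
#!/bin/sh
# Constructed demo: every name, subject and path here is made up for illustration.
WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT

# Steps 1-2 of the workflow: the BMC creates a private key and CSR ($1 = name, $2 = CN).
# Running this again for the same name overwrites the pending key and CSR.
bmc_generate_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/O=Example Org/CN=$2" 2>/dev/null
}

# Step 3: a throwaway test CA stands in for the real CA.
ca_setup() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}
ca_sign() {  # $1 = CSR name, $2 = name for the issued certificate
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -out "$WORK/$2.pem" 2>/dev/null
}

subject_of() {  # $1 = "req" or "x509", $2 = file; prints the subject in RFC 2253 form
    openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 2>/dev/null | sed 's/^subject= *//'
}

# Step 4 gate: accept the uploaded certificate ($2) only if it matches the
# stored private key and pending CSR ($1) and has not expired.
activate_check() {
    key_pub=$(openssl pkey -in "$WORK/$1.key" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$WORK/$1.csr" -noout -pubkey 2>/dev/null)
    crt_pub=$(openssl x509 -in "$WORK/$2.pem" -noout -pubkey 2>/dev/null)
    [ -n "$crt_pub" ] || { echo "reject: certificate is unreadable"; return 1; }
    [ "$crt_pub" = "$key_pub" ] || { echo "reject: certificate does not match BMC private key"; return 1; }
    [ "$crt_pub" = "$csr_pub" ] || { echo "reject: certificate does not match pending CSR"; return 1; }
    [ "$(subject_of x509 "$WORK/$2.pem")" = "$(subject_of req "$WORK/$1.csr")" ] ||
        { echo "reject: subject differs from CSR"; return 1; }
    openssl x509 -in "$WORK/$2.pem" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "reject: certificate has expired"; return 1; }
    echo "accept"
}

ca_setup
bmc_generate_csr bmc bmc.example.test
ca_sign bmc issued
activate_check bmc issued || true         # certificate matches the pending CSR
bmc_generate_csr bmc bmc.example.test     # a second request overwrites key and CSR
activate_check bmc issued || true         # the earlier certificate no longer matches
```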