SSL Certificate management proposal.
Ed Tanous
ed.tanous at intel.com
Thu Aug 2 02:48:27 AEST 2018
> >
> Agree with your concern, but from the security standpoint transmitting
> private key over network is not recommended. Additionally, a simplified
> method can also be provided for customers who want that.
I'm happy with both, and I understand the desire to not transmit private
keys over the network, but this is how a lot of organizations are set up
today. In general, the private key is sent over TLS, during an initial
provisioning phase, on an isolated subnet to reduce the risk. I'm not
saying the CSR approach isn't an improvement, but I think we will need
to support both approaches, and I don't know of any BMC that supports
the CSR approach, although I'm not very familiar with some of the high
end enterprise BMCs feature set. It might be supported.
> >
> > What does this mean exactly? Encrypted disk backed by hardware
> > security? Is it just implying file system permissions?
> Storage method can be varied based on the implementation. Currently
> looking at file system permissions.
Got it.
> >
> > > * Activate process shall validate the new certificate against the
> > > private key and information in the CSR.
> > You don't really define what the "activate process" is in this context.
> > I suspect you're talking about a process designed for cert upload, but
> > I'm not really sure given the context.
> >
> Upload process just saves the signed certificate in a BMC location and
> "activation" will replace the currently used certificate in the secured
> location and restart all the impacted services.
Why have these as two steps? Why not just upload the key and apply it
in one atomic action? It seems like it would simplify the code quite a
bit, and reduce the possibility of issues.
> >
> As mentioned earlier, the currently used certificate will be replaced only
> after the successful activation. So there won't be any downtime during
> the CSR creation process.
If I'm following correctly, the CSR gets replaced, but not the
certificate? If so, I misunderstood your initial requirement. This
should be fine.
> >
> User privilege level needs to be discussed more.
Agreed.
All in all, sounds like a good start to me.
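The activation check discussed above (validate the uploaded certificate against the BMC's private key and the information in the CSR before the old certificate is replaced) as an added shell example; this is not OpenBMC or phosphor code, it only assumes the openssl CLI is present and builds its own constructed key, CSR and certificates in a temporary directory so it runs offline:

```shell
#!/bin/sh
# Added example, not OpenBMC code: reject an uploaded certificate unless it
# (1) is not expired, (2) carries the public key of the BMC's own private
# key, and (3) has the subject the BMC asked for in its CSR.
set -eu

# Constructed demo material: the key + CSR the BMC would generate, and a
# certificate "returned by the CA" (self-signed here for the demo).
WORK=$(mktemp -d)
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/bmc.key" \
    -subj "/CN=bmc.example.test/O=Example" -out "$WORK/bmc.csr" 2>/dev/null
openssl x509 -req -in "$WORK/bmc.csr" -signkey "$WORK/bmc.key" -days 30 \
    -out "$WORK/bmc.crt" 2>/dev/null

# Negative case A: same subject, but issued for a different key pair.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/other.key" \
    -subj "/CN=bmc.example.test/O=Example" -out "$WORK/other.csr" 2>/dev/null
openssl x509 -req -in "$WORK/other.csr" -signkey "$WORK/other.key" -days 30 \
    -out "$WORK/other.crt" 2>/dev/null

# Negative case B: right key, but a subject the BMC never requested.
openssl req -new -key "$WORK/bmc.key" \
    -subj "/CN=someone-else.example.test/O=Example" -out "$WORK/wrong.csr" 2>/dev/null
openssl x509 -req -in "$WORK/wrong.csr" -signkey "$WORK/bmc.key" -days 30 \
    -out "$WORK/wrong.crt" 2>/dev/null

# validate_cert KEY CSR CERT -> returns 0 only when CERT may be activated.
validate_cert() {
    key=$1; csr=$2; crt=$3
    # 1. Certificate must parse and must not already be expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 || return 1
    # 2. Its public key must equal the public half of our private key.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    crt_pub=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null || true)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ] || return 1
    # 3. Its subject must match what the CSR requested.
    csr_subj=$(openssl req -in "$csr" -noout -subject 2>/dev/null | sed 's/^subject= *//')
    crt_subj=$(openssl x509 -in "$crt" -noout -subject 2>/dev/null | sed 's/^subject= *//')
    [ -n "$csr_subj" ] && [ "$csr_subj" = "$crt_subj" ] || return 1
    return 0
}

# Usage: only swap the certificate into the secured location when this passes.
if validate_cert "$WORK/bmc.key" "$WORK/bmc.csr" "$WORK/bmc.crt"; then
    echo "bmc.crt: OK to activate"
fi
validate_cert "$WORK/bmc.key" "$WORK/bmc.csr" "$WORK/other.crt" || echo "other.crt: rejected (key mismatch)"
validate_cert "$WORK/bmc.key" "$WORK/bmc.csr" "$WORK/wrong.crt" || echo "wrong.crt: rejected (subject mismatch)"
```

The key comparison is done on the PEM-encoded public keys rather than by fingerprint so it works the same for RSA and EC keys; if the CSR also requested subjectAltName entries, the same pattern applies with `openssl x509 -ext subjectAltName` on the certificate. Keeping this check inside the activation step, and leaving the old certificate in place until it passes, is what makes the two-step upload/activate flow safe against a mis-issued or mismatched upload.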