SSL Certificate management - proposed REST APIs

Tanous, Ed ed.tanous at intel.com
Wed Aug 8 00:43:19 AEST 2018


> Yes, the spec should allow for the certificate to not be there.  Can this
> happen when the BMC is being provisioned or decommissioned, after the
> cert is deleted and before it gets re-created (if SSL is not running but REST
> APIs are working), and possibly when processing a certificate signing
> request?
If SSL is not running but the REST APIs are working that is a bug, as we shouldn't be transferring anything (especially SSL certificates) over an unencrypted link.  An outstanding CSR doesn't require us to invalidate the old certificate to create it.  If the certificate isn't there, then the REST API is effectively down, as we can't spin up TLS sessions to upload a new key, so we're deadlocked.
In your mind, if I call DELETE on the /ssl endpoint, what happens?  In my mind, /delete causes a regeneration of the self signed key, so we can keep the https interfaces functional.

> 
> It seems like there are increasingly complex use cases:
> 1. A Self-signed SSL certificate is created when there is no other certificate to
> use.  This is the current behavior.
> 2. Some other server creates a SSL certificate and causes it to be signed
> (either by a well known Certificate Authority or by acting as a CA), then PUTs
> that SSL certificate onto the BMC.
> 3. Information for the CSR is PUT onto the BMC which then chooses private
> keys, creates the SSL Certificate Signing Request (CSR), and causes the SSL
> certificate to be signed.  When the signed SSL certificate returns, the BMC
> uses it.
#3 use case seems a little odd, can you explain it a little more?   "Causes the SSL certificate to be signed" sounds a lot like self-signed in #1, but with user provided information in the CSR.  I'm not really sure what this would do for a user, as the cert chain still isn't traceable.  Would you make an Intermediate CA available for download, so the user could add it to their root store?

> Does the information needed for the CSR need to be kept around for re-
> use?  Would the CSR itself ever be re-used?
I can't think of any reason why it would.  All of the information in the CSR is easily recreated.
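A worked illustration of the two rules laid out above (a DELETE on the certificate endpoint immediately regenerates a self-signed certificate so the HTTPS interface never goes dark, and creating a CSR never touches the certificate currently being served), added here as an example; it is not code from this thread or from OpenBMC. It assumes the openssl command-line tool is available; the store directory, file names and function names are hypothetical.

```shell
#!/bin/sh
# Added example, not OpenBMC code: a certificate store in which "delete" never
# leaves the HTTPS endpoint without a certificate, and creating a CSR never
# modifies the certificate in use. Assumes the openssl CLI; paths are hypothetical.
set -eu

STORE="${STORE:-$(mktemp -d)}"   # hypothetical certificate store directory
CERT="$STORE/server.pem"
KEY="$STORE/server.key"

# Generate a fresh self-signed certificate (use case 1: nothing else to use).
regen_self_signed() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$KEY" -out "$CERT" -subj "/CN=bmc.example" -days 365 >/dev/null 2>&1
}

# DELETE on the cert endpoint: drop the current cert and key, then immediately
# regenerate a self-signed pair so TLS keeps running and a replacement can
# still be uploaded over HTTPS rather than over an unencrypted link.
cert_delete() {
    rm -f "$CERT" "$KEY"
    regen_self_signed
}

# PUT of an externally signed cert and key (use case 2): install as given.
cert_put() {
    cp "$1" "$CERT"
    cp "$2" "$KEY"
}

# Create a CSR with a brand-new key. The active cert/key are left untouched,
# so an outstanding CSR does not invalidate what the server is serving now.
cert_csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$STORE/pending.key" -out "$STORE/pending.csr" \
        -subj "/CN=bmc.example" >/dev/null 2>&1
    echo "$STORE/pending.csr"
}

# Invariant check: a certificate is present and parses.
cert_present() {
    [ -s "$CERT" ] && openssl x509 -noout -in "$CERT" >/dev/null 2>&1
}

# True when issuer equals subject, i.e. the certificate is self-signed.
cert_is_self_signed() {
    [ "$(openssl x509 -noout -subject -in "$CERT")" = \
      "$(openssl x509 -noout -issuer -in "$CERT" | sed 's/^issuer=/subject=/')" ]
}

# SHA-256 fingerprint of the active certificate, used to detect replacement.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$CERT"
}

# Initial state: self-signed cert created because there is nothing else to use.
regen_self_signed
```

Running the script leaves a self-signed pair in `$STORE`; calling `cert_csr` afterwards adds `pending.csr` and `pending.key` without changing the fingerprint of `server.pem`, and `cert_delete` replaces the pair with a new self-signed one rather than leaving the store empty.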

