Redfish: Generating and installing CSR based certificates.
Jayanth Othayoth
ojayanth at gmail.com
Fri Feb 15 00:53:53 AEDT 2019
All,
Please find the Redfish-based flow for CSR (Certificate Signing Request)
generation and for installing the signed certificate in the BMC.
This is based on the latest Redfish spec (Reference:
https://www.dmtf.org/sites/default/files/Redfish_2018_Release_3_Overview.pdf)
and related documents.
Included the Gerrit link related to the D-Bus interfaces:
Review Link:
https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-dbus-interfaces/+/16571/
Looking for inputs on this design flow and any additional changes
required from the security aspect of managing private keys in the BMC.
- The user performs the GenerateCSR action (URI:
  /redfish/v1/CertificateService) with the required parameters.
  - The certificate service provides a D-Bus interface to generate a CSR.
  - The certificate manager creates the private key and saves it in the
    service-specific path.
  - Returns the D-Bus path for the newly created CSR.
- The certificate service provides a D-Bus interface to download the CSR.
  - The user needs to wait for the creation of the CSR-specific D-Bus
    path to download the newly created CSR.
- The user takes the CSR file and gets it signed by the appropriate
  authority.
  - This step is outside the scope of Redfish.
- The user navigates to the appropriate certificate collection.
  - Example: if trying to replace the HTTPS certificate for a
    Manager, navigate to the Manager's Certificate Collection that is
    subordinate to the NetworkProtocol/HTTPS object.
- The user performs a POST on the Certificate Collection with the
  certificate string in the body.
  - Use the existing certificate upload D-Bus interface.
  - The certificate manager validates the certificate against the available
    service-specific private keys in the BMC.
  - After successful validation, it pairs the private key used in the first
    step with the installed certificate.
Assumptions:
- For a service, the BMC allows a maximum of 3 (?) CSR requests. Any new request
  after this will remove the oldest private key information from the BMC.
- The user has to do a factory reset to remove the private key from the system.
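As an added illustration of the manager-side logic described above (not code from the post or from OpenBMC), the toy model below keeps the private key BMC-side when a CSR is generated, evicts the oldest pending key once the assumed limit of 3 is exceeded, and accepts an uploaded certificate only if its public key matches one of the pending keys, pairing the two on success. It assumes the `cryptography` library; the CA key, names and `csrN` identifiers are constructed for the example.

```python
from collections import OrderedDict
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

MAX_PENDING_CSRS = 3  # the "maximum 3 (?)" per-service limit assumed in the mail
CA_KEY = ec.generate_private_key(ec.SECP256R1())  # constructed stand-in CA key

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

class CertificateManager:
    """Toy model of the BMC certificate manager (hypothetical, not OpenBMC code)."""
    def __init__(self):
        self.pending = OrderedDict()  # csr_id -> private key, oldest first
        self.installed = None         # (private key, certificate) once paired
        self._count = 0

    def generate_csr(self, common_name):
        """GenerateCSR: the key never leaves the BMC; only the CSR PEM is returned."""
        key = ec.generate_private_key(ec.SECP256R1())
        csr = (x509.CertificateSigningRequestBuilder()
               .subject_name(_name(common_name)).sign(key, hashes.SHA256()))
        if len(self.pending) >= MAX_PENDING_CSRS:
            self.pending.popitem(last=False)  # evict the oldest private key
        self._count += 1
        self.pending[f"csr{self._count}"] = key
        return f"csr{self._count}", csr.public_bytes(serialization.Encoding.PEM)

    def install_certificate(self, cert_pem):
        """Certificate POST: accept only a cert matching a pending key, then pair."""
        cert = x509.load_pem_x509_certificate(cert_pem)
        for csr_id, key in list(self.pending.items()):
            if key.public_key().public_numbers() == cert.public_key().public_numbers():
                self.installed = (self.pending.pop(csr_id), cert)
                return csr_id
        raise ValueError("certificate matches no pending private key")

def sign_csr(csr_pem):
    """Stand-in for the external CA step, which is outside the Redfish flow."""
    csr = x509.load_pem_x509_csr(csr_pem)
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(csr.subject).issuer_name(_name("Test CA"))
            .public_key(csr.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=365))
            .sign(CA_KEY, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.PEM)
```

A certificate issued for a CSR whose key has already been evicted is rejected, which is the practical consequence of the 3-request limit worth checking when reviewing the design.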