bmcweb and certificate chains [WAS: Security working group meeting 2020-01-22]

Joseph Reynolds jrey at
Tue Jan 28 03:03:09 AEDT 2020

On 1/24/20 11:19 AM, Alexander Tereschenko wrote:
> On 22-Jan-20 22:23, Joseph Reynolds wrote:
>> Notes from the security working group meeting 2020-01-22:
>> Highlights below; details in 
>> 1. Discuss BMCWeb’s site identity certificate handling, specifically 
>> intermediate certificates.  See 

>> Other web servers have directives to concatenate the intermediate 
>> certificates (excluding the root CA certificates) and send that. What 
>> does BMCWeb do?

>>  - What is BMCWeb's default?
>>  - Need better docs, for example: How can a BMC admin replace 
>> the BMCWeb site cert?  Is it okay to concatenate intermediate certs? 
>> Can we document this for BMCWeb?
> As discussed during the meeting, I've looked into that and looks like 
> bmcweb doesn't support sending the cert chain at all right now. When 
> loading it expects the server's cert file to have just a private key 
> and certificate in a single file [1], just as we've discussed during 
> the meeting, and server's init code only loads those [2]. There's an 
> API in Boost.Asio that could allow loading a chain [3], but it's not 
> used anywhere, so for bmcweb to support that, a patch must be created.

Thank you for finding that.  I think we want to add a function to BMCWeb 
to be able to handle certificate chains.  Would we need to enhance the 
REST APIs [4] to upload server certificates as part of this work?


- Joseph

> HTH,
> Alexander
> [1]
> [2]
> [3] 
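
An added example, not part of the original message or of bmcweb's code: a standalone C++ check that counts the PEM blocks in a server certificate file, to tell the single key-plus-certificate layout described in the thread from a file with intermediate certificates appended. The function names and the sample input are assumptions made for this illustration.

```cpp
#include <iostream>
#include <sstream>
#include <string>

struct PemSummary { int privateKeys = 0; int certificates = 0; bool malformed = false; };

// Label of a "-----BEGIN x-----" / "-----END x-----" line, or "" if it is not one.
static std::string labelOf(const std::string& line, const std::string& prefix) {
    const std::string tail = "-----";
    if (line.size() <= prefix.size() + tail.size()) return "";
    if (line.compare(0, prefix.size(), prefix) != 0) return "";
    if (line.compare(line.size() - tail.size(), tail.size(), tail) != 0) return "";
    return line.substr(prefix.size(), line.size() - prefix.size() - tail.size());
}

// Count complete private-key and certificate blocks in PEM text.
PemSummary summarizePem(const std::string& pem) {
    PemSummary s;
    std::istringstream in(pem);
    std::string line, open;  // open: label of the block currently being read
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();  // tolerate CRLF
        const std::string b = labelOf(line, "-----BEGIN ");
        const std::string e = labelOf(line, "-----END ");
        if (!b.empty()) {
            if (!open.empty()) s.malformed = true;  // BEGIN inside an open block
            open = b;
        } else if (!e.empty()) {
            if (e != open) s.malformed = true;      // END without a matching BEGIN
            else if (e == "CERTIFICATE") ++s.certificates;
            else if (e.size() >= 11 && e.compare(e.size() - 11, 11, "PRIVATE KEY") == 0) ++s.privateKeys;
            open.clear();
        }
    }
    if (!open.empty()) s.malformed = true;          // truncated final block
    return s;
}

// Layout the thread describes bmcweb loading: one private key, one certificate.
bool isSingleKeyAndCert(const PemSummary& s) {
    return !s.malformed && s.privateKeys == 1 && s.certificates == 1;
}
// Constructed sample input; block bodies are placeholders, not real key material.
const std::string kKey = "-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n";
const std::string kCert = "-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n";

int main() {
    const PemSummary s = summarizePem(kKey + kCert + kCert);  // leaf plus one appended intermediate
    std::cout << "keys=" << s.privateKeys << " certs=" << s.certificates << " single=" << isSingleKeyAndCert(s) << "\n";
    return 0;
}
```

A file that reports more than one certificate contains appended intermediates, which is the case the thread says would need a patch before bmcweb could send them.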
