bmcweb: Install encrypted certificate to BMC

Zhenfei Tai ztai at google.com
Sat Apr 17 10:23:52 AEST 2021


Hi,

Currently certificate installation is supported by bmcweb via
*redfish/v1/Managers/bmc/Truststore/Certificates*, where the certificate
content is part of the JSON request.

For our use case it's a more restricted environment in which we don't want
to have plaintext certificates in the request. Instead we want to send a
pair of encrypted key and certificate from the host to the BMC and there
will be another daemon to decrypt them using an internal library.

Since it's not supported by the Redfish schema, my plan is to use the
*redfish/v1/CertificateService/OemActions* URI and a request payload like
below:
{
  "key": "encrypted key in binary",
  "certificate": "encrypted certificate in binary"
}

The reasons to use the URI and payload are:
1. It's related to certificate service although in opaque blobs.
2. It's fairly company specific that probably isn't universally applicable.

My questions are:
1. Is this a reasonable approach?
2. Shall we define an OEM schema for our request?

Thanks,
Zhenfei