No option to delete SSL certificates

Ed Tanous ed at tanous.net
Sat Mar 6 07:28:35 AEDT 2021


On Fri, Mar 5, 2021 at 10:41 AM Milton Miller II <miltonm at us.ibm.com> wrote:
>
> On March 05, Ed Tanous wrote:
> >On Fri, Mar 5, 2021 at 9:43 AM Gunnar Mills
> ><gmills at linux.vnet.ibm.com> wrote:
> >>
> >> On 3/4/2021 8:52 PM, Mohammed.Habeeb ISV wrote:
> >> > In webui-vue, SSL certificates have only a replace option. The Delete
> >> > button is greyed out.
> >> >
> >> > Is there any reason for not providing delete option?
> >
> >I can't explain why the TrustStore certificate isn't deletable, that
> >seems like a bug in webui-vue.
> >
> >The HTTPS certificate isn't deletable because that would effectively
> >disable the HTTPS interface entirely, which seems like a problem,
> >given that you're currently using the HTTPS interface to communicate
> >with the BMC.  Because of that, we only support replacing the
> >certificate.  In a perfect world, we could regenerate a new
> >self-signed certificate if the old one was deleted, but nobody has
> >written that code so far as I'm aware, I suspect because it's just as
> >easy to replace the certificate with your own self-signed cert.
>
> There was also discussion (but I don't remember if it was email
> or in a gerrit review) that deleting invalid certificates was
> a bad idea when they are invalid for the current time because
> sometimes the issue is the loss of the real time clock, and we
> don't want to delete what should be a good cert and replace with
> a self-signed one just because the RTC is wrong.

I think that's a different issue.  This is talking about the actual
delete API a user would request.

>
> Deleting the current cert can cause issues with certificate
> pinning in the browser.

You're either talking about HSTS, which isn't affected by certificate
changes, or you're talking about HPKP which we've never supported in
bmcweb, and I thought the browsers removed support for it anyway.
Either way, I don't think it's a concern in OpenBMC in this case.  We
can (and expect to, in a security-conscious org) replace the
certificate at will, often.

>
> >>>
> >> Looking at the code, I believe the only certificate that can be
> >> deleted in bmcweb is the Trust Store Certificate
> >>
> >> https://github.com/openbmc/bmcweb/blob/feaf15005555a3099c7f22a7e3d16c99ccb40e72/redfish-core/lib/certificate_service.hpp#L1347
> >>
> >> And this is reflected in the webui-vue code:
> >>
> >> https://github.com/openbmc/webui-vue/blob/4da9495925d601bb4edfb8b007d5b54792b7491b/src/views/AccessControl/SslCertificates/SslCertificates.vue#L183
> >>
> >> I am not sure if there is a reason for not supporting deleting
> >> other certificates or just no one has done the work.
> >>
> >> https://github.com/openbmc/bmcweb/commit/07a602993f1007b0b0b764bdb3f14f302a8d2e26
> >>
> >> Thanks,
> >> Gunnar
>
> milton
>
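The replace-only workflow Ed describes (generate your own self-signed certificate and push it through the Redfish ReplaceCertificate action instead of deleting the HTTPS certificate) and Milton's caveat (a lost RTC makes a perfectly good certificate look expired, so "invalid for the current time" should not by itself trigger discarding it) as one added Go example. This is not code from the thread, from bmcweb or from webui-vue. Everything beyond the page is an assumption of mine: the exact ReplaceCertificate body fields, the certificate URI `/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1`, that the BMC expects certificate and private key concatenated in `CertificateString`, the hostname `bmc.example.invalid`, and the "clock floor" heuristic (a wall clock earlier than the firmware build date is not trusted) used to tell a real expiry from a dead RTC.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// GenerateSelfSigned builds a throwaway self-signed X.509 certificate (P-256 ECDSA)
// valid from notBefore for the given number of days and returns cert and key as PEM.
// This is the "replace it with your own self-signed cert" step from the thread.
func GenerateSelfSigned(cn string, notBefore time.Time, days int) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // constructed: a real issuer would randomise this
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// ReplaceCertificateBody builds the JSON body for the Redfish
// CertificateService.ReplaceCertificate action. Assumption (not from the thread):
// the BMC wants certificate and private key concatenated in CertificateString.
func ReplaceCertificateBody(certPEM, keyPEM []byte, certURI string) ([]byte, error) {
	body := map[string]interface{}{
		"CertificateString": string(certPEM) + string(keyPEM),
		"CertificateType":   "PEM",
		"CertificateUri":    map[string]string{"@odata.id": certURI},
	}
	return json.Marshal(body)
}

// ParseCertPEM decodes the first CERTIFICATE block of a PEM blob.
func ParseCertPEM(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// ValidityStatus classifies a certificate against the current clock, but first
// asks whether the clock itself is believable: if now predates clockFloor (for
// example the firmware build date) the RTC has most likely been lost, and the
// certificate must not be thrown away on the strength of that clock.
// Returns one of "clock-untrusted", "not-yet-valid", "expired", "valid".
func ValidityStatus(cert *x509.Certificate, now, clockFloor time.Time) string {
	switch {
	case now.Before(clockFloor):
		return "clock-untrusted"
	case now.Before(cert.NotBefore):
		return "not-yet-valid"
	case now.After(cert.NotAfter):
		return "expired"
	default:
		return "valid"
	}
}

func main() {
	now := time.Now()
	buildDate := now.Add(-30 * 24 * time.Hour) // constructed stand-in for a firmware build date
	certPEM, keyPEM, err := GenerateSelfSigned("bmc.example.invalid", now.Add(-time.Hour), 365)
	if err != nil {
		panic(err)
	}
	cert, err := ParseCertPEM(certPEM)
	if err != nil {
		panic(err)
	}
	body, _ := ReplaceCertificateBody(certPEM, keyPEM, "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1")
	fmt.Printf("ReplaceCertificate body is %d bytes\n", len(body))
	fmt.Println("with a sane clock:     ", ValidityStatus(cert, now, buildDate))
	fmt.Println("with RTC reset to 1970:", ValidityStatus(cert, time.Unix(0, 0), buildDate))
}
```

The body returned by `ReplaceCertificateBody` is what a client would POST to the CertificateService ReplaceCertificate action URI over the existing HTTPS session; the session stays up because the old certificate is only swapped, never removed. The `ValidityStatus` split matters on the BMC side: with the RTC reset, the certificate is reported as "clock-untrusted" rather than "expired", which is the distinction Milton's point asks for before any automatic regeneration is considered.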

