Redfish Certificate Management
Certificate management actions (e.g., getting certificate information, doing atomic replacement of certificates) are found in the CertificateService resource.
The CertificateLocations resource is responsible for providing inventory of all the certificates which the service manages.
More details can be found in the Redfish Certificate Management White Paper.
Get Certificate Locations
Inventory of all certificates the service is managing.
curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/CertificateService/CertificateLocations
Get Certificate Information
curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/1
Replace Existing Certificate
curl -k -u root:'<password>' -X POST https://<bmc_ip>/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate -d @certificate.json
Generate CSR
Generate certificate signing request (CSR):
curl -k -u root:'<password>' -H "Content-Type: application/json" -X POST https://<bmc_ip>/redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR -d @csr_file.json
Install Certificate
curl -k -u root:'<password>' -H "Content-Type: application/octet-stream" -X POST https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates -d @certificate.json
Configure your CA to include at least the following extensions for the signed TLS server certificates:
basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = IP:192.168.240.1
NoteThe extension subjectAltName = IP:192.168.240.1 is mandatory.
Create a JSON containing the subject data for the DPU BMC to use when creating the CSR. For example:
{ "City": "<city>", "CertificateCollection": { "@odata.id": "/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/" }, "CommonName": "bmc0123456789.mycompany.com", "Country": "<country>", "Organization": "<company_name>", "OrganizationalUnit": "<my_org>", "State": "<state>", "KeyPairAlgorithm": "EC" }
Generate a certificate signing request using the forth command in the table above and the JSON file created in the previous step:
InfoThe BMC replies with a JSON containing the CSR.
curl -k -u root:'<password>' -H "Content-Type: application/json" -X POST https://<bmc_ip>/redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR -d @csr_file.json { "CSRString": "-----BEGIN CERTIFICATE REQUEST-----\<CSR_DATA>\n-----END CERTIFICATE REQUEST-----\n", "CertificateCollection": { "@odata.id": "/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/" } }
Extract the CSR string from the JSON and sign the CSR using your CA. For example, this is how to include the required extensions to the signed TLS server certificates:
openssl x509 -req -in bmc.csr -CA CA-cert.pem -CAkey CA-key.pem -CAcreateserial -out bmc.crt -days 3650 -sha384 -extfile exfile.txt
Where:
bmc.csr contains the CSR string from the previous step
CA-cert.pem contains the CA certificate to be used to sign the CSR
CA-key.pem contains the CA private key
extfile.txt contains the extensions mentioned in the first step (basicConstraints, keyUsage, and subjectAltName)
bmc.crt is the output file which will contain the BMC certificate signed by the CA
Create a JSON file for the DPU BMC signed TLS server certificate data:
{ "CertificateString": "-----BEGIN CERTIFICATE-----\n<bmc.crt-data>\n-----END CERTIFICATE-----", "CertificateType": "PEM", "CertificateUri": { "@odata.id": "/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/1" } }
Replace the BMC certificate using the third command in the table above and the JSON created in the previous step.
curl -k -u root:'<password>' -X POST https://<bmc_ip>/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate -d @certificate.j