NVIDIA BlueField BMC Software v24.04
NVIDIA BlueField BMC Software v24.04

Redfish Certificate Management

Certificate management actions (e.g., getting certificate information, doing atomic replacement of certificates) are found in the CertificateService resource.

The CertificateLocations resource is responsible for providing inventory of all the certificates which the service manages.

More details can be found in the Redfish Certificate Management White Paper.

Get Certificate Locations

Inventory of all certificates the service is managing.

Copy
Copied!
            

curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/CertificateService/CertificateLocations


Get Certificate Information

Copy
Copied!
            

curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/1


Replace Existing Certificate

Copy
Copied!
            

curl -k -u root:'<password>' -X POST https://<bmc_ip>/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate -d @certificate.json


Generate CSR

Generate certificate signing request (CSR):

Copy
Copied!
            

curl -k -u root:'<password>' -H "Content-Type: application/json" -X POST https://<bmc_ip>/redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR -d @csr_file.json


Install Certificate

Copy
Copied!
            

curl -k -u root:'<password>' -H "Content-Type: application/octet-stream" -X POST https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates -d @certificate.json


  1. Configure your CA to include at least the following extensions for the signed TLS server certificates:

    Copy
    Copied!
                

    basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = IP:192.168.240.1

    Note

    The extension subjectAltName = IP:192.168.240.1 is mandatory.

  2. Create a JSON containing the subject data for the DPU BMC to use when creating the CSR. For example:

    Copy
    Copied!
                

    { "City": "<city>", "CertificateCollection": { "@odata.id": "/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/" }, "CommonName": "bmc0123456789.mycompany.com", "Country": "<country>", "Organization": "<company_name>", "OrganizationalUnit": "<my_org>", "State": "<state>", "KeyPairAlgorithm": "EC" }

  3. Generate a certificate signing request using the forth command in the table above and the JSON file created in the previous step:

    Info

    The BMC replies with a JSON containing the CSR.

    Copy
    Copied!
                

    curl -k -u root:'<password>' -H "Content-Type: application/json" -X POST https://<bmc_ip>/redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR -d @csr_file.json { "CSRString": "-----BEGIN CERTIFICATE REQUEST-----\<CSR_DATA>\n-----END CERTIFICATE REQUEST-----\n", "CertificateCollection": { "@odata.id": "/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/" } }

  4. Extract the CSR string from the JSON and sign the CSR using your CA. For example, this is how to include the required extensions to the signed TLS server certificates:

    Copy
    Copied!
                

    openssl x509 -req -in bmc.csr -CA CA-cert.pem -CAkey CA-key.pem -CAcreateserial -out bmc.crt -days 3650 -sha384 -extfile exfile.txt

    Where:

    • bmc.csr contains the CSR string from the previous step

    • CA-cert.pem contains the CA certificate to be used to sign the CSR

    • CA-key.pem contains the CA private key

    • extfile.txt contains the extensions mentioned in the first step (basicConstraints, keyUsage, and subjectAltName)

    • bmc.crt is the output file which will contain the BMC certificate signed by the CA

  5. Create a JSON file for the DPU BMC signed TLS server certificate data:

    Copy
    Copied!
                

    { "CertificateString": "-----BEGIN CERTIFICATE-----\n<bmc.crt-data>\n-----END CERTIFICATE-----", "CertificateType": "PEM", "CertificateUri": { "@odata.id": "/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/1" } }

  6. Replace the BMC certificate using the third command in the table above and the JSON created in the previous step.

    Copy
    Copied!
                

    curl -k -u root:'<password>' -X POST https://<bmc_ip>/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate -d @certificate.j

© Copyright 2024, NVIDIA. Last updated on May 10, 2024.