Redfish Certificate Management
Certificate management actions (e.g., getting certificate information, doing atomic replacement of certificates) are found in the CertificateService resource.
The CertificateLocations resource is responsible for providing inventory of all the certificates which the service manages.
More details can be found in the Redfish Certificate Management White Paper.
Getting Certificate Locations
Inventory of all certificates the service is managing:

    curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/CertificateService/CertificateLocations

Getting Certificate Information

    curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/1

Replacing Existing Certificate

    curl -k -u root:'<password>' -X POST https://<bmc_ip>/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate -d @certificate.json

Generating CSR
Generate a certificate signing request (CSR):

    curl -k -u root:'<password>' -H "Content-Type: application/json" -X POST https://<bmc_ip>/redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR -d @csr_file.json

Installing Certificate

    curl -k -u root:'<password>' -H "Content-Type: application/octet-stream" -X POST https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates -d @certificate.json
To replace the BMC HTTPS server certificate with one signed by your own CA, follow these steps:

1. Configure your CA to include at least the following extensions for the signed TLS server certificates:

       basicConstraints = CA:FALSE
       keyUsage = nonRepudiation, digitalSignature, keyEncipherment
       subjectAltName = IP:192.168.240.1

   Note: the subjectAltName = IP:192.168.240.1 extension is mandatory.

2. Create a JSON file containing the subject data for the BlueField BMC to use when creating the CSR. For example:

       {
         "City": "<city>",
         "CertificateCollection": {
           "@odata.id": "/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/"
         },
         "CommonName": "bmc0123456789.mycompany.com",
         "Country": "<country>",
         "Organization": "<company_name>",
         "OrganizationalUnit": "<my_org>",
         "State": "<state>",
         "KeyPairAlgorithm": "EC"
       }

3. Generate a certificate signing request using the fourth command in the table above (Generating CSR) and the JSON file created in the previous step. The BMC replies with a JSON containing the CSR:

       curl -k -u root:'<password>' -H "Content-Type: application/json" -X POST https://<bmc_ip>/redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR -d @csr_file.json
       {
         "CSRString": "-----BEGIN CERTIFICATE REQUEST-----\n<CSR_DATA>\n-----END CERTIFICATE REQUEST-----\n",
         "CertificateCollection": {
           "@odata.id": "/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/"
         }
       }

4. Extract the CSR string from the JSON and sign the CSR using your CA. For example, this is how to include the required extensions in the signed TLS server certificate:

       openssl x509 -req -in bmc.csr -CA CA-cert.pem -CAkey CA-key.pem -CAcreateserial -out bmc.crt -days 3650 -sha384 -extfile extfile.txt

   Where:
   - bmc.csr contains the CSR string from the previous step
   - CA-cert.pem contains the CA certificate to be used to sign the CSR
   - CA-key.pem contains the CA private key
   - extfile.txt contains the extensions mentioned in the first step (basicConstraints, keyUsage, and subjectAltName)
   - bmc.crt is the output file which will contain the BMC certificate signed by the CA

5. Create a JSON file for the BlueField BMC signed TLS server certificate data:

       {
         "CertificateString": "-----BEGIN CERTIFICATE-----\n<bmc.crt-data>\n-----END CERTIFICATE-----",
         "CertificateType": "PEM",
         "CertificateUri": {
           "@odata.id": "/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/1"
         }
       }

6. Replace the BMC certificate using the third command in the table above (Replacing Existing Certificate) and the JSON created in the previous step:

       curl -k -u root:'<password>' -X POST https://<bmc_ip>/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate -d @certificate.json
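The six steps above, strung together as one shell script, are given here as an added example; it is not NVIDIA's code and not part of the original page. It wraps the page's curl and openssl commands in functions, and adds the two pieces the page leaves to the reader: converting the JSON-escaped CSRString into a file openssl can read, and re-escaping the signed PEM certificate into the ReplaceCertificate payload. It also checks the issued certificate for the three mandatory extensions before anything is uploaded, because a certificate without the IP subjectAltName is rejected by TLS clients that verify the BMC. The environment variables BMC_IP, BMC_PASS and BMC_SAN_IP, the file names csr_response.json and extfile.txt, the subject values passed to make_csr_json, and the Content-Type header on the ReplaceCertificate call are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the page): BMC HTTPS certificate rotation over Redfish.
# Assumes BMC_IP, BMC_PASS and BMC_SAN_IP are set in the environment and that
# CA-cert.pem / CA-key.pem (your CA, as on the page) exist in the working directory.

# Step 1: extension file the CA applies to the BMC server certificate.
# subjectAltName = IP:<bmc_ip> is mandatory.
make_ext_file() {        # make_ext_file <outfile> <bmc_ip>
    printf 'basicConstraints = CA:FALSE\n' > "$1"
    printf 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n' >> "$1"
    printf 'subjectAltName = IP:%s\n' "$2" >> "$1"
}

# Step 2: subject JSON for CertificateService.GenerateCSR (same fields as the page).
make_csr_json() {        # make_csr_json <outfile> <cn> <country> <state> <city> <org> <ou>
    cat > "$1" <<EOF
{
  "City": "$5",
  "CertificateCollection": {
    "@odata.id": "/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/"
  },
  "CommonName": "$2",
  "Country": "$3",
  "Organization": "$6",
  "OrganizationalUnit": "$7",
  "State": "$4",
  "KeyPairAlgorithm": "EC"
}
EOF
}

# Step 3 (reply handling): take CSRString out of the BMC reply and turn the JSON
# "\n" escapes back into real newlines so openssl can parse the PEM request.
extract_csr() {          # extract_csr <response.json> <out.csr>
    tr -d '\n' < "$1" \
      | sed -n 's/.*"CSRString": *"\([^"]*\)".*/\1/p' \
      | awk '{ gsub(/\\n/, "\n"); print }' > "$2"
    grep -q 'BEGIN CERTIFICATE REQUEST' "$2"   # fail if the reply held no CSR
}

# Step 4: sign with your CA, applying the extensions (the page's openssl command).
sign_csr() {             # sign_csr <in.csr> <ca_cert> <ca_key> <extfile> <out.crt>
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -out "$5" -days 3650 -sha384 -extfile "$4"
}

# Check before uploading: all three extensions from step 1 must be present.
verify_cert_extensions() {   # verify_cert_extensions <cert.pem> <bmc_ip>
    local text
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'CA:FALSE' || return 1
    printf '%s\n' "$text" | grep -q 'Digital Signature' || return 1
    printf '%s\n' "$text" | grep -q "IP Address:$2" || return 1
}

# Step 5: wrap the signed PEM as the ReplaceCertificate payload; PEM lines are
# joined with a literal backslash-n so the certificate is one JSON string.
make_cert_json() {       # make_cert_json <cert.pem> <out.json>
    local pem
    pem=$(awk 'BEGIN { ORS = "" } NR > 1 { print "\\n" } { print }' "$1")
    cat > "$2" <<EOF
{
  "CertificateString": "$pem",
  "CertificateType": "PEM",
  "CertificateUri": {
    "@odata.id": "/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/1"
  }
}
EOF
}

# Redfish calls from the page. -k is unavoidable while the BMC still presents its
# factory certificate; once the new one is installed, switch to --cacert CA-cert.pem.
bmc_generate_csr() {     # bmc_generate_csr <csr_subject.json> <response.json>
    curl -sk -u root:"$BMC_PASS" -H "Content-Type: application/json" -X POST \
      "https://$BMC_IP/redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR" \
      -d @"$1" -o "$2"
}
bmc_replace_cert() {     # bmc_replace_cert <certificate.json>  (Content-Type header is this example's addition)
    curl -sk -u root:"$BMC_PASS" -H "Content-Type: application/json" -X POST \
      "https://$BMC_IP/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate" \
      -d @"$1"
}

# Steps 1-6 in order; stops at the first failure so a bad cert is never uploaded.
rotate_bmc_cert() {      # rotate_bmc_cert <common_name> <org>   e.g. rotate_bmc_cert bmc0123456789.mycompany.com ACME
    make_ext_file extfile.txt "$BMC_SAN_IP" &&
    make_csr_json csr_file.json "$1" "US" "California" "Santa Clara" "$2" "BMC" &&
    bmc_generate_csr csr_file.json csr_response.json &&
    extract_csr csr_response.json bmc.csr &&
    sign_csr bmc.csr CA-cert.pem CA-key.pem extfile.txt bmc.crt &&
    verify_cert_extensions bmc.crt "$BMC_SAN_IP" &&
    make_cert_json bmc.crt certificate.json &&
    bmc_replace_cert certificate.json
}
```

After rotate_bmc_cert completes, the BMC should be reachable without `-k`: `curl --cacert CA-cert.pem https://$BMC_IP/redfish/v1/CertificateService/CertificateLocations` only succeeds if the IP you connect to matches the subjectAltName placed in the certificate, which is why BMC_SAN_IP must be the address clients actually use.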