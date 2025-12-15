
Redfish Certificate Management
Certificate management actions—such as retrieving certificate information or performing atomic certificate replacement—are accessible through the CertificateService resource. The CertificateLocations resource provides an inventory of all certificates managed by the service. For additional details, refer to the Redfish Certificate Management White Paper.
Getting Certificate Locations
Inventory of all certificates the service is managing.
curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/CertificateService/CertificateLocations
List Root CA
curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/Truststore/Certificates
Getting Certificate Information
curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/Truststore/Certificates/<number>
Installing Root CA Certificate
curl -k -u root:'<password>' -X POST https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/Truststore/Certificates -d @rootca.json
Replacing Existing Root CA Certificate
curl -k -u root:'<password>' -X PATCH https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/Truststore/Certificates/1 -d @rootca.json
Root CA Certificate Creation and Replacement
Generate Root CA certificate:
cat > root-ca.cnf << EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = <country>
ST = <state>
L = <location>
O = OpenBMC
OU = bmcweb
CN = <common_name>

[v3_req]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Generate root CA key
openssl genrsa -out root-ca-key.pem <key_size>

# Generate root CA certificate
openssl req -x509 -new -nodes \
  -key root-ca-key.pem \
  -sha256 -days <validity_days> \
  -out root-ca-cert.pem \
  -config root-ca.cnf \
  -extensions v3_req
Create a JSON file (rootca.json) containing the root CA certificate to add:
{ "CertificateString": "<cert_string>", "CertificateType": "PEM" }
Install the root CA certificate (more than one root CA certificate can be installed):
curl -k -u root:'<password>' -X POST https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/Truststore/Certificates -d @rootca.json
Getting Certificate Information
curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/1
Replacing Existing Certificate
curl -k -u root:'<password>' -X POST https://<bmc_ip>/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate -d @certificate.json
Generating CSR
Generate certificate signing request (CSR):
curl -k -u root:'<password>' -H "Content-Type: application/json" -X POST https://<bmc_ip>/redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR -d @csr_file.json
Installing Certificate
curl -k -u root:'<password>' -H "Content-Type: application/octet-stream" -X POST https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates -d @certificate.json
Example for CSR Generation, Certificate Creation and Replacement
Configure your CA to include at least the following extensions for the signed TLS server certificates:
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = IP:192.168.240.1
Note: The extension subjectAltName = IP:192.168.240.1 is mandatory.
Create a JSON containing the subject data for the BlueField BMC to use when creating the CSR. For example:
{ "City": "<city>", "CertificateCollection": { "@odata.id": "/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/" }, "CommonName": "bmc0123456789.mycompany.com", "Country": "<country>", "Organization": "<company_name>", "OrganizationalUnit": "<my_org>", "State": "<state>", "KeyPairAlgorithm": "EC" }
Generate a certificate signing request using the fourth command in the table above and the JSON file created in the previous step.
Info: The BMC replies with a JSON containing the CSR.
curl -k -u root:'<password>' -H "Content-Type: application/json" -X POST https://<bmc_ip>/redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR -d @csr_file.json { "CSRString": "-----BEGIN CERTIFICATE REQUEST-----\<CSR_DATA>\n-----END CERTIFICATE REQUEST-----\n", "CertificateCollection": { "@odata.id": "/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/" } }
Extract the CSR string from the JSON and sign the CSR using your CA. For example, this is how to include the required extensions to the signed TLS server certificates:
openssl x509 -req -in bmc.csr -CA CA-cert.pem -CAkey CA-key.pem -CAcreateserial -out bmc.crt -days 3650 -sha384 -extfile extfile.txt
Where:
- bmc.csr contains the CSR string from the previous step
- CA-cert.pem contains the CA certificate to be used to sign the CSR
- CA-key.pem contains the CA private key
- extfile.txt contains the extensions mentioned in the first step (basicConstraints, keyUsage, and subjectAltName)
- bmc.crt is the output file which will contain the BMC certificate signed by the CA
Create a JSON file for the BlueField BMC signed TLS server certificate data:
{ "CertificateString": "-----BEGIN CERTIFICATE-----\n<bmc.crt-data>\n-----END CERTIFICATE-----", "CertificateType": "PEM", "CertificateUri": { "@odata.id": "/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/1" } }
Replace the BMC certificate using the third command in the table above and the JSON created in the previous step.
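Both the root CA install earlier on this page (a body with CertificateString and no CertificateUri) and the CSR, sign and replace sequence above need the PEM text folded into the single JSON string value Redfish expects, with every line break written as the two characters \n, and the CSR recovered from the GenerateCSR reply in the opposite direction. The helpers below are an added example, not code from the NVIDIA page or from the BlueField BMC software. They assume the environment variables BMC_IP, BMC_USER and BMC_PASSWORD, reuse the file names used on this page (rootca.json, csr_file.json, bmc.csr, bmc.crt, CA-cert.pem, CA-key.pem, extfile.txt, certificate.json), introduce one more, csr_response.json, for the saved reply, and need only POSIX sh, awk, sed, curl and openssl. The two openssl checks in the last function (verify the CSR before signing, print the extensions of the signed certificate before pushing it) are additions that catch a malformed CSR or a missing subjectAltName before the BMC ever sees the certificate.

```shell
#!/bin/sh
# Added example (not BlueField BMC or NVIDIA code): build Redfish certificate JSON bodies
# from PEM files, recover the CSR from a GenerateCSR reply, then run the page's flow.
# Assumed: BMC_IP, BMC_USER and BMC_PASSWORD are set; file names follow the page above.

# Join a PEM file into one JSON string value. PEM bodies are base64 plus the
# "-----BEGIN/END-----" lines, so only the line breaks need escaping, as a literal \n.
pem_to_json_string() {
    first=1
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$first" -eq 1 ]; then first=0; else printf '\\n'; fi
        printf '%s' "$line"
    done < "$1"
}

# $1 = PEM file, $2 = optional CertificateUri @odata.id.
# Without $2 this is the Truststore POST body (root CA install); with $2 it is the
# body for CertificateService.ReplaceCertificate.
make_cert_json() {
    cert=$(pem_to_json_string "$1")
    if [ -n "$2" ]; then
        printf '{ "CertificateString": "%s", "CertificateType": "PEM", "CertificateUri": { "@odata.id": "%s" } }\n' "$cert" "$2"
    else
        printf '{ "CertificateString": "%s", "CertificateType": "PEM" }\n' "$cert"
    fi
}

# $1 = file holding the GenerateCSR reply. Prints the CSR as PEM: the CSRString value
# is cut out with sed and its escaped \n sequences are turned back into real newlines.
csr_from_response() {
    tr -d '\n' < "$1" \
      | sed -n 's/.*"CSRString"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
      | awk '{ gsub(/\\n/, "\n"); printf "%s", $0 }'
}

# Root CA install from the page, with the body generated from root-ca-cert.pem.
install_root_ca() {
    make_cert_json root-ca-cert.pem > rootca.json
    curl -k -u "$BMC_USER:$BMC_PASSWORD" -X POST \
        "https://$BMC_IP/redfish/v1/Managers/Bluefield_BMC/Truststore/Certificates" -d @rootca.json
}

# CSR -> sign -> replace, as in the steps above, with two local checks added:
# the CSR must parse and verify before it is signed, and the signed certificate's
# subjectAltName, basicConstraints and keyUsage are printed before it is pushed.
replace_bmc_https_cert() {
    curl -k -u "$BMC_USER:$BMC_PASSWORD" -H "Content-Type: application/json" -X POST \
        "https://$BMC_IP/redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR" \
        -d @csr_file.json > csr_response.json
    csr_from_response csr_response.json > bmc.csr
    openssl req -in bmc.csr -noout -verify
    openssl x509 -req -in bmc.csr -CA CA-cert.pem -CAkey CA-key.pem -CAcreateserial \
        -out bmc.crt -days 3650 -sha384 -extfile extfile.txt
    openssl x509 -in bmc.crt -noout -ext subjectAltName,basicConstraints,keyUsage
    make_cert_json bmc.crt "/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/1" \
        > certificate.json
    curl -k -u "$BMC_USER:$BMC_PASSWORD" -X POST \
        "https://$BMC_IP/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate" \
        -d @certificate.json
}
```

Source the file and call install_root_ca or replace_bmc_https_cert; the three helper functions do no network I/O, so they can be exercised on any PEM file and on a saved reply before the flow is run against a BMC.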
