NVIDIA BlueField BMC Software v25.10-LTSU1 (2025 LTS U1)
Date: 2025-12-15
Redfish Certificate Management

Certificate management actions—such as retrieving certificate information or performing atomic certificate replacement—are accessible through the CertificateService resource.

The CertificateLocations resource provides an inventory of all certificates managed by the service.

For additional details, refer to the Redfish Certificate Management White Paper.

Common Certificate Management Commands

Getting Certificate Locations

Inventory of all certificates the service is managing.

curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/CertificateService/CertificateLocations


Root CA Management Commands

List Root CA

curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/Truststore/Certificates


Getting Certificate Information

curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/Truststore/Certificates/<number>


Installing Root CA Certificate

curl -k -u root:'<password>' -X POST https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/Truststore/Certificates -d @rootca.json


Replacing Existing Root CA Certificate

curl -k -u root:'<password>' -X PATCH https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/Truststore/Certificates/1 -d @rootca.json


Root CA Certificate Creation and Replacement

  1. Generate Root CA certificate:

# Write the OpenSSL config for the root CA (the heredoc body must not be indented)
cat > root-ca.cnf << EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = <country>
ST = <state>
L = <location>
O = OpenBMC
OU = bmcweb
CN = <common_name>

[v3_req]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Generate root CA key
openssl genrsa -out root-ca-key.pem <key_size>

# Generate self-signed root CA certificate, applying the v3_req extensions (CA:true)
openssl req -x509 -new -nodes \
    -key root-ca-key.pem \
    -sha256 -days <validity_days> \
    -out root-ca-cert.pem \
    -config root-ca.cnf \
    -extensions v3_req

  2. Create a JSON file (rootca.json) for adding the root CA certificate. The CertificateString value is the PEM content of root-ca-cert.pem with line breaks encoded as \n:

    {
        "CertificateString": "<cert_string>",
        "CertificateType": "PEM"
    }

  3. Install the root CA certificate (more than one root CA can be installed):

    curl -k -u root:'<password>' -X POST https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/Truststore/Certificates -d @rootca.json

Server Certificate Management Commands

Getting Certificate Information

curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/1


Replacing Existing Certificate

curl -k -u root:'<password>' -X POST https://<bmc_ip>/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate -d @certificate.json


Generating CSR

Generate certificate signing request (CSR):

curl -k -u root:'<password>' -H "Content-Type: application/json" -X POST https://<bmc_ip>/redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR -d @csr_file.json


Installing Certificate

curl -k -u root:'<password>' -H "Content-Type: application/octet-stream" -X POST https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates -d @certificate.json


Example for CSR Generation, Certificate Creation and Replacement

  1. Configure your CA to include at least the following extensions in the signed TLS server certificates:

    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = IP:192.168.240.1

    Note

    The extension subjectAltName = IP:192.168.240.1 is mandatory.

  2. Create a JSON containing the subject data for the BlueField BMC to use when creating the CSR. For example:

    {
        "City": "<city>",
        "CertificateCollection": {
            "@odata.id": "/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/"
        },
        "CommonName": "bmc0123456789.mycompany.com",
        "Country": "<country>",
        "Organization": "<company_name>",
        "OrganizationalUnit": "<my_org>",
        "State": "<state>",
        "KeyPairAlgorithm": "EC"
    }

  3. Generate a certificate signing request using the fourth command listed above (Generating CSR) and the JSON file created in the previous step:

    Info

    The BMC replies with a JSON containing the CSR.

    curl -k -u root:'<password>' -H "Content-Type: application/json" -X POST https://<bmc_ip>/redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR -d @csr_file.json
    {
      "CSRString": "-----BEGIN CERTIFICATE REQUEST-----\n<CSR_DATA>\n-----END CERTIFICATE REQUEST-----\n",
      "CertificateCollection": {
        "@odata.id": "/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/"
      }
    }

  4. Extract the CSR string from the JSON and sign the CSR using your CA. For example, this is how to include the required extensions in the signed TLS server certificate:

    openssl x509 -req -in bmc.csr -CA CA-cert.pem -CAkey CA-key.pem -CAcreateserial -out bmc.crt -days 3650 -sha384 -extfile exfile.txt

    Where:

    • bmc.csr contains the CSR string from the previous step

    • CA-cert.pem contains the CA certificate to be used to sign the CSR

    • CA-key.pem contains the CA private key

    • extfile.txt contains the extensions mentioned in the first step (basicConstraints, keyUsage, and subjectAltName)

    • bmc.crt is the output file which will contain the BMC certificate signed by the CA

  5. Create a JSON file for the BlueField BMC signed TLS server certificate data:

    {
        "CertificateString": "-----BEGIN CERTIFICATE-----\n<bmc.crt-data>\n-----END CERTIFICATE-----",
        "CertificateType": "PEM",
        "CertificateUri":
        {
            "@odata.id": "/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/1"
        }
    }

  6. Replace the BMC certificate using the third command listed above (Replacing Existing Certificate) and the JSON created in the previous step:

    curl -k -u root:'<password>' -X POST https://<bmc_ip>/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate -d @certificate.json
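The two hand-written payloads on this page (rootca.json in the root CA procedure and certificate.json in the CSR procedure) and the GenerateCSR reply all carry PEM data inside a single JSON string, so line endings have to be turned into \n escapes and back. The Python helper below is an added example, not an NVIDIA tool; it assumes only the payload shapes documented above, and the function names and the sample PEM and reply strings are constructed for illustration.

```python
"""Build and parse the Redfish certificate JSON shown on this page (added example).

Assumptions: payload shapes as documented above; the function names and the
sample PEM/reply strings below are constructed for illustration only.
"""
import json

# Target of the ReplaceCertificate action for the BMC HTTPS certificate (from the page).
HTTPS_CERT_URI = "/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/1"


def pem_to_certificate_string(pem_text: str) -> str:
    """Normalise a PEM block (CRLF, indentation, blank lines) to the '\\n'-joined
    form that json.dumps() escapes into a valid CertificateString."""
    lines = [ln.strip() for ln in pem_text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("-----BEGIN") or not lines[-1].startswith("-----END"):
        raise ValueError("input is not a single PEM block")
    return "\n".join(lines) + "\n"


def rootca_payload(pem_text: str) -> str:
    """rootca.json for POST .../Truststore/Certificates (root CA procedure, step 2)."""
    return json.dumps({"CertificateString": pem_to_certificate_string(pem_text),
                       "CertificateType": "PEM"}, indent=2)


def replace_payload(pem_text: str, cert_uri: str = HTTPS_CERT_URI) -> str:
    """certificate.json for CertificateService.ReplaceCertificate (CSR procedure, step 5)."""
    return json.dumps({"CertificateString": pem_to_certificate_string(pem_text),
                       "CertificateType": "PEM",
                       "CertificateUri": {"@odata.id": cert_uri}}, indent=2)


def csr_from_reply(reply_text: str) -> str:
    """Pull the CSR out of the GenerateCSR reply, ready to be written to bmc.csr (step 4)."""
    csr = json.loads(reply_text)["CSRString"]
    if "-----BEGIN CERTIFICATE REQUEST-----" not in csr:
        raise ValueError("reply does not carry a CSR")
    return pem_to_certificate_string(csr)


# Constructed sample inputs: not real certificates or requests.
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\r\n  MIIBsampleOnly==\r\n-----END CERTIFICATE-----\r\n"
SAMPLE_REPLY = json.dumps({
    "CSRString": "-----BEGIN CERTIFICATE REQUEST-----\nMIIBsampleCsr==\n-----END CERTIFICATE REQUEST-----\n",
    "CertificateCollection": {"@odata.id": HTTPS_CERT_URI.rsplit("/", 1)[0] + "/"},
})

if __name__ == "__main__":
    print(rootca_payload(SAMPLE_CERT_PEM))       # body for `-d @rootca.json`
    print(csr_from_reply(SAMPLE_REPLY), end="")  # contents of bmc.csr
    print(replace_payload(SAMPLE_CERT_PEM))      # body for `-d @certificate.json`
```

Feed the output of rootca_payload() or replace_payload() to the matching curl command above in place of the hand-edited file; csr_from_reply() turns the captured reply into the bmc.csr input for the openssl x509 -req signing step.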

