History log of /openbmc/bmcweb/scripts/generate_auth_certificates.py (Results 1 – 3 of 3)
Revision Date Author Comments
# 7b9e2569 07-Apr-2024 Ed Tanous <ed@tanous.net>

Fix generate auth certs

bmcs might not have the correct time, so allow certificates for 100
years starting from epoch. As is, the script makes the certificate
valid for now + 10 years. After changes make the script valid from
epoch (1970) to 100 years later (2070).

This makes the script run to completion against a qemu instance of the
bmc.

Additional changes include detecting if a CA key is already present, to
not rewrite it. This allows installing a CA certificate on test
machines once, and using it to authenticate forever.

Additionally, add "alternative names" support, for pointing to a bmc at
localhost, or on the default qemu port, which allows these things to
work by default in those scenarios.

Lastly, change the directory to use a path relative to the script path,
instead of relative to current path when generating certificates. This
ensures that certs are always generated in the same place, which helps
when a CA is reused.

Tested: Script runs to completion without errors.

Change-Id: Ia5c31041dd5cb193b897bf1f7bae3cd9767656d0
Signed-off-by: Ed Tanous <ed@tanous.net>


# 4c8c12d2 29-Jan-2024 Ed Tanous <ed@tanous.net>

Reformat scripts

Change-Id: Ie8fb9f9733e75b887b14516cfa12f662aa5d3a82
Signed-off-by: Ed Tanous <ed@tanous.net>


# 47af8321 21-Jul-2023 Alex Schendel <alex.schendel@intel.com>

scripts: Script to autogenerate TLS certs

This script autogenerates:
1. Self-signed CA certificate/key pair
2. Server certificate/key pair
3. Client certificate/key pair
4. PKCS12 archive to store client certificate/key pair

These files are all generated and then stored in a local ./certs
directory.

Following this, they are added to the BMC over Redfish.

Then, the script attempts to use the client certificate/key pair to
access a Redfish url with permissions while not providing username or
password.

If this succeeds, then it generates the PKCS12 archive file and directs
the user to import it into a browser if they wish to test webui or would
prefer to do any testing in browser rather than over curl or similar
data transfer tools for HTTP.

Tested:
Monitored output to ensure that each step succeeded and once the PKCS12
archive file was generated, imported it into a browser and accessed a
redfish url with permissions while not being redirected to the login
route.

Change-Id: Ie8a393feb472281d1865e52bddbdb58edbf5b071
Signed-off-by: Alex Schendel <alex.schendel@intel.com>
