designs/management-console/VMI_Certificate_Exchange.md

1 # VMI Certificate Exchange
30 BMC needs to provide certificate exchange functionality to management console
39 and gets the signed certificate and the CA certificate from VMI. This design
53   self-signed root certificate is created using this key pair.
55   its self-signed certificate to sign CSR from client.
61 BMC will provide an interface for management console to exchange certificate
67 certificate and Root CA certificate via proposed BMC interface.
72 HMC can query BMC state and use this API to initiate certificate exchange.If HMC
106 ### VMI certificate exchange
111 #### Get Signed certificate:
113 REST command to get signed client certificate from VMI
122 Response: This will return the certificate string which contains signed client
123 certificate
127    “Certificate”: "<certificate string>"
132 #### Get Root certificate:
134 REST command to get VMI root certificate
139 curl -k -H "X-Auth-Token:  <token>" -X GET http://{BMC_IP}/ibm/v1/Host/Certificate/root
142 Response: This will return the certificate string which contains and root CA
143 certificate.
147    “Certificate”: "<certificate string>"
156 Have gone through existing BMC certificate management infrastructure if we can
161 - Certificate Signing Request CSR is a message sent from an applicant to a
162   certificate authority in order to apply for a digital identity certificate.
163 - The user calls CSR interface BMC creates new private key and CSR Certificate
165 - CSR certificate is passed onto the CA to sign the certificate and then upload
166   CSR signed certificate and install the certificate.
170 - Our existing BMC certificate manager/service have interfaces to generate CSR,
173 - In VMI certificate exchange, requirement for BMC is to provide an interface
174   for management console to get CSR certificate signed by VMI (CA).
175 - We don’t have any existing certificate manager interface to forward CSR
178   return signed certificate and Root CA certificate.
179 - This requirement is out of scope for existing certificate manager so proposing
223   certificate from '/var/lib/bmcweb/RootCert' file.This API can handle muptiple
225 - PLDM gets root certificate as soon as VMI boots and it writes to
236 - Once PLDM on BMC gets the client certificate from VMI, it updates the
240   returns certificate string.This interface calls SignCSR dbus method and looks
242   property content and return certificate string.
244   deleted before returning certificate string to client.
245 - BMC is passthrough which allows certificate exchange between VMI and HMC. BMC
253 - Test the interface command from a management console and verify if certificate
257 - Certificate exchange fails in the following scenarios
260   - If PHYP throws error for certificate validation. This interface returns
263 - If there are issues like certificate expiry, revocation, incorrect date/time