docs/security/TLS-configuration.md

20 For a certificate to be marked as valid, it (and every certificate in the chain)
26   certificate and `serverAuth` for server certificate (see rfc 3280 4.2.1.13)
28 - certificate has to be in its validity period
30 - has to be properly signed by certificate authority
31 - certificate is well-formed according to X.509
32 - issuer name has to match CA's subject name for client certificate
98 these files no extensions are added to the certificate.
118 ### Create a new CA certificate
120 First we need to create a private key to sign the CA certificate.
126 Now we can create a CA certificate, using the previously generated key. You will
127 be prompted for information which will be incorporated into the certificate,
134 ### Create client certificate signed by given CA certificate
136 To create a client certificate, a signing request must be created first. For
139 Generate a new key that will be used to sign the certificate signing request:
145 Generate a certificate signing request.
149 certificate. In this example, use **root**.
155 Sign the certificate using your `CA-cert.pem` certificate with following
162 The file `client-cert.pem` now contains a signed client certificate.
164 ### Create server certificate signed by given CA certificate
167 [Create a new CA certificate](#Create-a-new-CA-certificate), although a
170 Generate a new key that will be used to sign the server certificate signing
177 Generate a certificate signing request. You will be prompted for the same
180 certificate. In this example it will be `bmc.example.com`. A wildcard can be
181 used to protect multiple host, for example a certificate configured for
189 Sign the certificate using your `CA-cert.pem` certificate with following
196 The file `server-cert.pem` now contains a signed server certificate.
332 ## Installing CA certificate on OpenBMC
334 The CA certificate can be installed via Redfish Service. The file `CA-cert.pem`
350 To install the CA certificate on the OpenBMC server post the content of
364 After successful certificate installation you should get positive HTTP response
365 and a new certificate should be available under this resource collection.
372 An auto-generated self-signed server certificate is already present on OpenBMC
373 by default. To use the certificate signed by our CA it must be replaced.
375 server certificate. A proper message mody can be prepared the with this command:
390 To replace the server certificate on the OpenBMC server post the content of
427 If TLS is enabled, valid CA certificate was uploaded and the server certificate
429 certificate, key, and CA like below.
446 - Attempting to load the same certificate twice will end up with an error.