docs/security/TLS-configuration.md

14 certificates signed by a CA that can be used to authenticate user requests to an
32 - issuer name has to match CA's subject name for client certificate
118 ### Create a new CA certificate
120 First we need to create a private key to sign the CA certificate.
123 openssl genrsa -out CA-key.pem 2048
126 Now we can create a CA certificate, using the previously generated key. You will
131 openssl req -new -config openssl-client.cnf -key CA-key.pem -x509 -days 1000 -out CA-cert.pem
134 ### Create client certificate signed by given CA certificate
147 You will be prompted for the same information as during CA generation, but
155 Sign the certificate using your `CA-cert.pem` certificate with following
159 …n -extfile myext-client.cnf -days 365 -in signingReqClient.csr -CA CA-cert.pem -CAkey CA-key.pem -…
164 ### Create server certificate signed by given CA certificate
166 For convenience we will use the same CA generated in paragraph
167 [Create a new CA certificate](#Create-a-new-CA-certificate), although a
178 information as during CA generation, but provide **the fully qualified domain
189 Sign the certificate using your `CA-cert.pem` certificate with following
193 …n -extfile myext-server.cnf -days 365 -in signingReqServer.csr -CA CA-cert.pem -CAkey CA-key.pem -…
204 openssl x509 -in CA-cert.pem -text -noout
215 - `Issuer` in `client-cert.pem`, it must match to `Subject` in `CA-cert.pem`,
228 CA-cert.pem
233         Issuer: C=US, ST=California, L=San Francisco, O=Intel, CN=Test CA
237         Subject: C=US, ST=California, L=San Francisco, O=Intel, CN=Test CA
254                 CA:TRUE
268         Issuer: C=US, ST=California, L=San Francisco, O=Intel, CN=Test CA
323                 keyid:5B:1D:0E:76:CC:54:B8:BF:AE:46:10:43:6F:79:0B:CA:14:5C:E0:90
332 ## Installing CA certificate on OpenBMC
334 The CA certificate can be installed via Redfish Service. The file `CA-cert.pem`
344   "CertificateString":"$(cat CA-cert.pem | sed -n -e '1h;1!H;${x;s/\n/\\n/g;p;}')",
350 To install the CA certificate on the OpenBMC server post the content of
373 by default. To use the certificate signed by our CA it must be replaced.
427 If TLS is enabled, valid CA certificate was uploaded and the server certificate
429 certificate, key, and CA like below.
432 curl --cert client-cert.pem --key client-key.pem -vvv --cacert CA-cert.pem https://${bmc}/redfish/v…