xref: /openbmc/docs/security/TLS-configuration.md (revision 735d3187fead258ddc18d926a5f82c87871e513d)
# How to configure the server TLS certificates for authentication

Author: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>

Created: May 8, 2020

Related documents:

- [Redfish TLS User Authentication](https://github.com/openbmc/docs/blob/master/designs/redfish-tls-user-authentication.md)

## Introduction

With the help of this guide you should be able to create both client and server
certificates signed by a CA that can be used to authenticate user requests to an
OpenBMC server. You will also learn how to enable and test OpenBMC TLS
authentication.

## Certificates

For a certificate to be marked as valid, it (and every certificate in the chain)
has to meet these conditions:

- `KeyUsage` contains the required purposes `digitalSignature` and
  `keyAgreement` (see RFC 3280 4.2.1.3)
- `ExtendedKeyUsage` contains the required purpose `clientAuth` for a client
  certificate and `serverAuth` for a server certificate (see RFC 3280 4.2.1.13)
- the public key meets the minimal bit length requirement
- the certificate is within its validity period
- the `notBefore` and `notAfter` fields contain a valid time
- it is properly signed by the certificate authority
- the certificate is well-formed according to X.509
- the issuer name matches the CA's subject name for a client certificate
- the issuer name matches the fully qualified domain name of your OpenBMC host
  for a server certificate

If you already have certificates you can skip to
[Enable TLS authentication](#Enable-TLS-authentication) or go to
[Verify certificates](#Verify-certificates) and check whether they meet the
above requirements.
### Prepare configuration files

To generate certificates with the required parameters some modifications must
be made to the default openssl configuration file.

First create a new folder named `ca` and create a configuration file using the
default configuration as a template (we do not want to change the original one).
The location of the configuration file may vary depending on the operating
system. For Ubuntu it is usually `/usr/lib/ssl/openssl.cnf`, but it can also be
at `/etc/ssl/openssl.cnf`. For Cygwin it might be
`/etc/defaults/etc/pki/tls/openssl.cnf` or `/etc/pki/tls/openssl.cnf`.

```
mkdir ~/ca
cd ~/ca
cp /usr/lib/ssl/openssl.cnf openssl-client.cnf
```

Then open the client `~/ca/openssl-client.cnf` file in your favorite editor, for
example `vi`.

```
vi ~/ca/openssl-client.cnf
```

Find the sections listed below and add or choose the presented values.

```
[ req ]
req_extensions = v3_req

[ usr_cert ]
extendedKeyUsage = clientAuth

[ v3_req ]
extendedKeyUsage = clientAuth
keyUsage = digitalSignature, keyAgreement
```

Now create a server configuration `openssl-server.cnf` by copying the client
file

```
cp ~/ca/openssl-client.cnf openssl-server.cnf
```

and changing the values presented in the sections listed below.

```
[ usr_cert ]
extendedKeyUsage = serverAuth

[ v3_req ]
extendedKeyUsage = serverAuth
```

Create two additional configuration files `myext-client.cnf` and
`myext-server.cnf` for the client and server certificates respectively. Without
these files no extensions are added to the certificate.

```
cat << END > myext-client.cnf
[ my_ext_section ]
keyUsage = digitalSignature, keyAgreement
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid
END
```

```
cat << END > myext-server.cnf
[ my_ext_section ]
keyUsage = digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid
END
```

### Create a new CA certificate

First we need to create a private key to sign the CA certificate.

```
openssl genrsa -out CA-key.pem 2048
```

Now we can create a CA certificate using the previously generated key. You will
be prompted for information which will be incorporated into the certificate,
such as Country, City, Company Name, etc.

```
openssl req -new -config openssl-client.cnf -key CA-key.pem -x509 -days 1000 -out CA-cert.pem
```

### Create client certificate signed by given CA certificate

To create a client certificate, a signing request must be created first. For
this another private key will be needed.

Generate a new key that will be used to sign the certificate signing request:

```
openssl genrsa -out client-key.pem 2048
```

Generate a certificate signing request.

You will be prompted for the same information as during CA generation, but
provide **the OpenBMC system user name** for the `CommonName` attribute of this
certificate. In this example, use **root**.

```
openssl req -new -config openssl-client.cnf -key client-key.pem -out signingReqClient.csr
```

Sign the certificate using your `CA-cert.pem` certificate with the following
command:

```
openssl x509 -req -extensions my_ext_section -extfile myext-client.cnf -days 365 -in signingReqClient.csr -CA CA-cert.pem -CAkey CA-key.pem -CAcreateserial -out client-cert.pem
```

The file `client-cert.pem` now contains a signed client certificate.

### Create server certificate signed by given CA certificate

For convenience we will use the same CA generated in paragraph
[Create a new CA certificate](#Create-a-new-CA-certificate), although a
different one could be used.

Generate a new key that will be used to sign the server certificate signing
request:

```
openssl genrsa -out server-key.pem 2048
```

Generate a certificate signing request. You will be prompted for the same
information as during CA generation, but provide **the fully qualified domain
name of your OpenBMC server** for the `CommonName` attribute of this
certificate. In this example it will be `bmc.example.com`. A wildcard can be
used to protect multiple hosts; for example, a certificate configured for
`*.example.com` will secure www.example.com, as well as mail.example.com,
blog.example.com, and others.

```
openssl req -new -config openssl-server.cnf -key server-key.pem -out signingReqServer.csr
```

Sign the certificate using your `CA-cert.pem` certificate with the following
command:

```
openssl x509 -req -extensions my_ext_section -extfile myext-server.cnf -days 365 -in signingReqServer.csr -CA CA-cert.pem -CAkey CA-key.pem -CAcreateserial -out server-cert.pem
```

The file `server-cert.pem` now contains a signed server certificate.

### Verify certificates

To verify the signing requests and all three certificates you can use the
following commands.

```
openssl x509 -in CA-cert.pem -text -noout
openssl x509 -in client-cert.pem -text -noout
openssl x509 -in server-cert.pem -text -noout
openssl req -in signingReqClient.csr -noout -text
openssl req -in signingReqServer.csr -noout -text
```

Below are example listings that you can compare with your results. Pay special
attention to attributes like:

- Validity in both certificates,
- `Issuer` in `client-cert.pem`, it must match `Subject` in `CA-cert.pem`,
- Section _X509v3 extensions_ in `client-cert.pem`, it should contain the proper
  values,
- `Public-Key` length, it cannot be less than 2048 bits,
- `Subject` CN in `client-cert.pem`, it should match an existing OpenBMC user
  name. In this example it is **root**.
- `Subject` CN in `server-cert.pem`, it should match the OpenBMC host name. In
  this example it is **bmc.example.com**. (see RFC 3280 4.2.1.11 for name
  constraints)

Below are fragments of the generated certificates that you can compare with.

```
CA-cert.pem
    Data:
        Version: 3 (0x2)
        Serial Number: 16242916899984461675 (0xe16a6edca3c34f6b)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=San Francisco, O=Intel, CN=Test CA
        Validity
            Not Before: May 11 11:40:48 2020 GMT
            Not After : Feb  5 11:40:48 2023 GMT
        Subject: C=US, ST=California, L=San Francisco, O=Intel, CN=Test CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d4:24:c1:1d:ac:85:8c:5b:42:e4:f8:a8:d8:7c:
                    ...
                    55:83:8b:aa:ac:ac:6e:e3:01:2b:ce:f7:ee:87:21:
                    f9:2b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                ED:FF:80:A7:F8:DA:99:7F:94:35:95:F0:92:74:1A:55:CD:DF:BA:FE
            X509v3 Authority Key Identifier:
                keyid:ED:FF:80:A7:F8:DA:99:7F:94:35:95:F0:92:74:1A:55:CD:DF:BA:FE

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         cc:8b:61:6a:55:60:2b:26:55:9f:a6:0c:42:b0:47:d4:ec:e0:
         ...
         45:47:91:62:10:bd:3e:a8:da:98:33:65:cc:11:23:95:06:1b:
         ee:d3:78:84
```

```
client-cert.pem
    Data:
        Version: 3 (0x2)
        Serial Number: 10150871893861973895 (0x8cdf2434b223bf87)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=San Francisco, O=Intel, CN=Test CA
        Validity
            Not Before: May 11 11:42:58 2020 GMT
            Not After : May 11 11:42:58 2021 GMT
        Subject: C=US, ST=California, L=San Francisco, O=Intel, CN=root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cf:d6:d0:a2:09:62:df:e9:a9:b1:e1:3d:7f:2f:
                    ...
                    30:7b:48:dc:c5:2c:3f:a9:c0:d1:b6:04:d4:1a:c8:
                    8a:51
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Authority Key Identifier:
                keyid:ED:FF:80:A7:F8:DA:99:7F:94:35:95:F0:92:74:1A:55:CD:DF:BA:FE

    Signature Algorithm: sha256WithRSAEncryption
         7f:a4:57:f5:97:48:2a:c4:8e:d3:ef:d8:a1:c9:65:1b:20:fd:
         ...
         25:cb:5e:0a:37:fb:a1:ab:b0:c4:62:fe:51:d3:1c:1b:fb:11:
         56:57:4c:6a
```

```
server-cert.pem
    Data:
        Version: 3 (0x2)
        Serial Number: 10622848005881387807 (0x936beffaa586db1f)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=z, L=z, O=z, OU=z, CN=bmc.example.com
        Validity
            Not Before: May 22 13:46:02 2020 GMT
            Not After : May 22 13:46:02 2021 GMT
        Subject: C=US, ST=z, L=z, O=z, OU=z, CN=bmc.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d9:34:9c:da:83:c6:eb:af:8f:e8:11:56:2a:59:
                    ...
                    92:60:09:fc:f9:66:82:d0:27:03:44:2f:9d:6d:c0:
                    a5:6d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Authority Key Identifier:
                keyid:5B:1D:0E:76:CC:54:B8:BF:AE:46:10:43:6F:79:0B:CA:14:5C:E0:90

    Signature Algorithm: sha256WithRSAEncryption
         bf:41:e2:2f:87:44:25:d8:54:9c:4e:dc:cc:b3:f9:af:5a:a3:
         ...
         ef:0f:90:a6
```
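
The comparison described above can be automated. The script below is an added
example and not part of the OpenBMC documentation: it parses the
`openssl x509 -text -noout` output shown in the listings (so it needs no
third-party X.509 library) and reports which of the requirements from the
[Certificates](#Certificates) section a certificate fails. The point in time is
a parameter, so the "invalid date and time on OpenBMC" mistake can be simulated
against a certificate that is otherwise fine. The embedded `CA_TEXT` and
`CLIENT_TEXT` samples are trimmed copies of the listings above, and the function
names `parse_cert_text` and `check_certificate` are this example's own.

```python
import re
from datetime import datetime

# openssl prints validity timestamps like "May 11 11:42:58 2020 GMT".
_TIME_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_cert_text(text):
    """Pull the checklist fields out of an `openssl x509 -text -noout` dump."""
    def field(label):
        # "Label: value" lines; note openssl writes "Not After : ..." with a space.
        m = re.search(r"^\s*" + re.escape(label) + r"\s*:\s*(.*?)\s*$", text, re.M)
        return m.group(1) if m else None

    def ext(name):
        # An extension's value sits on the line after its "X509v3 <Name>:" header.
        pat = r"^\s*X509v3 " + re.escape(name) + r":[^\n]*\n\s*([^\n]*?)\s*$"
        m = re.search(pat, text, re.M)
        return m.group(1) if m else ""

    def ext_list(name):
        return [v.strip() for v in ext(name).split(",") if v.strip()]

    not_before, not_after = field("Not Before"), field("Not After")
    if not_before is None or not_after is None:
        raise ValueError("validity period missing from certificate dump")
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    return {
        "issuer": field("Issuer"),
        "subject": field("Subject"),
        "not_before": datetime.strptime(not_before, _TIME_FMT),
        "not_after": datetime.strptime(not_after, _TIME_FMT),
        "key_bits": int(bits.group(1)) if bits else 0,
        "key_usage": ext_list("Key Usage"),
        "ext_key_usage": ext_list("Extended Key Usage"),
        "ski": ext("Subject Key Identifier"),
        "aki": ext("Authority Key Identifier"),
    }


def check_certificate(cert_text, ca_text, expected_cn, purpose, now):
    """Return the checklist items the certificate fails; an empty list means OK.

    purpose is "client" or "server". expected_cn is the OpenBMC user name for a
    client certificate or the BMC's FQDN for a server certificate. now is a
    datetime or a "YYYY-MM-DD" string, so a wrong BMC clock can be simulated.
    """
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d")
    cert, ca = parse_cert_text(cert_text), parse_cert_text(ca_text)
    eku_needed = {"client": "TLS Web Client Authentication",
                  "server": "TLS Web Server Authentication"}[purpose]
    cn = re.search(r"(?:^|,\s*)CN\s*=\s*([^,]+)", cert["subject"] or "")
    problems = []
    if not {"Digital Signature", "Key Agreement"} <= set(cert["key_usage"]):
        problems.append("KeyUsage lacks digitalSignature and/or keyAgreement")
    if eku_needed not in cert["ext_key_usage"]:
        problems.append("ExtendedKeyUsage lacks " + eku_needed)
    if cert["key_bits"] < 2048:
        problems.append("public key shorter than 2048 bits")
    if not cert["not_before"] <= now <= cert["not_after"]:
        problems.append("outside validity period (check the BMC clock too)")
    if cert["issuer"] != ca["subject"]:
        problems.append("issuer does not match the CA subject")
    if cert["aki"] != "keyid:" + ca["ski"]:
        problems.append("authorityKeyIdentifier does not point at this CA")
    if cn is None or cn.group(1).strip() != expected_cn:
        problems.append("subject CN is not %r" % expected_cn)
    return problems


# Constructed samples: trimmed copies of the CA-cert.pem and client-cert.pem
# listings above (not real certificates).
CA_TEXT = """\
        Issuer: C=US, ST=California, L=San Francisco, O=Intel, CN=Test CA
            Not Before: May 11 11:40:48 2020 GMT
            Not After : Feb  5 11:40:48 2023 GMT
        Subject: C=US, ST=California, L=San Francisco, O=Intel, CN=Test CA
                Public-Key: (2048 bit)
            X509v3 Subject Key Identifier:
                ED:FF:80:A7:F8:DA:99:7F:94:35:95:F0:92:74:1A:55:CD:DF:BA:FE
"""
CLIENT_TEXT = """\
        Issuer: C=US, ST=California, L=San Francisco, O=Intel, CN=Test CA
            Not Before: May 11 11:42:58 2020 GMT
            Not After : May 11 11:42:58 2021 GMT
        Subject: C=US, ST=California, L=San Francisco, O=Intel, CN=root
                Public-Key: (2048 bit)
            X509v3 Key Usage:
                Digital Signature, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Authority Key Identifier:
                keyid:ED:FF:80:A7:F8:DA:99:7F:94:35:95:F0:92:74:1A:55:CD:DF:BA:FE
"""

if __name__ == "__main__":
    # Real use: pass in the text from `openssl x509 -in client-cert.pem -text -noout`.
    print(check_certificate(CLIENT_TEXT, CA_TEXT, "root", "client", "2020-06-01") or "OK")
```

The issuer check is deliberately a plain string comparison of the two
distinguished names as openssl prints them, which is enough to catch a
certificate signed by a different CA than the one uploaded to the BMC; the
`authorityKeyIdentifier` check catches the same mistake when two CAs happen to
share a subject name.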

## Installing CA certificate on OpenBMC

The CA certificate can be installed via the Redfish service. The file
`CA-cert.pem` cannot be uploaded directly but must be sent embedded in a valid
JSON string, which requires that `\`, `"`, and control characters be escaped.
This means all content is placed in a single string on a single line by
encoding the line endings as `\n`. The command below prepares the whole POST
body and puts it into a file named `install_ca.json`.

```
cat << END > install_ca.json
{
  "CertificateString":"$(cat CA-cert.pem | sed -n -e '1h;1!H;${x;s/\n/\\n/g;p;}')",
  "CertificateType": "PEM"
}
END
```

To install the CA certificate on the OpenBMC server, post the content of
`install_ca.json` with the command below, where `${bmc}` should be
`bmc.example.com`. It is convenient to export it as an environment variable.

```
curl --user root:0penBmc -d @install_ca.json -k -H "Content-Type: application/json" -X POST https://${bmc}/redfish/v1/Managers/bmc/Truststore/Certificates
```

The credentials `root:0penBmc` can be replaced with any system user name and
password of your choice, provided that account has the access rights required
for the resources used here.

After successful certificate installation you should get a successful HTTP
response, and the new certificate should be listed under this resource
collection.

```
curl --user root:0penBmc -k https://${bmc}/redfish/v1/Managers/bmc/Truststore/Certificates
```

An auto-generated self-signed server certificate is already present on OpenBMC
by default. To use the certificate signed by our CA it must be replaced.
Additionally we must upload to OpenBMC the private key `server-key.pem` that
belongs to the server certificate. A proper message body can be prepared with
this command:

```
cat << END > replace_cert.json
{
  "CertificateString":"$(cat server-key.pem server-cert.pem | sed -n -e '1h;1!H;${x;s/\n/\\n/g;p;}')",
   "CertificateUri":
   {
      "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
   },
  "CertificateType": "PEM"
}
END
```

To replace the server certificate on the OpenBMC server, post the content of
`replace_cert.json` with this command:

```
curl --user root:0penBmc -d @replace_cert.json -k -H "Content-Type: application/json" -X POST https://${bmc}/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate/
```
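
Both request bodies above (`install_ca.json` and `replace_cert.json`) are built
by hand with `sed`, which only rewrites the line endings. The script below is an
added example, not code from the OpenBMC project: it produces the same two
bodies with `json.dumps`, which applies the full JSON escaping of `\`, `"` and
control characters the text above calls for, and it refuses to build a body when
the expected PEM block is missing, so a key file mistakenly uploaded as a CA
certificate, or a certificate uploaded without its key, is caught before the
request is sent. The two Redfish paths come from the curl commands above; the
function names `pem_blocks`, `truststore_body` and `replace_cert_body` and the
placeholder PEM strings are this example's own.

```python
import json

# Redfish resources used in the curl commands above.
TRUSTSTORE_COLLECTION = "/redfish/v1/Managers/bmc/Truststore/Certificates"
HTTPS_CERT_URI = "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"


def pem_blocks(text):
    """Split text into its PEM blocks, one string per BEGIN/END pair."""
    blocks, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN "):
            current = [line]
        elif current is None:
            continue  # stray text outside a block is ignored
        elif line.startswith("-----END "):
            current.append(line)
            blocks.append("\n".join(current))
            current = None
        elif line:
            current.append(line)
    return blocks


def _single(blocks, kind, source):
    """Require exactly one block whose BEGIN line names `kind` (e.g. CERTIFICATE)."""
    found = [b for b in blocks if kind in b.split("\n", 1)[0]]
    if len(found) != 1:
        raise ValueError("%s must contain exactly one %s block" % (source, kind))
    return found[0]


def truststore_body(ca_pem):
    """Body for POST .../Truststore/Certificates (the install_ca.json above)."""
    cert = _single(pem_blocks(ca_pem), "CERTIFICATE", "CA-cert.pem")
    return json.dumps({"CertificateString": cert, "CertificateType": "PEM"})


def replace_cert_body(key_pem, cert_pem, cert_uri=HTTPS_CERT_URI):
    """Body for CertificateService.ReplaceCertificate (the replace_cert.json above).

    The private key comes first, followed by the certificate, in the same order
    as `cat server-key.pem server-cert.pem` produces in the sed command.
    """
    key = _single(pem_blocks(key_pem), "PRIVATE KEY", "server-key.pem")
    cert = _single(pem_blocks(cert_pem), "CERTIFICATE", "server-cert.pem")
    return json.dumps({
        "CertificateString": key + "\n" + cert,
        "CertificateUri": {"@odata.id": cert_uri},
        "CertificateType": "PEM",
    })


# Constructed placeholder PEMs (not a real key or certificate) so this runs offline.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBexampleCERT\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEexampleKEY\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    # Real use: read CA-cert.pem, server-key.pem and server-cert.pem from disk and
    # write the results to install_ca.json / replace_cert.json for the curl calls.
    print(truststore_body(SAMPLE_CERT))
    print(replace_cert_body(SAMPLE_KEY, SAMPLE_CERT))
```

Because PEM text contains no quotes or backslashes, the output of
`truststore_body` is byte-for-byte what the `sed` pipeline produces; the
difference is that a wrong or empty input file now fails loudly instead of
producing a syntactically valid body that the BMC rejects later.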

## Enable TLS authentication

To check the current state of the TLS authentication method use this command:

```
curl --user root:0penBmc -k https://${bmc}/redfish/v1/AccountService
```

and check whether the attribute `Oem->OpenBMC->AuthMethods->TLS` is set to
`true`.

To enable TLS authentication use this command:

```
curl --user root:0penBmc -k -X PATCH -H "Content-Type: application/json" --data '{"Oem": {"OpenBMC": {"AuthMethods": { "TLS": true} } } }' https://${bmc}/redfish/v1/AccountService
```

To disable TLS authentication use this command:

```
curl --user root:0penBmc -k -X PATCH -H "Content-Type: application/json" --data '{"Oem": {"OpenBMC": {"AuthMethods": { "TLS": false} } } }' https://${bmc}/redfish/v1/AccountService
```

Other authentication methods, like basic authentication, can be enabled or
disabled as well using the same mechanism. All supported authentication methods
are available under the attribute `Oem->OpenBMC->AuthMethods` of the
`/redfish/v1/AccountService` resource.

## Using TLS to access OpenBMC resources

If TLS authentication is enabled, a valid CA certificate has been uploaded, and
the server certificate has been replaced, it should be possible to execute curl
requests using only the client certificate, its key, and the CA certificate, as
below.

```
curl --cert client-cert.pem --key client-key.pem -vvv --cacert CA-cert.pem https://${bmc}/redfish/v1/SessionService/Sessions
```

## Common mistakes during TLS configuration

- Invalid date and time on OpenBMC.

- Testing Redfish resources, like `https://${bmc}/redfish/v1`, which are always
  available without any authentication: these will always succeed, even when
  TLS is disabled or the certificates are invalid.

- Certificates do not meet the requirements. See paragraph
  [Verify certificates](#Verify-certificates).

- Attempting to load the same certificate twice will end up with an error.

- Not having phosphor-bmcweb-cert-config in the build.