# How to configure the server TLS certificates for authentication
Author:
  Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>

Created:
  May 8, 2020

Related documents:
* [Redfish TLS User Authentication](https://github.com/openbmc/docs/blob/master/designs/redfish-tls-user-authentication.md)

## Introduction
With the help of this guide you should be able to create both client and
server certificates signed by a CA that can be used to authenticate user
requests to an OpenBMC server. You will also learn how to enable and test
OpenBMC TLS authentication.

## Certificates
For a certificate to be marked as valid, it (and every certificate in the
chain) has to meet these conditions:

* `KeyUsage` contains the required purposes `digitalSignature` and `keyAgreement`
(see RFC 3280 4.2.1.3)
* `ExtendedKeyUsage` contains the required purpose `clientAuth` for a client
certificate and `serverAuth` for a server certificate (see RFC 3280 4.2.1.13)
* public key meets the minimal bit length requirement
* certificate has to be in its validity period
* `notBefore` and `notAfter` fields have to contain valid time
* has to be properly signed by the certificate authority
* certificate is
well-formed according to X.509
* issuer name has to match the CA's subject name for a client certificate
* issuer name has to match the fully qualified domain name of your OpenBMC
host

If you already have certificates you can skip to [Enable TLS authentication
](#Enable-TLS-authentication) or go to [Verify certificates](#Verify-certificates)
and check if they meet the above requirements.

### Prepare configuration files

To generate certificates with the required parameters some modifications must be
made to the default openssl configuration file.

First create a new folder named `ca` and create a configuration file using
the default configuration as a template (we do not want to change the
original one). The location of the configuration file may vary depending on
the operating system. For Ubuntu it is usually `/usr/lib/ssl/openssl.cnf`,
but it can also be at `/etc/ssl/openssl.cnf`. For Cygwin it might be
`/etc/defaults/etc/pki/tls/openssl.cnf` or `/etc/pki/tls/openssl.cnf`.

```
mkdir ~/ca
cd ~/ca
cp /usr/lib/ssl/openssl.cnf openssl-client.cnf
```

Then open the client `~/ca/openssl-client.cnf` file in your favorite editor,
for example `vi`.

```
vi ~/ca/openssl-client.cnf
```

Find the sections listed below and add or choose the presented values.

```
[ req ]
req_extensions = v3_req

[ usr_cert ]
extendedKeyUsage = clientAuth

[ v3_req ]
extendedKeyUsage = clientAuth
keyUsage = digitalSignature, keyAgreement
```

Now create a server configuration `openssl-server.cnf` by copying the client
file

```
cp ~/ca/openssl-client.cnf openssl-server.cnf
```

and changing the values presented in the sections listed below.

```
[ usr_cert ]
extendedKeyUsage = serverAuth

[ v3_req ]
extendedKeyUsage = serverAuth
```

Create two additional configuration files, `myext-client.cnf` and
`myext-server.cnf`, for the client and server certificates respectively.
Without these files no extensions are added to the certificate.

```
cat << END > myext-client.cnf
[ my_ext_section ]
keyUsage = digitalSignature, keyAgreement
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid
END
```

```
cat << END > myext-server.cnf
[ my_ext_section ]
keyUsage = digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid
END
```

### Create a new CA certificate
First we need to create a private key to sign the CA certificate.
```
openssl genrsa -out CA-key.pem 2048
```

Now we can create a CA certificate using the previously generated key.
You will be prompted for information which will be incorporated into the
certificate, such as Country, City, Company Name, etc.

```
openssl req -new -config openssl-client.cnf -key CA-key.pem -x509 -days 1000 -out CA-cert.pem
```

### Create client certificate signed by given CA certificate
To create a client certificate, a signing request must be created first.
For this another private key will be needed.

Generate a new key that will be used to sign the certificate signing request:
```
openssl genrsa -out client-key.pem 2048
```
Generate a certificate signing request.

You will be prompted for the same information as during CA generation, but
provide **the OpenBMC system user name** for the `CommonName` attribute of
this certificate. In this example, use **root**.

```
openssl req -new -config openssl-client.cnf -key client-key.pem -out signingReqClient.csr
```

Sign the certificate using your `CA-cert.pem` certificate with the following
command:
```
openssl x509 -req -extensions my_ext_section -extfile myext-client.cnf -days 365 -in signingReqClient.csr -CA CA-cert.pem -CAkey CA-key.pem -CAcreateserial -out client-cert.pem
```
The file `client-cert.pem` now contains a signed client certificate.

### Create server certificate signed by given CA certificate
For convenience we will use the same CA generated in paragraph [Create a new
CA certificate](#Create-a-new-CA-certificate), although a different one could
be used.

Generate a new key that will be used to sign the server certificate signing
request:
```
openssl genrsa -out server-key.pem 2048
```
Generate a certificate signing request. You will be prompted for the same
information as during CA generation, but provide **the fully qualified
domain name of your OpenBMC server** for the `CommonName` attribute of this
certificate. In this example it will be `bmc.example.com`. A wildcard can
be used to protect multiple hosts, for example a certificate configured for
`*.example.com` will secure www.example.com, as well as mail.example.com,
blog.example.com, and others.

```
openssl req -new -config openssl-server.cnf -key server-key.pem -out signingReqServer.csr
```

Sign the certificate using your `CA-cert.pem` certificate with the following
command:
```
openssl x509 -req -extensions my_ext_section -extfile myext-server.cnf -days 365 -in signingReqServer.csr -CA CA-cert.pem -CAkey CA-key.pem -CAcreateserial -out server-cert.pem
```
The file `server-cert.pem` now contains a signed server certificate.

### Verify certificates
To verify the signing requests and both certificates you can use the following
commands.

```
openssl x509 -in CA-cert.pem -text -noout
openssl x509 -in client-cert.pem -text -noout
openssl x509 -in server-cert.pem -text -noout
openssl req -in signingReqClient.csr -noout -text
openssl req -in signingReqServer.csr -noout -text
```

Below are example listings that you can compare with your results. Pay special
attention to attributes like:
* Validity in both certificates,
* `Issuer` in `client-cert.pem`, it must match `Subject` in `CA-cert.pem`,
* Section *X509v3 extensions* in `client-cert.pem`, it should contain the proper
values,
* `Public-Key` length, it cannot be less than 2048 bits,
* `Subject` CN in `client-cert.pem`, it should match an existing OpenBMC user
name. In this example it is **root**.
* `Subject` CN in `server-cert.pem`, it should match the OpenBMC host name.
In this example it is **bmc.example.com** (see RFC 3280 4.2.1.11 for name
constraints).

Below are fragments of the generated certificates that you can compare with.
```
CA-cert.pem
    Data:
        Version: 3 (0x2)
        Serial Number: 16242916899984461675 (0xe16a6edca3c34f6b)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=San Francisco, O=Intel, CN=Test CA
        Validity
            Not Before: May 11 11:40:48 2020 GMT
            Not After : Feb  5 11:40:48 2023 GMT
        Subject: C=US, ST=California, L=San Francisco, O=Intel, CN=Test CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d4:24:c1:1d:ac:85:8c:5b:42:e4:f8:a8:d8:7c:
                    ...
                    55:83:8b:aa:ac:ac:6e:e3:01:2b:ce:f7:ee:87:21:
                    f9:2b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                ED:FF:80:A7:F8:DA:99:7F:94:35:95:F0:92:74:1A:55:CD:DF:BA:FE
            X509v3 Authority Key Identifier:
                keyid:ED:FF:80:A7:F8:DA:99:7F:94:35:95:F0:92:74:1A:55:CD:DF:BA:FE

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         cc:8b:61:6a:55:60:2b:26:55:9f:a6:0c:42:b0:47:d4:ec:e0:
         ...
         45:47:91:62:10:bd:3e:a8:da:98:33:65:cc:11:23:95:06:1b:
         ee:d3:78:84
```

```
client-cert.pem
    Data:
        Version: 3 (0x2)
        Serial Number: 10150871893861973895 (0x8cdf2434b223bf87)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=San Francisco, O=Intel, CN=Test CA
        Validity
            Not Before: May 11 11:42:58 2020 GMT
            Not After : May 11 11:42:58 2021 GMT
        Subject: C=US, ST=California, L=San Francisco, O=Intel, CN=root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cf:d6:d0:a2:09:62:df:e9:a9:b1:e1:3d:7f:2f:
                    ...
                    30:7b:48:dc:c5:2c:3f:a9:c0:d1:b6:04:d4:1a:c8:
                    8a:51
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Authority Key Identifier:
                keyid:ED:FF:80:A7:F8:DA:99:7F:94:35:95:F0:92:74:1A:55:CD:DF:BA:FE

    Signature Algorithm: sha256WithRSAEncryption
         7f:a4:57:f5:97:48:2a:c4:8e:d3:ef:d8:a1:c9:65:1b:20:fd:
         ...
         25:cb:5e:0a:37:fb:a1:ab:b0:c4:62:fe:51:d3:1c:1b:fb:11:
         56:57:4c:6a
```

```
server-cert.pem
    Data:
        Version: 3 (0x2)
        Serial Number: 10622848005881387807 (0x936beffaa586db1f)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=z, L=z, O=z, OU=z, CN=bmc.example.com
        Validity
            Not Before: May 22 13:46:02 2020 GMT
            Not After : May 22 13:46:02 2021 GMT
        Subject: C=US, ST=z, L=z, O=z, OU=z, CN=bmc.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d9:34:9c:da:83:c6:eb:af:8f:e8:11:56:2a:59:
                    ...
                    92:60:09:fc:f9:66:82:d0:27:03:44:2f:9d:6d:c0:
                    a5:6d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Authority Key Identifier:
                keyid:5B:1D:0E:76:CC:54:B8:BF:AE:46:10:43:6F:79:0B:CA:14:5C:E0:90

    Signature Algorithm: sha256WithRSAEncryption
         bf:41:e2:2f:87:44:25:d8:54:9c:4e:dc:cc:b3:f9:af:5a:a3:
         ...
         ef:0f:90:a6
```

## Installing CA certificate on OpenBMC

The CA certificate can be installed via the Redfish Service. The file `CA-cert.pem`
cannot be uploaded directly but must be sent embedded in a valid JSON
string, which requires that `\`, `"`, and control characters be escaped.
This means all content is placed in a single string on a single line by
encoding the line endings as `\n`. The command below prepares a whole POST
body and puts it into a file named `install_ca.json`.

```
cat << END > install_ca.json
{
  "CertificateString":"$(cat CA-cert.pem | sed -n -e '1h;1!H;${x;s/\n/\\n/g;p;}')",
  "CertificateType": "PEM"
}
END
```

To install the CA certificate on the OpenBMC server, post the content of
`install_ca.json` with the command below, where `${bmc}` should be
`bmc.example.com`. It is convenient to export it as an environment variable.

```
curl --user root:0penBmc -d @install_ca.json -k -X POST https://${bmc}/redfish/v1/Managers/bmc/Truststore/Certificates
```

The credentials `root:0penBmc` can be replaced with any system user name and
password of your choice, provided the user has proper access rights to the
resources used here.

After successful certificate installation you should get a positive HTTP
response and the new certificate should be available under this resource
collection.
```
curl --user root:0penBmc -k https://${bmc}/redfish/v1/Managers/bmc/Truststore/Certificates
```

An auto-generated self-signed server certificate is already present on
OpenBMC by default. To use the certificate signed by our CA it must be
replaced. Additionally we must upload to OpenBMC the private key that was
used for the server certificate signing request. A proper message body can be
prepared with this command:

```
cat << END > replace_cert.json
{
  "CertificateString":"$(cat server-key.pem server-cert.pem | sed -n -e '1h;1!H;${x;s/\n/\\n/g;p;}')",
  "CertificateUri":
  {
    "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
  },
  "CertificateType": "PEM"
}
END
```

To replace the server certificate on the OpenBMC server, post the content of
`replace_cert.json` with this command:

```
curl --user root:0penBmc -d @replace_cert.json -k -X POST https://${bmc}/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate/
```

## Enable TLS authentication

To check the current state of the TLS authentication method use this command:

```
curl --user root:0penBmc -k https://${bmc}/redfish/v1/AccountService
```
and verify that the attribute `Oem->OpenBMC->AuthMethods->TLS` is set to true.

To enable TLS authentication use this command:

```
curl --user root:0penBmc -k -X PATCH -H "Content-Type: application/json" --data '{"Oem": {"OpenBMC": {"AuthMethods": { "TLS": true} } } }' https://${bmc}/redfish/v1/AccountService
```

To disable TLS authentication use this command:

```
curl --user root:0penBmc -k -X PATCH -H "Content-Type: application/json" --data '{"Oem": {"OpenBMC": {"AuthMethods": { "TLS": false} } } }' https://${bmc}/redfish/v1/AccountService
```

Other authentication methods like basic authentication can be enabled or
disabled as well using the same mechanism. All supported authentication
methods are available under the attribute `Oem->OpenBMC->AuthMethods` of the
`/redfish/v1/AccountService` resource.

## Using TLS to access OpenBMC resources

If TLS is enabled, a valid CA certificate was uploaded and the server
certificate was replaced, it should be possible to execute curl requests
using only the client certificate, key, and CA like below.

```
curl --cert client-cert.pem --key client-key.pem -vvv --cacert CA-cert.pem https://${bmc}/redfish/v1/SessionService/Sessions
```

## Common mistakes during TLS configuration

* Invalid date and time on OpenBMC,

* Testing Redfish resources, like `https://${bmc}/redfish/v1`, which are
always available without any authentication will always result in success,
even when TLS is disabled or certificates are invalid.

* Certificates do not meet the requirements. See paragraph
[Verify certificates](#Verify-certificates).

* Attempting to load the same certificate twice will end up with an error.

* Not having phosphor-bmcweb-cert-config in the build.
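As an added example that is not part of the original guide, the POSIX shell script below checks a CA certificate and a leaf certificate against the requirements from the Certificates section (KeyUsage, ExtendedKeyUsage, key length, issuer against CA subject, subject CN, and chain validity via `openssl verify`) using only the openssl CLI, which turns the "Certificates do not meet the requirements" mistake into a one-command check. File names follow the guide; `check_cert`, `make_test_material` and `self_test` are the example's own names, and the self-test generates constructed, short-lived certificates the same way the guide does, including one signed without the `myext-*.cnf` extension file to show it being rejected.

```shell
#!/bin/sh
# Added example (not part of the OpenBMC guide): check the requirements from the
# "Certificates" section against a CA certificate and a leaf certificate using
# only the openssl CLI. File names follow the guide; the purpose (client|server)
# and the expected CommonName (OpenBMC user name or BMC host name) are parameters.

# check_cert CA_FILE CERT_FILE client|server EXPECTED_CN
# Prints one line per violated requirement; returns 0 only when all pass.
check_cert() {
    ca=$1; cert=$2; purpose=$3; want_cn=$4; fail=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 1

    # KeyUsage must contain both digitalSignature and keyAgreement
    ku=$(printf '%s\n' "$text" | sed -n '/X509v3 Key Usage/{n;p;}')
    for need in 'Digital Signature' 'Key Agreement'; do
        case $ku in *"$need"*) ;; *) echo "FAIL: keyUsage lacks $need"; fail=1 ;; esac
    done

    # ExtendedKeyUsage: clientAuth for a client, serverAuth for a server certificate
    case $purpose in
        client) eku='TLS Web Client Authentication' ;;
        *)      eku='TLS Web Server Authentication' ;;
    esac
    printf '%s\n' "$text" | grep -q "$eku" || { echo "FAIL: extendedKeyUsage lacks $eku"; fail=1; }

    # public key length: the guide requires at least 2048 bits
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: public key is only ${bits:-0} bits"; fail=1; }

    # issuer must equal the CA's subject (both printed in RFC 2253 form)
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    ca_subj=$(openssl x509 -in "$ca" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    [ "$issuer" = "$ca_subj" ] || { echo "FAIL: issuer '$issuer' != CA subject '$ca_subj'"; fail=1; }

    # subject CN must be the OpenBMC user (client) or the BMC host name (server)
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$want_cn" ] || { echo "FAIL: subject CN '$cn' != '$want_cn'"; fail=1; }

    # signature, validity period, X.509 well-formedness and purpose: left to openssl verify
    openssl verify -CAfile "$ca" -purpose "ssl$purpose" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: openssl verify -purpose ssl$purpose rejected the certificate"; fail=1; }
    return $fail
}

# make_test_material DIR: constructed sample material for the self-test, produced
# the same way as in the guide but non-interactively (-subj) and short-lived.
make_test_material() {
    d=$1; ext="$d/myext-client.cnf"
    openssl genrsa -out "$d/CA-key.pem" 2048 || return 1
    openssl req -new -x509 -days 2 -key "$d/CA-key.pem" -subj '/O=Test/CN=Test CA' \
        -out "$d/CA-cert.pem" || return 1
    openssl genrsa -out "$d/client-key.pem" 2048 || return 1
    openssl req -new -key "$d/client-key.pem" -subj '/O=Test/CN=root' -out "$d/client.csr" || return 1
    printf '%s\n' '[ my_ext_section ]' 'keyUsage = digitalSignature, keyAgreement' \
        'extendedKeyUsage = clientAuth' 'authorityKeyIdentifier = keyid' > "$ext"
    # compliant leaf: signed with the extension file, exactly as the guide does
    openssl x509 -req -extensions my_ext_section -extfile "$ext" -days 1 -in "$d/client.csr" \
        -CA "$d/CA-cert.pem" -CAkey "$d/CA-key.pem" -CAcreateserial -out "$d/client-cert.pem" || return 1
    # non-compliant leaf: same CSR signed without -extfile, so no extensions are added
    openssl x509 -req -days 1 -in "$d/client.csr" -CA "$d/CA-cert.pem" -CAkey "$d/CA-key.pem" \
        -CAcreateserial -out "$d/bad-cert.pem"
}

# self_test: returns 0 when the compliant certificate passes and the one signed
# without extensions is rejected (the "no extensions are added" mistake above).
self_test() {
    d=$(mktemp -d) || return 1
    rc=1
    if make_test_material "$d" >/dev/null 2>&1 &&
       check_cert "$d/CA-cert.pem" "$d/client-cert.pem" client root >/dev/null &&
       ! check_cert "$d/CA-cert.pem" "$d/bad-cert.pem" client root >/dev/null; then
        rc=0
    fi
    rm -rf "$d"
    return $rc
}

# Usage: sh check-certs.sh CA-cert.pem client-cert.pem client root
if [ $# -eq 4 ]; then check_cert "$@"; fi
```

For the server certificate from this guide the call is `sh check-certs.sh CA-cert.pem server-cert.pem server bmc.example.com`; any FAIL line names the requirement that was not met.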