# How to configure the server TLS certificates for authentication

Author:
  Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>

Created:
  May 8, 2020

Related documents:
* [Redfish TLS User Authentication](https://github.com/openbmc/docs/blob/master/designs/redfish-tls-user-authentication.md)

## Introduction

With the help of this guidebook you should be able to create both client and
server certificates signed by a CA that can be used to authenticate user
requests to an OpenBMC server. You will also learn how to enable and test
the OpenBMC TLS authentication.

## Certificates

For a certificate to be marked as valid, it (and every certificate in the
chain) has to meet these conditions:

* `KeyUsage` contains the required purposes `digitalSignature` and `keyAgreement`
  (see RFC 3280 4.2.1.3)
* `ExtendedKeyUsage` contains the required purpose `clientAuth` for a client
  certificate and `serverAuth` for a server certificate (see RFC 3280 4.2.1.13)
* the public key meets the minimal bit length requirement
* the certificate is within its validity period
* the `notBefore` and `notAfter` fields contain valid times
* it is properly signed by a certificate authority
* the certificate is well-formed according to X.509
* for a client certificate, the issuer name has to match the CA's subject name
* the issuer name has to match the fully qualified domain name of your OpenBMC
  host

If you already have certificates you can skip to
[Enable TLS authentication](#Enable-TLS-authentication) or go to
[Verify certificates](#Verify-certificates) and check whether they meet the
above requirements.

### Prepare configuration files

To generate certificates with the required parameters, some modifications must
be made to the default openssl configuration file.

First create a new folder named `ca` and create a configuration file using
the default configuration as a template (we do not want to change the
original one). The location of the configuration file may vary depending on
the operating system. For Ubuntu it is usually `/usr/lib/ssl/openssl.cnf`,
but it can also be at `/etc/ssl/openssl.cnf`. For Cygwin it might be
`/etc/defaults/etc/pki/tls/openssl.cnf` or `/etc/pki/tls/openssl.cnf`.

```
mkdir ~/ca
cd ~/ca
cp /usr/lib/ssl/openssl.cnf openssl-client.cnf
```

Then open the client `~/ca/openssl-client.cnf` file in your favorite editor,
for example `vi`.

```
vi ~/ca/openssl-client.cnf
```

Find the sections listed below and add or choose the presented values.

```
[ req ]
req_extensions = v3_req

[ usr_cert ]
extendedKeyUsage = clientAuth

[ v3_req ]
extendedKeyUsage = clientAuth
keyUsage = digitalSignature, keyAgreement
```

Now create a server configuration `openssl-server.cnf` by copying the client
file

```
cp ~/ca/openssl-client.cnf openssl-server.cnf
```

and changing the values presented in the sections listed below.

```
[ usr_cert ]
extendedKeyUsage = serverAuth

[ v3_req ]
extendedKeyUsage = serverAuth
```

Create two additional configuration files, `myext-client.cnf` and
`myext-server.cnf`, for the client and server certificates respectively.
Without these files no extensions are added to the certificate.

```
cat << END > myext-client.cnf
[ my_ext_section ]
keyUsage = digitalSignature, keyAgreement
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid
END
```

```
cat << END > myext-server.cnf
[ my_ext_section ]
keyUsage = digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid
END
```

### Create a new CA certificate

First we need to create a private key to sign the CA certificate.

```
openssl genrsa -out CA-key.pem 2048
```

Now we can create a CA certificate, using the previously generated key.
You will be prompted for information which will be incorporated into the
certificate, such as Country, City, Company Name, etc.

```
openssl req -new -config openssl-client.cnf -key CA-key.pem -x509 -days 1000 -out CA-cert.pem
```

### Create client certificate signed by given CA certificate

To create a client certificate, a signing request must be created first.
For this, another private key is needed.

Generate a new key that will be used to sign the certificate signing request:

```
openssl genrsa -out client-key.pem 2048
```

Generate a certificate signing request.

You will be prompted for the same information as during CA generation, but
provide **the OpenBMC system user name** for the `CommonName` attribute of
this certificate. In this example, use **root**.

```
openssl req -new -config openssl-client.cnf -key client-key.pem -out signingReqClient.csr
```

Sign the certificate using your `CA-cert.pem` certificate with the following
command:

```
openssl x509 -req -extensions my_ext_section -extfile myext-client.cnf -days 365 -in signingReqClient.csr -CA CA-cert.pem -CAkey CA-key.pem -CAcreateserial -out client-cert.pem
```

The file `client-cert.pem` now contains a signed client certificate.

### Create server certificate signed by given CA certificate

For convenience we will use the same CA generated in paragraph
[Create a new CA certificate](#Create-a-new-CA-certificate), although a
different one could be used.

Generate a new key that will be used to sign the server certificate signing
request:

```
openssl genrsa -out server-key.pem 2048
```

Generate a certificate signing request. You will be prompted for the same
information as during CA generation, but provide **the fully qualified
domain name of your OpenBMC server** for the `CommonName` attribute of this
certificate. In this example it will be `bmc.example.com`. A wildcard can
be used to protect multiple hosts; for example, a certificate configured for
`*.example.com` will secure www.example.com, as well as mail.example.com,
blog.example.com, and others.

```
openssl req -new -config openssl-server.cnf -key server-key.pem -out signingReqServer.csr
```

Sign the certificate using your `CA-cert.pem` certificate with the following
command:

```
openssl x509 -req -extensions my_ext_section -extfile myext-server.cnf -days 365 -in signingReqServer.csr -CA CA-cert.pem -CAkey CA-key.pem -CAcreateserial -out server-cert.pem
```

The file `server-cert.pem` now contains a signed server certificate.
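The requirements listed under [Certificates](#Certificates) can be checked mechanically instead of by eye. The script below is an added example and is not part of the OpenBMC guide: it parses the text that `openssl x509 -in <cert> -text -noout` prints and reports which of the guide's requirements a client or server certificate fails (key usage, extended key usage, key length, validity period, issuer against the CA subject, and the subject CN against the OpenBMC user name or BMC host name). The file name `check_cert.py`, the helper names and the trimmed `SAMPLE_*` dump (modelled on the listings further down) are assumptions made for this example.

```python
"""Added example (not part of the OpenBMC guide): check the dump printed by
`openssl x509 -in <cert> -text -noout` against the certificate requirements
listed in the guide. Example use from the ~/ca folder:
    openssl x509 -in client-cert.pem -text -noout | python3 check_cert.py client root
    openssl x509 -in server-cert.pem -text -noout | python3 check_cert.py server bmc.example.com
"""
import re
import sys
from datetime import datetime, timezone

MIN_KEY_BITS = 2048
REQUIRED_KEY_USAGE = {"Digital Signature", "Key Agreement"}
# How openssl prints the clientAuth / serverAuth purposes of the EKU extension.
EKU_FOR_ROLE = {
    "client": "TLS Web Client Authentication",
    "server": "TLS Web Server Authentication",
}


def _field(text, label):
    """Value printed after 'label:' (tolerates the 'Not After :' spacing)."""
    m = re.search(r"^\s*" + re.escape(label) + r"\s*:\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else None


def _ext_values(text, ext_name):
    """Comma-separated values on the line below an 'X509v3 <ext_name>:' header."""
    m = re.search(r"^\s*X509v3 " + re.escape(ext_name) + r":[^\n]*\n\s*(.+?)\s*$",
                  text, re.M)
    return {v.strip() for v in m.group(1).split(",")} if m else set()


def _parse_time(value):
    # openssl prints validity times like "May 11 11:42:58 2020 GMT".
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def _cn(name):
    m = re.search(r"CN\s*=\s*([^,/]+)", name or "")
    return m.group(1).strip() if m else None


def parse_cert_text(text):
    """Pull the fields the guide tells you to inspect out of the openssl dump."""
    bits = _field(text, "Public-Key") or "(0 bit)"
    return {
        "issuer": _field(text, "Issuer"),
        "subject": _field(text, "Subject"),
        "not_before": _parse_time(_field(text, "Not Before")),
        "not_after": _parse_time(_field(text, "Not After")),
        "key_bits": int(re.search(r"(\d+) bit", bits).group(1)),
        "key_usage": _ext_values(text, "Key Usage"),
        "ext_key_usage": _ext_values(text, "Extended Key Usage"),
    }


def check_certificate(text, role, expected_cn, ca_subject=None, now=None):
    """Return the list of violated requirements (empty list: all met).

    role: "client" or "server"; expected_cn: the OpenBMC user name for a
    client certificate or the BMC's fully qualified domain name for a server
    certificate; ca_subject: the CA certificate's Subject line (issuer check
    skipped when None); now: a datetime or an openssl-style time string."""
    if isinstance(now, str):
        now = _parse_time(now)
    now = now or datetime.now(timezone.utc)
    c = parse_cert_text(text)
    problems = []
    missing = REQUIRED_KEY_USAGE - c["key_usage"]
    if missing:
        problems.append("KeyUsage lacks " + ", ".join(sorted(missing)))
    if EKU_FOR_ROLE[role] not in c["ext_key_usage"]:
        problems.append("ExtendedKeyUsage lacks " + EKU_FOR_ROLE[role])
    if c["key_bits"] < MIN_KEY_BITS:
        problems.append(f"public key is {c['key_bits']} bits, minimum is {MIN_KEY_BITS}")
    if not c["not_before"] <= now <= c["not_after"]:
        problems.append("certificate is outside its validity period")
    if ca_subject is not None and c["issuer"] != ca_subject:
        problems.append("Issuer does not match the CA Subject")
    if _cn(c["subject"]) != expected_cn:
        problems.append(f"Subject CN is {_cn(c['subject'])!r}, expected {expected_cn!r}")
    return problems


# Constructed sample, trimmed from the client-cert.pem listing shown in the guide.
SAMPLE_CA_SUBJECT = "C=US, ST=California, L=San Francisco, O=Intel, CN=Test CA"
SAMPLE_CLIENT_CERT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C=US, ST=California, L=San Francisco, O=Intel, CN=Test CA
        Validity
            Not Before: May 11 11:42:58 2020 GMT
            Not After : May 11 11:42:58 2021 GMT
        Subject: C=US, ST=California, L=San Francisco, O=Intel, CN=root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
"""

if __name__ == "__main__":
    if len(sys.argv) == 3 and not sys.stdin.isatty():
        found = check_certificate(sys.stdin.read(), sys.argv[1], sys.argv[2])
    else:  # no input: check the embedded sample as of a date inside its validity
        found = check_certificate(SAMPLE_CLIENT_CERT, "client", "root",
                                  SAMPLE_CA_SUBJECT, now="Jun 1 00:00:00 2020 GMT")
    print("OK: all requirements met" if not found else "\n".join(found))
```

Pass the CA certificate's `Subject` line as `ca_subject` to get the issuer check the guide asks for on the client certificate; the validity check uses the current time unless `now` is given, which is why an expired test certificate is reported even when everything else is correct.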

### Verify certificates

To verify the signing requests and all three certificates you can use the
following commands.

```
openssl x509 -in CA-cert.pem -text -noout
openssl x509 -in client-cert.pem -text -noout
openssl x509 -in server-cert.pem -text -noout
openssl req -in signingReqClient.csr -noout -text
openssl req -in signingReqServer.csr -noout -text
```

Below are example listings that you can compare with your results. Pay special
attention to attributes like:

* Validity in both certificates,
* `Issuer` in `client-cert.pem`, it must match `Subject` in `CA-cert.pem`,
* the *X509v3 extensions* section in `client-cert.pem`, it should contain the
  proper values,
* `Public-Key` length, it cannot be less than 2048 bits,
* `Subject` CN in `client-cert.pem`, it should match an existing OpenBMC user
  name. In this example it is **root**.
* `Subject` CN in `server-cert.pem`, it should match the OpenBMC host name.
  In this example it is **bmc.example.com** (see RFC 3280 4.2.1.11 for name
  constraints).

Below are fragments of the generated certificates that you can compare with.

```
CA-cert.pem
    Data:
        Version: 3 (0x2)
        Serial Number: 16242916899984461675 (0xe16a6edca3c34f6b)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=San Francisco, O=Intel, CN=Test CA
        Validity
            Not Before: May 11 11:40:48 2020 GMT
            Not After : Feb  5 11:40:48 2023 GMT
        Subject: C=US, ST=California, L=San Francisco, O=Intel, CN=Test CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d4:24:c1:1d:ac:85:8c:5b:42:e4:f8:a8:d8:7c:
                    ...
                    55:83:8b:aa:ac:ac:6e:e3:01:2b:ce:f7:ee:87:21:
                    f9:2b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                ED:FF:80:A7:F8:DA:99:7F:94:35:95:F0:92:74:1A:55:CD:DF:BA:FE
            X509v3 Authority Key Identifier:
                keyid:ED:FF:80:A7:F8:DA:99:7F:94:35:95:F0:92:74:1A:55:CD:DF:BA:FE

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         cc:8b:61:6a:55:60:2b:26:55:9f:a6:0c:42:b0:47:d4:ec:e0:
         ...
         45:47:91:62:10:bd:3e:a8:da:98:33:65:cc:11:23:95:06:1b:
         ee:d3:78:84
```

```
client-cert.pem
    Data:
        Version: 3 (0x2)
        Serial Number: 10150871893861973895 (0x8cdf2434b223bf87)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=San Francisco, O=Intel, CN=Test CA
        Validity
            Not Before: May 11 11:42:58 2020 GMT
            Not After : May 11 11:42:58 2021 GMT
        Subject: C=US, ST=California, L=San Francisco, O=Intel, CN=root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cf:d6:d0:a2:09:62:df:e9:a9:b1:e1:3d:7f:2f:
                    ...
                    30:7b:48:dc:c5:2c:3f:a9:c0:d1:b6:04:d4:1a:c8:
                    8a:51
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Authority Key Identifier:
                keyid:ED:FF:80:A7:F8:DA:99:7F:94:35:95:F0:92:74:1A:55:CD:DF:BA:FE

    Signature Algorithm: sha256WithRSAEncryption
         7f:a4:57:f5:97:48:2a:c4:8e:d3:ef:d8:a1:c9:65:1b:20:fd:
         ...
         25:cb:5e:0a:37:fb:a1:ab:b0:c4:62:fe:51:d3:1c:1b:fb:11:
         56:57:4c:6a
```

```
server-cert.pem
    Data:
        Version: 3 (0x2)
        Serial Number: 10622848005881387807 (0x936beffaa586db1f)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=z, L=z, O=z, OU=z, CN=bmc.example.com
        Validity
            Not Before: May 22 13:46:02 2020 GMT
            Not After : May 22 13:46:02 2021 GMT
        Subject: C=US, ST=z, L=z, O=z, OU=z, CN=bmc.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d9:34:9c:da:83:c6:eb:af:8f:e8:11:56:2a:59:
                    ...
                    92:60:09:fc:f9:66:82:d0:27:03:44:2f:9d:6d:c0:
                    a5:6d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Authority Key Identifier:
                keyid:5B:1D:0E:76:CC:54:B8:BF:AE:46:10:43:6F:79:0B:CA:14:5C:E0:90

    Signature Algorithm: sha256WithRSAEncryption
         bf:41:e2:2f:87:44:25:d8:54:9c:4e:dc:cc:b3:f9:af:5a:a3:
         ...
         ef:0f:90:a6
```

## Installing CA certificate on OpenBMC

The CA certificate can be installed via the Redfish Service. The file
`CA-cert.pem` cannot be uploaded directly but must be sent embedded in a valid
JSON string, in which `\`, `"` and control characters must be escaped. This
means all content is placed in a single string on a single line by encoding
the line endings as `\n`. The command below prepares the whole POST body and
puts it into a file named `install_ca.json`.

```
cat << END > install_ca.json
{
  "CertificateString":"$(cat CA-cert.pem | sed -n -e '1h;1!H;${x;s/\n/\\n/g;p;}')",
  "CertificateType": "PEM"
}
END
```

To install the CA certificate on the OpenBMC server, post the content of
`install_ca.json` with the command below, where `${bmc}` should be
`bmc.example.com`. It is convenient to export it as an environment variable.

```
curl --user root:0penBmc -d @install_ca.json -k -X POST https://${bmc}/redfish/v1/Managers/bmc/Truststore/Certificates
```

The credentials `root:0penBmc` can be replaced with any system user name and
password of your choice, provided that user has the proper access rights to
the resources used here.

After a successful certificate installation you should get a positive HTTP
response, and the new certificate should be available under this resource
collection.

```
curl --user root:0penBmc -k https://${bmc}/redfish/v1/Managers/bmc/Truststore/Certificates
```

An auto-generated self-signed server certificate is already present on
OpenBMC by default. To use the certificate signed by our CA it must be
replaced. Additionally, we must upload to OpenBMC the private key that was
used to sign the server certificate. A proper message body can be prepared
with this command:

```
cat << END > replace_cert.json
{
  "CertificateString":"$(cat server-key.pem server-cert.pem | sed -n -e '1h;1!H;${x;s/\n/\\n/g;p;}')",
  "CertificateUri":
  {
    "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
  },
  "CertificateType": "PEM"
}
END
```

To replace the server certificate on the OpenBMC server, post the content of
`replace_cert.json` with this command:

```
curl --user root:0penBmc -d @replace_cert.json -k -X POST https://${bmc}/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate/
```

## Enable TLS authentication

To check the current state of the TLS authentication method use this command:

```
curl --user root:0penBmc -k https://${bmc}/redfish/v1/AccountService
```

and verify that the attribute `Oem->OpenBMC->AuthMethods->TLS` is set to true.

To enable TLS authentication use this command:

```
curl --user root:0penBmc -k -X PATCH -H "Content-Type: application/json" --data '{"Oem": {"OpenBMC": {"AuthMethods": { "TLS": true} } } }' https://${bmc}/redfish/v1/AccountService
```

To disable TLS authentication use this command:

```
curl --user root:0penBmc -k -X PATCH -H "Content-Type: application/json" --data '{"Oem": {"OpenBMC": {"AuthMethods": { "TLS": false} } } }' https://${bmc}/redfish/v1/AccountService
```

Other authentication methods like basic authentication can be enabled or
disabled as well using the same mechanism. All supported authentication
methods are available under the attribute `Oem->OpenBMC->AuthMethods` of the
`/redfish/v1/AccountService` resource.
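The request bodies used in the two sections above (the Truststore POST, the `ReplaceCertificate` action and the `AuthMethods` PATCH) can also be built with `json.dumps`, which escapes newlines, quotes and backslashes for you and removes the dependency on the `sed` one-liner. The script below is an added example and is not part of the OpenBMC guide; the Redfish URIs are the ones the guide uses, while the helper names and the placeholder `FAKE_*` PEM strings (not real key material) are assumptions made for this example. It also checks the PEM block order for the replace body, since that body has to carry the private key followed by the certificate.

```python
"""Added example (not part of the OpenBMC guide): build the Redfish request
bodies from the PEM files with json.dumps instead of the sed one-liner, and
sanity-check the PEM blocks before they are uploaded."""
import json
import os
import re

# URIs as used in the guide.
TRUSTSTORE_URI = "/redfish/v1/Managers/bmc/Truststore/Certificates"
HTTPS_CERT_URI = "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
REPLACE_ACTION_URI = "/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate/"


def pem_labels(pem_text):
    """Labels of the PEM blocks in order, e.g. ['RSA PRIVATE KEY', 'CERTIFICATE']."""
    return re.findall(r"-----BEGIN ([A-Z ]+)-----", pem_text)


def _joined(*pem_parts):
    # `cat a.pem b.pem` glues the files together even if a.pem has no trailing
    # newline; make sure every block ends on its own line before concatenating.
    return "".join(p if p.endswith("\n") else p + "\n" for p in pem_parts)


def truststore_body(ca_cert_pem):
    """Body for POST TRUSTSTORE_URI (the guide's install_ca.json)."""
    if pem_labels(ca_cert_pem) != ["CERTIFICATE"]:
        raise ValueError("expected exactly one CERTIFICATE block")
    return json.dumps({"CertificateString": _joined(ca_cert_pem),
                       "CertificateType": "PEM"}, indent=2)


def replace_cert_body(server_key_pem, server_cert_pem):
    """Body for POST REPLACE_ACTION_URI (the guide's replace_cert.json):
    the private key followed by the certificate, targeting the HTTPS certificate."""
    labels = pem_labels(server_key_pem) + pem_labels(server_cert_pem)
    if len(labels) != 2 or "PRIVATE KEY" not in labels[0] or labels[1] != "CERTIFICATE":
        raise ValueError(f"expected a private key then a certificate, got {labels}")
    return json.dumps({
        "CertificateString": _joined(server_key_pem, server_cert_pem),
        "CertificateUri": {"@odata.id": HTTPS_CERT_URI},
        "CertificateType": "PEM",
    }, indent=2)


def auth_methods_body(tls_enabled):
    """Body for PATCH /redfish/v1/AccountService that toggles the TLS auth method."""
    return json.dumps({"Oem": {"OpenBMC": {"AuthMethods": {"TLS": bool(tls_enabled)}}}})


def tls_auth_enabled(account_service_json):
    """Read Oem->OpenBMC->AuthMethods->TLS from a GET /redfish/v1/AccountService reply."""
    return json.loads(account_service_json)["Oem"]["OpenBMC"]["AuthMethods"]["TLS"]


# Constructed stand-ins for CA-cert.pem / server-key.pem / server-cert.pem; the
# base64 payload is a placeholder, not real key material. FAKE_KEY deliberately
# has no trailing newline to exercise _joined().
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----"


def _read(name):
    with open(name) as f:
        return f.read()


if __name__ == "__main__":
    # Run from ~/ca after following the guide; falls back to the placeholders
    # so the script also runs where the PEM files do not exist.
    if all(os.path.exists(n) for n in ("CA-cert.pem", "server-key.pem", "server-cert.pem")):
        ca, key, cert = _read("CA-cert.pem"), _read("server-key.pem"), _read("server-cert.pem")
    else:
        ca, key, cert = FAKE_CERT, FAKE_KEY, FAKE_CERT
    with open("install_ca.json", "w") as f:
        f.write(truststore_body(ca))
    with open("replace_cert.json", "w") as f:
        f.write(replace_cert_body(key, cert))
    print("wrote install_ca.json and replace_cert.json;",
          "PATCH body to enable TLS:", auth_methods_body(True))
```

The generated files are posted with the same `curl -d @install_ca.json` and `curl -d @replace_cert.json` commands shown above; `tls_auth_enabled` is the programmatic form of the "verify that `Oem->OpenBMC->AuthMethods->TLS` is set to true" check on the `AccountService` reply.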

## Using TLS to access OpenBMC resources

If TLS is enabled, a valid CA certificate was uploaded and the server
certificate was replaced, it should be possible to execute curl requests
using only the client certificate, key, and CA, like below.

```
curl --cert client-cert.pem --key client-key.pem -vvv --cacert CA-cert.pem https://${bmc}/redfish/v1/SessionService/Sessions
```

## Common mistakes during TLS configuration

* Invalid date and time on OpenBMC.

* Testing against Redfish resources like `https://${bmc}/redfish/v1`, which
  are always available without any authentication, will always succeed, even
  when TLS is disabled or the certificates are invalid.

* Certificates do not meet the requirements. See the paragraph
  [Verify certificates](#Verify-certificates).

* Attempting to load the same certificate twice will end up with an error.