# How to configure the server TLS certificates for authentication

Author: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>

Created: May 8, 2020

Related documents:

- [Redfish TLS User Authentication](https://github.com/openbmc/docs/blob/master/designs/redfish-tls-user-authentication.md)

## Introduction

With the help of this guide you should be able to create both client and server
certificates, signed by a CA, that can be used to authenticate user requests to
an OpenBMC server. You will also learn how to enable and test OpenBMC TLS
authentication.

## Certificates

For a certificate to be marked as valid, it (and every certificate in the chain)
has to meet these conditions:

- `KeyUsage` contains the required purposes `digitalSignature` and
  `keyAgreement` (see RFC 3280 4.2.1.3)
- `ExtendedKeyUsage` contains the required purpose `clientAuth` for a client
  certificate and `serverAuth` for a server certificate (see RFC 3280 4.2.1.13)
- the public key meets the minimal bit length requirement
- the certificate is within its validity period
- the `notBefore` and `notAfter` fields contain valid times
- the certificate is properly signed by the certificate authority
- the certificate is well-formed according to X.509
- the issuer name matches the CA's subject name for a client certificate
- the issuer name matches the fully qualified domain name of your OpenBMC host

If you already have certificates you can skip to
[Enable TLS authentication](#Enable-TLS-authentication) or go to
[Verify certificates](#Verify-certificates) and check whether they meet the
above requirements.

### Prepare configuration files

To generate certificates with the required parameters, some modifications must
be made to the default openssl configuration file.

First create a new folder named `ca` and create a configuration file using the
default configuration as a template (we do not want to change the original one).
The location of the configuration file may vary depending on the operating
system. For Ubuntu it is usually `/usr/lib/ssl/openssl.cnf`, but it can also be
at `/etc/ssl/openssl.cnf`. For Cygwin it might be
`/etc/defaults/etc/pki/tls/openssl.cnf` or `/etc/pki/tls/openssl.cnf`.

```
mkdir ~/ca
cd ~/ca
cp /usr/lib/ssl/openssl.cnf openssl-client.cnf
```

Then open the client `~/ca/openssl-client.cnf` file in your favorite editor, for
example `vi`.

```
vi ~/ca/openssl-client.cnf
```

Find the sections listed below and add or choose the presented values.

```
[ req ]
req_extensions = v3_req

[ usr_cert ]
extendedKeyUsage = clientAuth

[ v3_req ]
extendedKeyUsage = clientAuth
keyUsage = digitalSignature, keyAgreement
```

Now create a server configuration `openssl-server.cnf` by copying the client
file

```
cp ~/ca/openssl-client.cnf openssl-server.cnf
```

and changing the values presented in the sections listed below.

```
[ usr_cert ]
extendedKeyUsage = serverAuth

[ v3_req ]
extendedKeyUsage = serverAuth
```

Create two additional configuration files, `myext-client.cnf` and
`myext-server.cnf`, for the client and server certificates respectively. Without
these files no extensions are added to the certificate.

```
cat << END > myext-client.cnf
[ my_ext_section ]
keyUsage = digitalSignature, keyAgreement
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid
END
```

```
cat << END > myext-server.cnf
[ my_ext_section ]
keyUsage = digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid
END
```

### Create a new CA certificate

First we need to create a private key to sign the CA certificate.

```
openssl genrsa -out CA-key.pem 2048
```

Now we can create a CA certificate using the previously generated key. You will
be prompted for information which will be incorporated into the certificate,
such as Country, City, Company Name, etc.

```
openssl req -new -config openssl-client.cnf -key CA-key.pem -x509 -days 1000 -out CA-cert.pem
```

### Create client certificate signed by given CA certificate

To create a client certificate, a signing request must be created first. For
this another private key will be needed.

Generate a new key that will be used to sign the certificate signing request:

```
openssl genrsa -out client-key.pem 2048
```

Generate a certificate signing request.

You will be prompted for the same information as during CA generation, but
provide **the OpenBMC system user name** for the `CommonName` attribute of this
certificate. In this example, use **root**.

```
openssl req -new -config openssl-client.cnf -key client-key.pem -out signingReqClient.csr
```

Sign the certificate using your `CA-cert.pem` certificate with the following
command:

```
openssl x509 -req -extensions my_ext_section -extfile myext-client.cnf -days 365 -in signingReqClient.csr -CA CA-cert.pem -CAkey CA-key.pem -CAcreateserial -out client-cert.pem
```

The file `client-cert.pem` now contains a signed client certificate.

### Create server certificate signed by given CA certificate

For convenience we will use the same CA generated in paragraph
[Create a new CA certificate](#Create-a-new-CA-certificate), although a
different one could be used.

Generate a new key that will be used to sign the server certificate signing
request:

```
openssl genrsa -out server-key.pem 2048
```

Generate a certificate signing request. You will be prompted for the same
information as during CA generation, but provide **the fully qualified domain
name of your OpenBMC server** for the `CommonName` attribute of this
certificate. In this example it will be `bmc.example.com`.
A wildcard can be used to protect multiple hosts; for example, a certificate
configured for `*.example.com` will secure www.example.com, as well as
mail.example.com, blog.example.com, and others.

```
openssl req -new -config openssl-server.cnf -key server-key.pem -out signingReqServer.csr
```

Sign the certificate using your `CA-cert.pem` certificate with the following
command:

```
openssl x509 -req -extensions my_ext_section -extfile myext-server.cnf -days 365 -in signingReqServer.csr -CA CA-cert.pem -CAkey CA-key.pem -CAcreateserial -out server-cert.pem
```

The file `server-cert.pem` now contains a signed server certificate.

### Verify certificates

To verify the signing requests and all certificates you can use the following
commands.

```
openssl x509 -in CA-cert.pem -text -noout
openssl x509 -in client-cert.pem -text -noout
openssl x509 -in server-cert.pem -text -noout
openssl req -in signingReqClient.csr -noout -text
openssl req -in signingReqServer.csr -noout -text
```

Below are example listings that you can compare with your results.
Pay special attention to attributes like:

- Validity in both certificates,
- `Issuer` in `client-cert.pem`, it must match `Subject` in `CA-cert.pem`,
- Section _X509v3 extensions_ in `client-cert.pem`, it should contain the proper
  values,
- `Public-Key` length, it cannot be less than 2048 bits,
- `Subject` CN in `client-cert.pem`, it should match an existing OpenBMC user
  name. In this example it is **root**.
- `Subject` CN in `server-cert.pem`, it should match the OpenBMC host name. In
  this example it is **bmc.example.com**. (See RFC 3280 4.2.1.11 for name
  constraints.)

Below are fragments of the generated certificates that you can compare with.

```
CA-cert.pem
    Data:
        Version: 3 (0x2)
        Serial Number: 16242916899984461675 (0xe16a6edca3c34f6b)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=San Francisco, O=Intel, CN=Test CA
        Validity
            Not Before: May 11 11:40:48 2020 GMT
            Not After : Feb  5 11:40:48 2023 GMT
        Subject: C=US, ST=California, L=San Francisco, O=Intel, CN=Test CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d4:24:c1:1d:ac:85:8c:5b:42:e4:f8:a8:d8:7c:
                    ...
                    55:83:8b:aa:ac:ac:6e:e3:01:2b:ce:f7:ee:87:21:
                    f9:2b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                ED:FF:80:A7:F8:DA:99:7F:94:35:95:F0:92:74:1A:55:CD:DF:BA:FE
            X509v3 Authority Key Identifier:
                keyid:ED:FF:80:A7:F8:DA:99:7F:94:35:95:F0:92:74:1A:55:CD:DF:BA:FE

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         cc:8b:61:6a:55:60:2b:26:55:9f:a6:0c:42:b0:47:d4:ec:e0:
         ...
         45:47:91:62:10:bd:3e:a8:da:98:33:65:cc:11:23:95:06:1b:
         ee:d3:78:84
```

```
client-cert.pem
    Data:
        Version: 3 (0x2)
        Serial Number: 10150871893861973895 (0x8cdf2434b223bf87)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=San Francisco, O=Intel, CN=Test CA
        Validity
            Not Before: May 11 11:42:58 2020 GMT
            Not After : May 11 11:42:58 2021 GMT
        Subject: C=US, ST=California, L=San Francisco, O=Intel, CN=root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cf:d6:d0:a2:09:62:df:e9:a9:b1:e1:3d:7f:2f:
                    ...
                    30:7b:48:dc:c5:2c:3f:a9:c0:d1:b6:04:d4:1a:c8:
                    8a:51
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Authority Key Identifier:
                keyid:ED:FF:80:A7:F8:DA:99:7F:94:35:95:F0:92:74:1A:55:CD:DF:BA:FE

    Signature Algorithm: sha256WithRSAEncryption
         7f:a4:57:f5:97:48:2a:c4:8e:d3:ef:d8:a1:c9:65:1b:20:fd:
         ...
         25:cb:5e:0a:37:fb:a1:ab:b0:c4:62:fe:51:d3:1c:1b:fb:11:
         56:57:4c:6a
```

```
server-cert.pem
    Data:
        Version: 3 (0x2)
        Serial Number: 10622848005881387807 (0x936beffaa586db1f)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=z, L=z, O=z, OU=z, CN=bmc.example.com
        Validity
            Not Before: May 22 13:46:02 2020 GMT
            Not After : May 22 13:46:02 2021 GMT
        Subject: C=US, ST=z, L=z, O=z, OU=z, CN=bmc.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d9:34:9c:da:83:c6:eb:af:8f:e8:11:56:2a:59:
                    ...
                    92:60:09:fc:f9:66:82:d0:27:03:44:2f:9d:6d:c0:
                    a5:6d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Authority Key Identifier:
                keyid:5B:1D:0E:76:CC:54:B8:BF:AE:46:10:43:6F:79:0B:CA:14:5C:E0:90

    Signature Algorithm: sha256WithRSAEncryption
         bf:41:e2:2f:87:44:25:d8:54:9c:4e:dc:cc:b3:f9:af:5a:a3:
         ...
         ef:0f:90:a6
```

## Installing CA certificate on OpenBMC

The CA certificate can be installed via the Redfish service. The file
`CA-cert.pem` cannot be uploaded directly; it must be sent embedded in a valid
JSON string, in which `\`, `"` and control characters must be escaped. In
practice this means the whole file content is placed in a single string on a
single line, with the line endings encoded as `\n`. The command below prepares
the whole POST body and writes it to a file named `install_ca.json`.

```
cat << END > install_ca.json
{
  "CertificateString":"$(cat CA-cert.pem | sed -n -e '1h;1!H;${x;s/\n/\\n/g;p;}')",
  "CertificateType": "PEM"
}
END
```

To install the CA certificate on the OpenBMC server, post the content of
`install_ca.json` with the command below, where `${bmc}` should be
`bmc.example.com`. It is convenient to export it as an environment variable.

```
curl --user root:0penBmc -d @install_ca.json -k -X POST https://${bmc}/redfish/v1/Managers/bmc/Truststore/Certificates
```

The credentials `root:0penBmc` can be replaced with any system user name and
password of your choice, as long as that user has proper access rights to the
resources used here.

After successful certificate installation you should get a positive HTTP
response, and the new certificate should be available under this resource
collection.

```
curl --user root:0penBmc -k https://${bmc}/redfish/v1/Managers/bmc/Truststore/Certificates
```

An auto-generated self-signed server certificate is already present on OpenBMC
by default. To use the certificate signed by our CA it must be replaced.
Additionally we must upload to OpenBMC the server certificate's private key
(`server-key.pem`), the one used to sign its certificate signing request. A
proper message body can be prepared with this command:

```
cat << END > replace_cert.json
{
  "CertificateString":"$(cat server-key.pem server-cert.pem | sed -n -e '1h;1!H;${x;s/\n/\\n/g;p;}')",
  "CertificateUri":
  {
    "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
  },
  "CertificateType": "PEM"
}
END
```

To replace the server certificate on the OpenBMC server, post the content of
`replace_cert.json` with this command:

```
curl --user root:0penBmc -d @replace_cert.json -k -X POST https://${bmc}/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate/
```

## Enable TLS authentication

To check the current state of the TLS authentication method use this command:

```
curl --user root:0penBmc -k https://${bmc}/redfish/v1/AccountService
```

and verify that the attribute `Oem->OpenBMC->AuthMethods->TLS` is set to true.

To enable TLS authentication use this command:

```
curl --user root:0penBmc -k -X PATCH -H "Content-Type: application/json" --data '{"Oem": {"OpenBMC": {"AuthMethods": { "TLS": true} } } }' https://${bmc}/redfish/v1/AccountService
```

To disable TLS authentication use this command:

```
curl --user root:0penBmc -k -X PATCH -H "Content-Type: application/json" --data '{"Oem": {"OpenBMC": {"AuthMethods": { "TLS": false} } } }' https://${bmc}/redfish/v1/AccountService
```

Other authentication methods, like basic authentication, can be enabled or
disabled as well using the same mechanism. All supported authentication methods
are available under the attribute `Oem->OpenBMC->AuthMethods` of the
`/redfish/v1/AccountService` resource.

## Using TLS to access OpenBMC resources

If TLS is enabled, a valid CA certificate was uploaded and the server certificate
was replaced, it should be possible to execute curl requests using only the
client certificate, its key, and the CA certificate, like below.

```
curl --cert client-cert.pem --key client-key.pem -vvv --cacert CA-cert.pem https://${bmc}/redfish/v1/SessionService/Sessions
```

## Common mistakes during TLS configuration

- Invalid date and time on OpenBMC.

- Testing Redfish resources, like `https://${bmc}/redfish/v1`, which are always
  available without any authentication: these will always succeed, even when
  TLS is disabled or the certificates are invalid.

- Certificates do not meet the requirements. See paragraph
  [Verify certificates](#Verify-certificates).

- Attempting to load the same certificate twice will end up with an error.

- Not having phosphor-bmcweb-cert-config in the build.
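As an added check for the requirement list in the Certificates section and the mistakes above (this script is not part of the OpenBMC guide), the following POSIX shell script generates the guide's CA, client and server certificates non-interactively and verifies each leaf certificate against those requirements. It assumes openssl 1.1.1 or newer on PATH; the subject names, file paths and scratch directory are constructed for the example.

```sh
# Added example, not code from the OpenBMC guide: build the guide's CA, client
# and server certificates without interactive prompts, then check each leaf
# certificate against the requirement list in the Certificates section.
# Assumes openssl 1.1.1+ on PATH; subject names and paths are constructed.
set -eu

# Create CA-key/CA-cert, client-key/client-cert (CN=root) and
# server-key/server-cert (CN=bmc.example.com) in directory $1.
make_test_pki() {
  dir=$1
  mkdir -p "$dir"
  # Minimal req config: a DN section is required even with -subj, and v3_ca
  # gives the self-signed root the CA:TRUE constraint that chain building needs.
  cat > "$dir/req.cnf" <<'END'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
END
  # Leaf extensions, the same as the guide's myext-client.cnf / myext-server.cnf.
  cat > "$dir/myext-client.cnf" <<'END'
[ my_ext_section ]
keyUsage = digitalSignature, keyAgreement
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid
END
  sed 's/clientAuth/serverAuth/' "$dir/myext-client.cnf" > "$dir/myext-server.cnf"
  openssl genrsa -out "$dir/CA-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -config "$dir/req.cnf" -key "$dir/CA-key.pem" -days 1000 \
    -subj '/O=Example/CN=Test CA' -out "$dir/CA-cert.pem"
  for role in client server; do
    case $role in client) cn=root ;; *) cn=bmc.example.com ;; esac
    openssl genrsa -out "$dir/$role-key.pem" 2048 2>/dev/null
    openssl req -new -config "$dir/req.cnf" -key "$dir/$role-key.pem" \
      -subj "/O=Example/CN=$cn" -out "$dir/$role.csr"
    openssl x509 -req -extensions my_ext_section -extfile "$dir/myext-$role.cnf" \
      -days 365 -in "$dir/$role.csr" -CA "$dir/CA-cert.pem" -CAkey "$dir/CA-key.pem" \
      -CAcreateserial -out "$dir/$role-cert.pem" 2>/dev/null
  done
}

# check_cert CERT CA clientAuth|serverAuth EXPECTED_CN
# Prints one FAIL line per unmet requirement and returns 1 if any failed.
check_cert() {
  cert=$1 ca=$2 eku=$3 cn=$4 rc=0
  exts=$(openssl x509 -in "$cert" -noout -ext keyUsage,extendedKeyUsage)
  # RFC 3280 4.2.1.3: keyUsage must carry both digitalSignature and keyAgreement.
  for ku in 'Digital Signature' 'Key Agreement'; do
    printf '%s\n' "$exts" | grep -q "$ku" || { echo "FAIL $cert: keyUsage lacks $ku"; rc=1; }
  done
  # RFC 3280 4.2.1.13: extendedKeyUsage must name the role the certificate serves.
  case $eku in
    clientAuth) want='TLS Web Client Authentication'; purpose=sslclient ;;
    *)          want='TLS Web Server Authentication'; purpose=sslserver ;;
  esac
  printf '%s\n' "$exts" | grep -q "$want" || { echo "FAIL $cert: extendedKeyUsage lacks $want"; rc=1; }
  # Public key length: the guide requires at least 2048 bits.
  bits=$(openssl x509 -in "$cert" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || { echo "FAIL $cert: public key is only ${bits:-?} bits"; rc=1; }
  # Issuer must equal the CA's subject; subject CN must be the user name / FQDN.
  issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  casubj=$(openssl x509 -in "$ca" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  [ "$issuer" = "$casubj" ] || { echo "FAIL $cert: issuer '$issuer' != CA subject '$casubj'"; rc=1; }
  subj_cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$subj_cn" = "$cn" ] || { echo "FAIL $cert: subject CN '$subj_cn' != '$cn'"; rc=1; }
  # Signature, validity period and X.509 well-formedness: let openssl verify
  # build the chain with the purpose the certificate will actually serve.
  openssl verify -CAfile "$ca" -purpose "$purpose" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL $cert: openssl verify -purpose $purpose rejected it"; rc=1; }
  [ "$rc" -ne 0 ] || echo "OK $cert ($eku, CN=$cn)"
  return "$rc"
}

# Stand-alone run: build everything in a scratch directory and check both leaves.
work=$(mktemp -d)
make_test_pki "$work"
check_cert "$work/client-cert.pem" "$work/CA-cert.pem" clientAuth root
check_cert "$work/server-cert.pem" "$work/CA-cert.pem" serverAuth bmc.example.com
```

Point `check_cert` at your own `client-cert.pem` / `server-cert.pem` and `CA-cert.pem` to get a per-requirement verdict instead of reading the `-text` listings by eye.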