## Steps to create and install CA signed certificate

To create and install a CA signed server certificate, follow these steps:

A. Create your own SSL certificate authority
B. Generate CSR for server certificate
C. Create CA signed server certificate using CSR request
D. Install CA signed server certificate

**Create your own SSL certificate authority**

1. Create a private key for the certificate authority (CA).

```
openssl genrsa -des3 -out rootCA.key 2048
```

Note: You will be prompted for a password for the private key. This password will be required whenever the private key is used.

2. Create a root CA certificate using the private key created in step 1.

```
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
```

This starts an interactive prompt for the information that will be incorporated into your certificate request.

```
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Oregon
Locality Name (eg, city) []:Portland
Organization Name (eg, company) [Default Company Ltd]:XYZ
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:XYZ CERTIFICATE AUTHORITY
Email Address []:none@none.com
```

**Generate CSR for server certificate**

1. Create a CSR request file (csr_file.json) with all of the following fields.

```
{
 "City": <City Name>,
 "CertificateCollection": {
 "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/"
 },
 "CommonName": "<BMC_IP>",
 "Country": <Country Name>,
 "Organization": <Organization Name>,
 "OrganizationalUnit": <Organization Unit Name>,
 "State": <State Name>,
 "KeyPairAlgorithm": <RSA/EC>
}
```

Example:
```
{
 "City": "Austin",
 "CertificateCollection": {
 "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/"
 },
 "CommonName": "xx.xx.xx.xx",
 "Country": "US",
 "Organization": "ABC Limited",
 "OrganizationalUnit": "IT",
 "State": "AU",
 "KeyPairAlgorithm": "RSA"
}
```

2. Generate the CSR using the following Redfish command.

```
$ curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST https://${BMC_IP}/redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR/ -d @csr_file.json
{
 "CSRString": "-----BEGIN CERTIFICATE REQUEST-----\nMIICyzCCAbMCAQEwgYUxDzANBgNVBAcMBkF1c3RpbjEUMBIGA1UEAwwLeHgueHgu\neHgueHgxCzAJBgNVBAYTAlVTMQ0wCwYEKw4DAgwDUlNBMR0wGwYDVR0lDBRTZXJ2\nZXJBdXRoZW50aWNhdGlvbjEUMBIGA1UECgwLQUJDIExpbWl0ZWQxCzAJBgNVBAgM\nAkFVMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7+OoXRmAI85W/5pB\nYjC5EdZ/atrPpkIxjT4sXANZLXm6/vkfR/BAxd5s8DYrifPjdfvJRv33cAPT6+pe\no/t793hdBx7Cwwzqlj3czfdbpvGp90I7BQ1OvKCo/NDmqeTm+5jphYpd8ZvKmBNC\nOfHV0sr3/dMPHME16aunDEHFJz1CzXpG5kSszRYbwcZrXC7rvmSi8UBX8BYoKWzx\nlAGdOYh9j5k/LVNQuKFJjqIfesYJ8fajgsJr8bj81o+bOzvG+zApvt+Ak8B8fqa7\nvET4jb1oeDuSi9D1/Xax+2qx3vInIQOOZz3OCVjxNLZMWOA+P86z59e/6YkXOg/Q\nkXG4uQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAOTLICzJiYerbWa6VyXv/w8b\nr160bNDvIRXJf8E2b5+27NinZb+65WVa6oxE9Ai7UEN+mHkbnDpb2vujp/wuROER\nrgmjstePJST+EqX5PuoSxbPhE0ucHw7dTZf9agfvNLlpgTUo/Lv9A2pCSDa5KZ13\nu96AFsFBjBuanUK2k7aoEc/Rl7JhfxUaXNszzYqDgwIHggYWbZO7Ku7HHbY1qYGR\nD0XaLUyXAxgB76mcud004zu7swTJxDlM+c5+i0yqflWQiVWEAOW9HDeHvnYmShuT\n+HS1vhv+x/9HDHowxiWOt2Th18uzdf+F0446fR8uoIrG1z7KdNoxipUnVKfyXTg=\n-----END CERTIFICATE REQUEST-----\n",
 "CertificateCollection": {
 "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/"
 }
```

3. Convert the response into a .csr file (device.csr): write the value of CSRString to the file, with each `\n` escape turned into a real line break.

```
$ cat device.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICyzCCAbMCAQEwgYUxDzANBgNVBAcMBkF1c3RpbjEUMBIGA1UEAwwLeHgueHgu
eHgueHgxCzAJBgNVBAYTAlVTMQ0wCwYEKw4DAgwDUlNBMR0wGwYDVR0lDBRTZXJ2
ZXJBdXRoZW50aWNhdGlvbjEUMBIGA1UECgwLQUJDIExpbWl0ZWQxCzAJBgNVBAgM
AkFVMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7+OoXRmAI85W/5pB
YjC5EdZ/atrPpkIxjT4sXANZLXm6/vkfR/BAxd5s8DYrifPjdfvJRv33cAPT6+pe
o/t793hdBx7Cwwzqlj3czfdbpvGp90I7BQ1OvKCo/NDmqeTm+5jphYpd8ZvKmBNC
OfHV0sr3/dMPHME16aunDEHFJz1CzXpG5kSszRYbwcZrXC7rvmSi8UBX8BYoKWzx
lAGdOYh9j5k/LVNQuKFJjqIfesYJ8fajgsJr8bj81o+bOzvG+zApvt+Ak8B8fqa7
vET4jb1oeDuSi9D1/Xax+2qx3vInIQOOZz3OCVjxNLZMWOA+P86z59e/6YkXOg/Q
kXG4uQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAOTLICzJiYerbWa6VyXv/w8b
r160bNDvIRXJf8E2b5+27NinZb+65WVa6oxE9Ai7UEN+mHkbnDpb2vujp/wuROER
rgmjstePJST+EqX5PuoSxbPhE0ucHw7dTZf9agfvNLlpgTUo/Lv9A2pCSDa5KZ13
u96AFsFBjBuanUK2k7aoEc/Rl7JhfxUaXNszzYqDgwIHggYWbZO7Ku7HHbY1qYGR
D0XaLUyXAxgB76mcud004zu7swTJxDlM+c5+i0yqflWQiVWEAOW9HDeHvnYmShuT
+HS1vhv+x/9HDHowxiWOt2Th18uzdf+F0446fR8uoIrG1z7KdNoxipUnVKfyXTg=
-----END CERTIFICATE REQUEST-----
```

**Create CA signed server certificate using CSR request**

1. Use the BMC generated CSR (device.csr) to create the CA signed certificate (device.crt).

```
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500 -sha256
```

Note: You will be prompted for the password of the CA private key (rootCA.key).

2. Create a JSON file (certificate.json) containing the device.crt file created in step 1.

```
$ cat certificate.json
{
 "CertificateString": "-----BEGIN CERTIFICATE-----\nMIIDkTCCAnkCCQD7oPxudsyOjTANBgkqhkiG9w0BAQsFADCBjjELMAkGA1UEBhMC\nVVMxDzANBgNVBAgMBk9yZWdvbjERMA8GA1UEBwwIUG9ydGxhbmQxDDAKBgNVBAoM\nA1hZWjELMAkGA1UECwwCSVQxIjAgBgNVBAMMGVhZWiBDRVJUSUZJQ0FURSBBVVRI\nT1JJVFkxHDAaBgkqhkiG9w0BCQEWDW5vbmVAbm9uZS5jb20wHhcNMTkwOTEyMDkx\nMzQwWhcNMjEwMTI0MDkxMzQwWjCBhTEPMA0GA1UEBwwGQXVzdGluMRQwEgYDVQQD\nDAt4eC54eC54eC54eDELMAkGA1UEBhMCVVMxDTALBgQrDgMCDANSU0ExHTAbBgNV\nHSUMFFNlcnZlckF1dGhlbnRpY2F0aW9uMRQwEgYDVQQKDAtBQkMgTGltaXRlZDEL\nMAkGA1UECAwCQVUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDv46hd\nGYAjzlb/mkFiMLkR1n9q2s+mQjGNPixcA1ktebr++R9H8EDF3mzwNiuJ8+N1+8lG\n/fdwA9Pr6l6j+3v3eF0HHsLDDOqWPdzN91um8an3QjsFDU68oKj80Oap5Ob7mOmF\nil3xm8qYE0I58dXSyvf90w8cwTXpq6cMQcUnPULNekbmRKzNFhvBxmtcLuu+ZKLx\nQFfwFigpbPGUAZ05iH2PmT8tU1C4oUmOoh96xgnx9qOCwmvxuPzWj5s7O8b7MCm+\n34CTwHx+pru8RPiNvWh4O5KL0PX9drH7arHe8ichA45nPc4JWPE0tkxY4D4/zrPn\n17/piRc6D9CRcbi5AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJ+xLxyfBBpRXov/\noRVMyJSWRSSITfzvcZVMcbDXAWR591rdYPNmpmpuDSdtynIvJe33H9FyXRI1UMnw\n5BYpJrVjxxyEvIyoxbJSkLxjkO6TUJNI2w7wBJeUDpwdYWuwmUc6UfO5c5LGSb4z\nzbvfEdSsW+3pHuFopuhU8d/SR14rjZiGpU2MBF+/yEyUXmQ5jIU69UwvIvbch0Zy\naquTL4O3aL1Lc9ACVUsQ7mTUS+niduIsZLvvI+OWMShRo8CEUJl9BKijQJhwvUVf\nUBNa1pVzonLxdt3eRTv93X4cu5ole6wO2DA19PWnlt/16XYw61/5naYckslQTRdc\nGvsIpb0=\n-----END CERTIFICATE-----",
 "CertificateType": "PEM",
 "CertificateUri":
 {
 "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
 }
}
```

**Install CA signed server certificate**

Replace the server certificate using the JSON file created above with the CA signed certificate details (certificate.json).

```
$ curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST https://${BMC_IP}/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate/ -d @certificate.json
{
 "@odata.context": "/redfish/v1/$metadata#Certificate.Certificate",
 "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1",
 "@odata.type": "#Certificate.v1_0_0.Certificate",
 "CertificateString": "-----BEGIN CERTIFICATE-----\nMIIDkTCCAnkCCQD7oPxudsyOjTANBgkqhkiG9w0BAQsFADCBjjELMAkGA1UEBhMC\nVVMxDzANBgNVBAgMBk9yZWdvbjERMA8GA1UEBwwIUG9ydGxhbmQxDDAKBgNVBAoM\nA1hZWjELMAkGA1UECwwCSVQxIjAgBgNVBAMMGVhZWiBDRVJUSUZJQ0FURSBBVVRI\nT1JJVFkxHDAaBgkqhkiG9w0BCQEWDW5vbmVAbm9uZS5jb20wHhcNMTkwOTEyMDkx\nMzQwWhcNMjEwMTI0MDkxMzQwWjCBhTEPMA0GA1UEBwwGQXVzdGluMRQwEgYDVQQD\nDAt4eC54eC54eC54eDELMAkGA1UEBhMCVVMxDTALBgQrDgMCDANSU0ExHTAbBgNV\nHSUMFFNlcnZlckF1dGhlbnRpY2F0aW9uMRQwEgYDVQQKDAtBQkMgTGltaXRlZDEL\nMAkGA1UECAwCQVUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDv46hd\nGYAjzlb/mkFiMLkR1n9q2s+mQjGNPixcA1ktebr++R9H8EDF3mzwNiuJ8+N1+8lG\n/fdwA9Pr6l6j+3v3eF0HHsLDDOqWPdzN91um8an3QjsFDU68oKj80Oap5Ob7mOmF\nil3xm8qYE0I58dXSyvf90w8cwTXpq6cMQcUnPULNekbmRKzNFhvBxmtcLuu+ZKLx\nQFfwFigpbPGUAZ05iH2PmT8tU1C4oUmOoh96xgnx9qOCwmvxuPzWj5s7O8b7MCm+\n34CTwHx+pru8RPiNvWh4O5KL0PX9drH7arHe8ichA45nPc4JWPE0tkxY4D4/zrPn\n17/piRc6D9CRcbi5AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJ+xLxyfBBpRXov/\noRVMyJSWRSSITfzvcZVMcbDXAWR591rdYPNmpmpuDSdtynIvJe33H9FyXRI1UMnw\n5BYpJrVjxxyEvIyoxbJSkLxjkO6TUJNI2w7wBJeUDpwdYWuwmUc6UfO5c5LGSb4z\nzbvfEdSsW+3pHuFopuhU8d/SR14rjZiGpU2MBF+/yEyUXmQ5jIU69UwvIvbch0Zy\naquTL4O3aL1Lc9ACVUsQ7mTUS+niduIsZLvvI+OWMShRo8CEUJl9BKijQJhwvUVf\nUBNa1pVzonLxdt3eRTv93X4cu5ole6wO2DA19PWnlt/16XYw61/5naYckslQTRdc\nGvsIpb0=\n-----END CERTIFICATE-----\n",
 "Description": "HTTPS certificate",
 "Id": "1",
 "Issuer": {
 "City": "Portland",
 "CommonName": "XYZ CERTIFICATE AUTHORITY",
 "Country": "US",
 "Organization": "XYZ",
 "OrganizationalUnit": "IT",
 "State": "Oregon"
 },
 "KeyUsage": [],
 "Name": "HTTPS certificate",
 "Subject": {
 "City": "Austin",
 "CommonName": "xx.xx.xx.xx",
 "Country": "US",
 "Organization": "ABC Limited",
 "State": "AU"
 },
 "ValidNotAfter": "2021-01-23T21:13:40+00:00",
 "ValidNotBefore": "2019-09-11T21:13:40+00:00"
}
```
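As an added example (not part of the OpenBMC documentation or code base), a small Python helper for the two format conversions the steps above do by hand: turning the GenerateCSR response into device.csr (section B, step 3) and wrapping device.crt into certificate.json (section C, step 2). It checks the PEM framing and that the body decodes to DER before anything is sent to the BMC, so a mangled copy-paste is caught early; the sample PEM bodies are constructed placeholders, and CERT_URI is the certificate URI used on this page.

```python
import base64
import json

# Added example, not OpenBMC code. CERT_URI is the HTTPS certificate URI
# from the ReplaceCertificate request above.
CERT_URI = "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"


def check_pem(text: str, label: str) -> bytes:
    """Validate PEM framing for `label` and return the decoded DER bytes."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if (len(lines) < 3 or lines[0] != f"-----BEGIN {label}-----"
            or lines[-1] != f"-----END {label}-----"):
        raise ValueError(f"not a PEM {label} block")
    # A mangled paste (lost line, stray character) fails strict base64 here.
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    # Every X.509 certificate and PKCS#10 CSR is a DER SEQUENCE (tag 0x30).
    if not der or der[0] != 0x30:
        raise ValueError("decoded body is not a DER SEQUENCE")
    return der


def csr_response_to_pem(response_body: str) -> str:
    """Section B, step 3: CSRString from the JSON reply -> device.csr content."""
    csr = json.loads(response_body)["CSRString"]  # json.loads expands the \n escapes
    check_pem(csr, "CERTIFICATE REQUEST")
    return csr if csr.endswith("\n") else csr + "\n"


def pem_to_certificate_json(cert_pem: str, cert_uri: str = CERT_URI) -> str:
    """Section C, step 2: device.crt -> certificate.json body."""
    check_pem(cert_pem, "CERTIFICATE")
    body = {
        "CertificateString": cert_pem,  # json.dumps re-escapes newlines as \n
        "CertificateType": "PEM",
        "CertificateUri": {"@odata.id": cert_uri},
    }
    return json.dumps(body, indent=2)


# Constructed sample data: a minimal DER SEQUENCE stands in for a real CSR/cert.
_SAMPLE_DER_B64 = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
SAMPLE_CSR_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\n" + _SAMPLE_DER_B64
                  + "\n-----END CERTIFICATE REQUEST-----\n")
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n" + _SAMPLE_DER_B64
                   + "\n-----END CERTIFICATE-----\n")
SAMPLE_RESPONSE = json.dumps({"CSRString": SAMPLE_CSR_PEM,
                              "CertificateCollection": {"@odata.id": CERT_URI[:-1]}})

if __name__ == "__main__":
    open("device.csr", "w").write(csr_response_to_pem(SAMPLE_RESPONSE))
    open("certificate.json", "w").write(pem_to_certificate_json(SAMPLE_CERT_PEM))
```

On a real BMC, pipe the curl output of GenerateCSR into csr_response_to_pem and the contents of device.crt into pem_to_certificate_json in place of the constructed samples.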