## Steps to create and install CA signed certificate

To create and install a CA signed server certificate, follow these steps:

A. Create your own SSL certificate authority
B. Generate CSR for server certificate
C. Create CA signed server certificate using CSR request
D. Install CA signed server certificate

**Create your own SSL certificate authority**

1. Create a private key for the certificate authority (CA).

```
openssl genrsa -des3 -out rootCA.key 2048
```

Note: You will be prompted to give a password for the private key. This password will be asked for whenever the private key is used.

2. Create a root CA certificate using the private key created in step 1.

```
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
```

This will start an interactive script to enter the information that will be incorporated into the CA certificate (the prompt calls it a certificate request). Because `rootCA.key` is encrypted, you will first be asked for its password; `-nodes` only affects keys that `openssl req` generates itself.

```
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Oregon
Locality Name (eg, city) []:Portland
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Overlords
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:Data Center Overlords
Email Address []:none@none.com
```

**Generate CSR for server certificate**

1. Create the CSR request file (csr_file.json) with all of the following fields.

```
{
  "City": <City Name>,
  "CertificateCollection": {
    "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/"
  },
  "CommonName": "<BMC_IP>",
  "Country": <Country Name>,
  "Organization": <Organization Name>,
  "OrganizationalUnit": <Organization Unit Name>,
  "State": <State Name>,
  "KeyPairAlgorithm": <RSA/EC>
}
```

Example:

```
{
  "City": "Austin",
  "CertificateCollection": {
    "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/"
  },
  "CommonName": "9.3.111.222",
  "Country": "US",
  "Organization": "IBM",
  "OrganizationalUnit": "ISL",
  "State": "AU",
  "KeyPairAlgorithm": "RSA"
}
```

2. Generate the CSR using the following Redfish command.

```
$ curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST https://${BMC_IP}/redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR/ -d @csr_file.json
{
  "CSRString": "-----BEGIN CERTIFICATE REQUEST-----\nMIIBZzCCARECAQEwgasxJTAjBgNVHREMHHdzYm1jMDE1LmF1cy5zdGdsYWJzLmli\nbS5jb20xDzANBgNVBAcMBkF1c3RpbjESMBAGA1UEAwwJOS4zLjIxLjU1MQ8wDQYD\nVQQpDAZteW5hbWUxCzAJBgNVBAYTAlVTMQ0wCwYEKw4DAgwDUlNBMRUwEwYDVR0P\nDAxLZXlBZ3JlZW1lbnQxDDAKBgNVBAoMA0lCTTELMAkGA1UECAwCQVUwXDANBgkq\nhkiG9w0BAQEFAANLADBIAkEAwY9eVEdOobpT646Ssn7QmcxLeoWnCIulyP3hKR2f\n4E8Cy3FdO/j3HlrlKxJijB8eBDmdB0zR8CnVUipUcknj4QIDAQABoAAwDQYJKoZI\nhvcNAQELBQADQQBcKCRdSZxqKoH7h4uta27Qchna88ljrJwX3PLqNES5nyCUaacx\ne8Xqddi9iG7FcnULE9VLzhpr86UTZV4393+s\n-----END CERTIFICATE REQUEST-----\n",
  "CertificateCollection": {
    "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/"
  }
}
```

3. Convert the `CSRString` value from the response into a .csr file (device.csr): write out the PEM text with each `\n` escape expanded into a real line break.

```
$ cat device.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIBZzCCARECAQEwgasxJTAjBgNVHREMHHdzYm1jMDE1LmF1cy5zdGdsYWJzLmli
bS5jb20xDzANBgNVBAcMBkF1c3RpbjESMBAGA1UEAwwJOS4zLjIxLjU1MQ8wDQYD
VQQpDAZteW5hbWUxCzAJBgNVBAYTAlVTMQ0wCwYEKw4DAgwDUlNBMRUwEwYDVR0P
DAxLZXlBZ3JlZW1lbnQxDDAKBgNVBAoMA0lCTTELMAkGA1UECAwCQVUwXDANBgkq
hkiG9w0BAQEFAANLADBIAkEAwY9eVEdOobpT646Ssn7QmcxLeoWnCIulyP3hKR2f
4E8Cy3FdO/j3HlrlKxJijB8eBDmdB0zR8CnVUipUcknj4QIDAQABoAAwDQYJKoZI
hvcNAQELBQADQQBcKCRdSZxqKoH7h4uta27Qchna88ljrJwX3PLqNES5nyCUaacx
e8Xqddi9iG7FcnULE9VLzhpr86UTZV4393+s
-----END CERTIFICATE REQUEST-----
```

**Create CA signed server certificate using CSR request**

1. Use the BMC generated CSR (device.csr) to generate the CA signed certificate (device.crt).

```
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500 -sha256
```

Note: `openssl x509 -req` does not carry the extensions in the CSR (such as a subjectAltName) over into the signed certificate; if you need them, supply them with `-extfile`.

2. Create a JSON file (certificate.json) with the device.crt file created in step 1.

```
$ cat certificate.json
{
  "CertificateString": "-----BEGIN CERTIFICATE-----\nMIIC+TCCAeECCQCk+dNJDXfI1jANBgkqhkiG9w0BAQsFADCBmDELMAkGA1UEBhMC\nSU4xDjAMBgNVBAgMBURFTEhJMQ4wDAYDVQQHDAVERUxISTEeMBwGA1UECgwVQ0VS\nVElGSUNBVEUgQVVUSE9SSVRZMQswCQYDVQQLDAJJVDEeMBwGA1UEAwwVRGF0YSBD\nZW50ZXIgT3ZlcmxvcmRzMRwwGgYJKoZIhvcNAQkBFg1ub25lQG5vbmUuY29tMB4X\nDTE5MDYyNzExMTczNloXDTIwMTEwODExMTczNlowgasxJTAjBgNVHREMHHdzYm1j\nMDE1LmF1cy5zdGdsYWJzLmlibS5jb20xDzANBgNVBAcMBkF1c3RpbjESMBAGA1UE\nAwwJOS4zLjIxLjU1MQ8wDQYDVQQpDAZteW5hbWUxCzAJBgNVBAYTAlVTMQ0wCwYE\nKw4DAgwDUlNBMRUwEwYDVR0PDAxLZXlBZ3JlZW1lbnQxDDAKBgNVBAoMA0lCTTEL\nMAkGA1UECAwCQVUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAwY9eVEdOobpT646S\nsn7QmcxLeoWnCIulyP3hKR2f4E8Cy3FdO/j3HlrlKxJijB8eBDmdB0zR8CnVUipU\ncknj4QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAcYmkbcznFfOm9bDuIeXHzNSus\nEwOhAberTXWvPMtjbDTmbVH5dRPU+DmgS+LEl2jhYC414R89EUApjrXmk1PzlBrN\nXEnBf9+OHOHOH7H4AIni3diw9PRzEdW5ENHUiOIVoq7LxWP+RknSHGl8AfOghX/3\n6eRgtpIp+fTYwJkGdZaKb9cI5XXk0Eh1cZZ3W43PNsKbuv1BGLGjJVRRaswF9nb1\ng2M4iZLtVXltdkyHW/Z6TUWvG+9+TYuKingixv0toaWyRGexjC1CeRORGhyYW8Dz\niGipRCWmVo97MC5sWtQjVAshB1TY6rUqipxzW9SqyjplBD+AHySY/IqGM+wU\n-----END CERTIFICATE-----\n",
  "CertificateType": "PEM",
  "CertificateUri":
  {
    "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
  }
}
```

**Install CA signed server certificate**

Replace the server certificate by posting the JSON file created above (certificate.json), which carries the CA signed certificate details.

```
$ curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST https://${BMC_IP}/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate/ -d @certificate.json
{
  "@odata.context": "/redfish/v1/$metadata#Certificate.Certificate",
  "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1",
  "@odata.type": "#Certificate.v1_0_0.Certificate",
  "CertificateString": "-----BEGIN CERTIFICATE-----\nMIIC+TCCAeECCQCk+dNJDXfI1jANBgkqhkiG9w0BAQsFADCBmDELMAkGA1UEBhMC\nSU4xDjAMBgNVBAgMBURFTEhJMQ4wDAYDVQQHDAVERUxISTEeMBwGA1UECgwVQ0VS\nVElGSUNBVEUgQVVUSE9SSVRZMQswCQYDVQQLDAJJVDEeMBwGA1UEAwwVRGF0YSBD\nZW50ZXIgT3ZlcmxvcmRzMRwwGgYJKoZIhvcNAQkBFg1ub25lQG5vbmUuY29tMB4X\nDTE5MDYyNzExMTczNloXDTIwMTEwODExMTczNlowgasxJTAjBgNVHREMHHdzYm1j\nMDE1LmF1cy5zdGdsYWJzLmlibS5jb20xDzANBgNVBAcMBkF1c3RpbjESMBAGA1UE\nAwwJOS4zLjIxLjU1MQ8wDQYDVQQpDAZteW5hbWUxCzAJBgNVBAYTAlVTMQ0wCwYE\nKw4DAgwDUlNBMRUwEwYDVR0PDAxLZXlBZ3JlZW1lbnQxDDAKBgNVBAoMA0lCTTEL\nMAkGA1UECAwCQVUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAwY9eVEdOobpT646S\nsn7QmcxLeoWnCIulyP3hKR2f4E8Cy3FdO/j3HlrlKxJijB8eBDmdB0zR8CnVUipU\ncknj4QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAcYmkbcznFfOm9bDuIeXHzNSus\nEwOhAberTXWvPMtjbDTmbVH5dRPU+DmgS+LEl2jhYC414R89EUApjrXmk1PzlBrN\nXEnBf9+OHOHOH7H4AIni3diw9PRzEdW5ENHUiOIVoq7LxWP+RknSHGl8AfOghX/3\n6eRgtpIp+fTYwJkGdZaKb9cI5XXk0Eh1cZZ3W43PNsKbuv1BGLGjJVRRaswF9nb1\ng2M4iZLtVXltdkyHW/Z6TUWvG+9+TYuKingixv0toaWyRGexjC1CeRORGhyYW8Dz\niGipRCWmVo97MC5sWtQjVAshB1TY6rUqipxzW9SqyjplBD+AHySY/IqGM+wU\n-----END CERTIFICATE-----\n",
  "Description": "HTTPS certificate",
  "Id": "1",
  "Issuer": {
    "City": "DELHI",
    "CommonName": "Data Center Overlords",
    "Country": "IN",
    "Organization": "CERTIFICATE AUTHORITY",
    "OrganizationalUnit": "IT",
    "State": "DELHI"
  },
  "KeyUsage": [],
  "Name": "HTTPS certificate",
  "Subject": {
    "City": "Austin",
    "CommonName": "9.3.111.222",
    "Country": "US",
    "Organization": "IBM",
    "State": "AU"
  },
  "ValidNotAfter": "2020-11-07T23:17:36+00:00",
  "ValidNotBefore": "2019-06-26T23:17:36+00:00"
}
```

Note: `-k` makes curl skip verification of the BMC's TLS certificate, which is needed only while the BMC still presents its default self-signed certificate. Once the CA signed certificate is installed, drop `-k` and pass `--cacert rootCA.pem` instead, so that curl verifies the BMC against your own CA.
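The two conversions the procedure leaves to the reader, step B.3 (response to device.csr) and step C.2 (device.crt to certificate.json), as an added POSIX shell helper that is not part of the original document; the function names are my own, the file names and Redfish URIs are the page's, and the same field extractor also reads the `CertificateString` that ReplaceCertificate returns, which lets you confirm what the BMC actually installed.

```shell
#!/bin/sh
# Added helper functions (not from the OpenBMC docs) for steps B.3 and C.2.
# Needs only POSIX sh, sed and tr; verify_signed_cert additionally needs openssl.

# Pull a PEM-carrying string field out of a pretty-printed Redfish reply read
# from stdin (CSRString in the GenerateCSR reply, CertificateString in the
# ReplaceCertificate reply) and expand its "\n" escapes into real line breaks.
json_pem_field() {
    field=$1
    # The value is the only quoted string on its line and contains no '"',
    # so everything between the outer quotes is the escaped PEM text.
    sed -n "s/^[[:space:]]*\"$field\":[[:space:]]*\"\\(.*\\)\".*\$/\\1/p" |
        while IFS= read -r escaped; do printf '%b' "$escaped"; done
}

# Step B.3: GenerateCSR response on stdin -> contents of device.csr on stdout.
csr_from_response() {
    json_pem_field CSRString
}

# Step C.2: wrap a PEM file as the body ReplaceCertificate expects. The file
# becomes one JSON string with literal "\n" separators; the URI defaults to
# the HTTPS certificate slot used on the page.
cert_json_from_pem() {
    pem_file=$1
    cert_uri=${2:-/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1}
    # Append a literal \n to every line, then delete the real newlines.
    escaped=$(sed 's/$/\\n/' "$pem_file" | tr -d '\n')
    printf '{\n  "CertificateString": "%s",\n  "CertificateType": "PEM",\n  "CertificateUri": {\n    "@odata.id": "%s"\n  }\n}\n' \
        "$escaped" "$cert_uri"
}

# Pre-upload check on the output of step C.1: device.crt must validate
# against the CA from section A, and its subject and dates should match
# what was requested in csr_file.json.
verify_signed_cert() {
    openssl verify -CAfile rootCA.pem "$1" &&
        openssl x509 -in "$1" -noout -subject -dates
}

# Usage:
#   curl ... CertificateService.GenerateCSR/ -d @csr_file.json | csr_from_response > device.csr
#   verify_signed_cert device.crt
#   cert_json_from_pem device.crt > certificate.json
```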