## Steps to create and install CA signed certificate

To create and install a CA signed server certificate, follow these steps:

A. Create your own SSL certificate authority
B. Generate CSR for server certificate
C. Create CA signed server certificate using CSR request
D. Install CA signed server certificate

**Create your own SSL certificate authority**

1. Create a private key for the certificate authority (CA).

```
openssl genrsa -des3 -out rootCA.key 2048
```

Note: You will be prompted for a password for the private key. This password is required whenever the private key is used.

2. Create a root CA certificate using the private key created in step 1.

```
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
```

This starts an interactive prompt for the information that will be incorporated into your certificate request:

```
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Oregon
Locality Name (eg, city) []:Portland
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Overlords
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:Data Center Overlords
Email Address []:none@none.com
```

**Generate CSR for server certificate**

1. Create the CSR request file (csr_file.json) with all of the following fields. Every value is a JSON string, so replace each placeholder with a quoted value; `KeyPairAlgorithm` is either `"RSA"` or `"EC"`.

```
{
  "City": "<City Name>",
  "CertificateCollection": {
    "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/"
  },
  "CommonName": "<BMC_IP>",
  "Country": "<Country Name>",
  "Organization": "<Organization Name>",
  "OrganizationalUnit": "<Organization Unit Name>",
  "State": "<State Name>",
  "KeyPairAlgorithm": "<RSA or EC>"
}
```

Example:

```
{
  "City": "Austin",
  "CertificateCollection": {
    "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/"
  },
  "CommonName": "9.3.111.222",
  "Country": "US",
  "Organization": "IBM",
  "OrganizationalUnit": "ISL",
  "State": "AU",
  "KeyPairAlgorithm": "RSA"
}
```

2. Generate the CSR using the following Redfish command.

```
$ curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST https://${BMC_IP}/redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR/ -d @csr_file.json
{
  "CSRString": "-----BEGIN CERTIFICATE REQUEST-----\nMIIBZzCCARECAQEwgasxJTAjBgNVHREMHHdzYm1jMDE1LmF1cy5zdGdsYWJzLmli\nbS5jb20xDzANBgNVBAcMBkF1c3RpbjESMBAGA1UEAwwJOS4zLjIxLjU1MQ8wDQYD\nVQQpDAZteW5hbWUxCzAJBgNVBAYTAlVTMQ0wCwYEKw4DAgwDUlNBMRUwEwYDVR0P\nDAxLZXlBZ3JlZW1lbnQxDDAKBgNVBAoMA0lCTTELMAkGA1UECAwCQVUwXDANBgkq\nhkiG9w0BAQEFAANLADBIAkEAwY9eVEdOobpT646Ssn7QmcxLeoWnCIulyP3hKR2f\n4E8Cy3FdO/j3HlrlKxJijB8eBDmdB0zR8CnVUipUcknj4QIDAQABoAAwDQYJKoZI\nhvcNAQELBQADQQBcKCRdSZxqKoH7h4uta27Qchna88ljrJwX3PLqNES5nyCUaacx\ne8Xqddi9iG7FcnULE9VLzhpr86UTZV4393+s\n-----END CERTIFICATE REQUEST-----\n",
  "CertificateCollection": {
    "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/"
  }
}
```

3. Convert the `CSRString` value from the response into a .csr file (device.csr). The value is a PEM block whose line breaks are JSON `\n` escapes; write it out with real newlines.

```
$ cat device.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIBZzCCARECAQEwgasxJTAjBgNVHREMHHdzYm1jMDE1LmF1cy5zdGdsYWJzLmli
bS5jb20xDzANBgNVBAcMBkF1c3RpbjESMBAGA1UEAwwJOS4zLjIxLjU1MQ8wDQYD
VQQpDAZteW5hbWUxCzAJBgNVBAYTAlVTMQ0wCwYEKw4DAgwDUlNBMRUwEwYDVR0P
DAxLZXlBZ3JlZW1lbnQxDDAKBgNVBAoMA0lCTTELMAkGA1UECAwCQVUwXDANBgkq
hkiG9w0BAQEFAANLADBIAkEAwY9eVEdOobpT646Ssn7QmcxLeoWnCIulyP3hKR2f
4E8Cy3FdO/j3HlrlKxJijB8eBDmdB0zR8CnVUipUcknj4QIDAQABoAAwDQYJKoZI
hvcNAQELBQADQQBcKCRdSZxqKoH7h4uta27Qchna88ljrJwX3PLqNES5nyCUaacx
e8Xqddi9iG7FcnULE9VLzhpr86UTZV4393+s
-----END CERTIFICATE REQUEST-----
```

**Create CA signed server certificate using CSR request**

1. Use the BMC generated CSR (device.csr) to generate the CA signed certificate (device.crt).

```
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500 -sha256
```

2. Create a JSON file (certificate.json) containing the device.crt file created in step 1.

```
$ cat certificate.json
{
  "CertificateString": "-----BEGIN CERTIFICATE-----\nMIIC+TCCAeECCQCk+dNJDXfI1jANBgkqhkiG9w0BAQsFADCBmDELMAkGA1UEBhMC\nSU4xDjAMBgNVBAgMBURFTEhJMQ4wDAYDVQQHDAVERUxISTEeMBwGA1UECgwVQ0VS\nVElGSUNBVEUgQVVUSE9SSVRZMQswCQYDVQQLDAJJVDEeMBwGA1UEAwwVRGF0YSBD\nZW50ZXIgT3ZlcmxvcmRzMRwwGgYJKoZIhvcNAQkBFg1ub25lQG5vbmUuY29tMB4X\nDTE5MDYyNzExMTczNloXDTIwMTEwODExMTczNlowgasxJTAjBgNVHREMHHdzYm1j\nMDE1LmF1cy5zdGdsYWJzLmlibS5jb20xDzANBgNVBAcMBkF1c3RpbjESMBAGA1UE\nAwwJOS4zLjIxLjU1MQ8wDQYDVQQpDAZteW5hbWUxCzAJBgNVBAYTAlVTMQ0wCwYE\nKw4DAgwDUlNBMRUwEwYDVR0PDAxLZXlBZ3JlZW1lbnQxDDAKBgNVBAoMA0lCTTEL\nMAkGA1UECAwCQVUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAwY9eVEdOobpT646S\nsn7QmcxLeoWnCIulyP3hKR2f4E8Cy3FdO/j3HlrlKxJijB8eBDmdB0zR8CnVUipU\ncknj4QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAcYmkbcznFfOm9bDuIeXHzNSus\nEwOhAberTXWvPMtjbDTmbVH5dRPU+DmgS+LEl2jhYC414R89EUApjrXmk1PzlBrN\nXEnBf9+OHOHOH7H4AIni3diw9PRzEdW5ENHUiOIVoq7LxWP+RknSHGl8AfOghX/3\n6eRgtpIp+fTYwJkGdZaKb9cI5XXk0Eh1cZZ3W43PNsKbuv1BGLGjJVRRaswF9nb1\ng2M4iZLtVXltdkyHW/Z6TUWvG+9+TYuKingixv0toaWyRGexjC1CeRORGhyYW8Dz\niGipRCWmVo97MC5sWtQjVAshB1TY6rUqipxzW9SqyjplBD+AHySY/IqGM+wU\n-----END CERTIFICATE-----\n",
  "CertificateType": "PEM",
  "CertificateUri": {
    "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
  }
}
```

**Install CA signed server certificate**

Replace the server certificate by posting the JSON file created above with the CA signed certificate details (certificate.json).

```
$ curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST https://${BMC_IP}/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate/ -d @certificate.json
{
  "@odata.context": "/redfish/v1/$metadata#Certificate.Certificate",
  "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1",
  "@odata.type": "#Certificate.v1_0_0.Certificate",
  "CertificateString": "-----BEGIN CERTIFICATE-----\nMIIC+TCCAeECCQCk+dNJDXfI1jANBgkqhkiG9w0BAQsFADCBmDELMAkGA1UEBhMC\nSU4xDjAMBgNVBAgMBURFTEhJMQ4wDAYDVQQHDAVERUxISTEeMBwGA1UECgwVQ0VS\nVElGSUNBVEUgQVVUSE9SSVRZMQswCQYDVQQLDAJJVDEeMBwGA1UEAwwVRGF0YSBD\nZW50ZXIgT3ZlcmxvcmRzMRwwGgYJKoZIhvcNAQkBFg1ub25lQG5vbmUuY29tMB4X\nDTE5MDYyNzExMTczNloXDTIwMTEwODExMTczNlowgasxJTAjBgNVHREMHHdzYm1j\nMDE1LmF1cy5zdGdsYWJzLmlibS5jb20xDzANBgNVBAcMBkF1c3RpbjESMBAGA1UE\nAwwJOS4zLjIxLjU1MQ8wDQYDVQQpDAZteW5hbWUxCzAJBgNVBAYTAlVTMQ0wCwYE\nKw4DAgwDUlNBMRUwEwYDVR0PDAxLZXlBZ3JlZW1lbnQxDDAKBgNVBAoMA0lCTTEL\nMAkGA1UECAwCQVUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAwY9eVEdOobpT646S\nsn7QmcxLeoWnCIulyP3hKR2f4E8Cy3FdO/j3HlrlKxJijB8eBDmdB0zR8CnVUipU\ncknj4QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAcYmkbcznFfOm9bDuIeXHzNSus\nEwOhAberTXWvPMtjbDTmbVH5dRPU+DmgS+LEl2jhYC414R89EUApjrXmk1PzlBrN\nXEnBf9+OHOHOH7H4AIni3diw9PRzEdW5ENHUiOIVoq7LxWP+RknSHGl8AfOghX/3\n6eRgtpIp+fTYwJkGdZaKb9cI5XXk0Eh1cZZ3W43PNsKbuv1BGLGjJVRRaswF9nb1\ng2M4iZLtVXltdkyHW/Z6TUWvG+9+TYuKingixv0toaWyRGexjC1CeRORGhyYW8Dz\niGipRCWmVo97MC5sWtQjVAshB1TY6rUqipxzW9SqyjplBD+AHySY/IqGM+wU\n-----END CERTIFICATE-----\n",
  "Description": "HTTPS certificate",
  "Id": "1",
  "Issuer": {
    "City": "DELHI",
    "CommonName": "Data Center Overlords",
    "Country": "IN",
    "Organization": "CERTIFICATE AUTHORITY",
    "OrganizationalUnit": "IT",
    "State": "DELHI"
  },
  "KeyUsage": [],
  "Name": "HTTPS certificate",
  "Subject": {
    "City": "Austin",
    "CommonName": "9.3.111.222",
    "Country": "US",
    "Organization": "IBM",
    "State": "AU"
  },
  "ValidNotAfter": "2020-11-07T23:17:36+00:00",
  "ValidNotBefore": "2019-06-26T23:17:36+00:00"
}
```
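The procedure in sections B through D, from building csr_file.json to the ReplaceCertificate call, as an added Python example that is not part of the OpenBMC documentation or code. It uses only the standard library, builds the two request bodies as JSON objects rather than hand-edited templates, checks that what comes back from the BMC and what goes into certificate.json really are PEM blocks of the right type, and adds a post-install check that the BMC now serves a certificate chaining to rootCA.pem. The environment variables `BMC_IP` and `BMC_TOKEN`, the function names, and the working-directory file names are this example's own assumptions; rootCA.key and rootCA.pem are expected to exist from section A, and the openssl binary is shelled out to for the signing step in section C.

```python
"""Added example (not part of the OpenBMC documentation or code): drives the page's
CSR -> sign -> install flow and adds the checks a practitioner wants around it.
Assumptions, hypothetical and not from the page: BMC address and session token come
from the environment variables BMC_IP and BMC_TOKEN; rootCA.key and rootCA.pem exist
from the page's openssl steps; the openssl binary is on PATH for the signing step."""
import base64
import binascii
import json
import os
import ssl
import subprocess
import urllib.request

CERT_COLLECTION = "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/"
ACTIONS = "/redfish/v1/CertificateService/Actions/"


def is_pem(text, label):
    """True if text is one well-formed PEM block of the given type with a base64 body."""
    lines = text.strip().splitlines()
    if (len(lines) < 3 or lines[0] != f"-----BEGIN {label}-----"
            or lines[-1] != f"-----END {label}-----"):
        return False
    try:
        base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error:
        return False
    return True


def build_csr_request(city, country, org, org_unit, state, common_name, key_alg="RSA"):
    """Body for CertificateService.GenerateCSR (the page's csr_file.json). json.dumps
    quotes every value; a bare <placeholder> left in the template is invalid JSON."""
    if key_alg not in ("RSA", "EC"):
        raise ValueError("KeyPairAlgorithm must be RSA or EC")
    return {"City": city, "CertificateCollection": {"@odata.id": CERT_COLLECTION},
            "CommonName": common_name, "Country": country, "Organization": org,
            "OrganizationalUnit": org_unit, "State": state, "KeyPairAlgorithm": key_alg}


def csr_response_to_pem(response_body):
    """device.csr from the GenerateCSR response: the BMC returns the PEM as one JSON
    string with escaped newlines, which json.loads turns back into line breaks."""
    csr = json.loads(response_body)["CSRString"]
    if not is_pem(csr, "CERTIFICATE REQUEST"):
        raise ValueError("CSRString is not a PEM certificate request")
    return csr


def build_replace_request(cert_pem, cert_id="1"):
    """Body for CertificateService.ReplaceCertificate (the page's certificate.json)."""
    if not is_pem(cert_pem, "CERTIFICATE"):
        raise ValueError("device.crt is not a PEM certificate")
    return {"CertificateString": cert_pem, "CertificateType": "PEM",
            "CertificateUri": {"@odata.id": CERT_COLLECTION + cert_id}}


def sign_csr(csr_path="device.csr", crt_path="device.crt", days=500):
    """Step C.1 of the page; openssl prompts for the rootCA.key password."""
    subprocess.run(["openssl", "x509", "-req", "-in", csr_path, "-CA", "rootCA.pem",
                    "-CAkey", "rootCA.key", "-CAcreateserial", "-out", crt_path,
                    "-days", str(days), "-sha256"], check=True)


def redfish_post(bmc_ip, token, action, body, cafile=None):
    """POST a Redfish action. cafile=None skips TLS verification like the page's curl -k,
    acceptable only before the CA-signed certificate is installed; afterwards pass
    cafile="rootCA.pem" so the BMC's new certificate is actually checked."""
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        f"https://{bmc_ip}{ACTIONS}{action}/", data=json.dumps(body).encode(),
        method="POST", headers={"X-Auth-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()


def bmc_presents_trusted_cert(bmc_ip, ca_path="rootCA.pem"):
    """Post-install check: the certificate the BMC now serves must chain to rootCA.pem;
    ssl.get_server_certificate raises an OSError subclass when it does not."""
    try:
        return bool(ssl.get_server_certificate((bmc_ip, 443), ca_certs=ca_path))
    except OSError:
        return False


def main():
    bmc_ip, token = os.environ["BMC_IP"], os.environ["BMC_TOKEN"]
    body = build_csr_request("Austin", "US", "IBM", "ISL", "AU", bmc_ip)
    csr = csr_response_to_pem(redfish_post(bmc_ip, token, "CertificateService.GenerateCSR", body))
    with open("device.csr", "w") as f:
        f.write(csr)
    sign_csr()
    with open("device.crt") as f:
        cert = f.read()
    print(redfish_post(bmc_ip, token, "CertificateService.ReplaceCertificate",
                       build_replace_request(cert)))
    print("BMC certificate chains to rootCA.pem:", bmc_presents_trusted_cert(bmc_ip))


if __name__ == "__main__":
    main()
```

Run it with `BMC_IP` and `BMC_TOKEN` set; it writes device.csr and device.crt in the current directory. Before installing, `openssl verify -CAfile rootCA.pem device.crt` confirms locally that the signature in step C.1 is correct. Two points the page's commands leave implicit: `curl -k` (and `cafile=None` here) disables certificate checking, which cannot be avoided while the BMC still serves its factory certificate but should not be used once the CA-signed one is installed; and `openssl x509 -req` as written on the page adds no extensions to device.crt (the installed certificate's `"KeyUsage": []` in the page's response is consistent with that), so the certificate carries no subjectAltName and clients that require one will reject it even though it chains to rootCA.pem. Passing `-extfile` with a file containing `subjectAltName = IP:<BMC_IP>` to the signing command addresses that.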