## Steps to create and install CA signed certificate

To create and install a CA signed server certificate, follow these steps:

A. Create your own SSL certificate authority

B. Generate CSR for server certificate

C. Create CA signed server certificate using CSR request

D. Install CA signed server certificate


**Create your own SSL certificate authority**

1. Create a private key for the certificate authority (CA).

```
openssl genrsa -des3 -out rootCA.key 2048
```

Note: You will be prompted to give a password for the private key. This password will be needed whenever the private key is used.


2. Create a root CA certificate using the private key created in step 1.

```
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
```

This will start an interactive script to enter information that will be incorporated into your certificate request.

```
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Oregon
Locality Name (eg, city) []:Portland
Organization Name (eg, company) [Default Company Ltd]:XYZ
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:XYZ CERTIFICATE AUTHORITY
Email Address []:none@none.com
```

**Generate CSR for server certificate**

1. Create a CSR request file (csr_file.json) with all of the following fields.

```
{
  "City": <City Name>,
  "CertificateCollection": {
    "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/"
  },
  "CommonName": "<BMC_IP>",
  "Country": <Country Name>,
  "Organization": <Organization Name>,
  "OrganizationalUnit": <Organization Unit Name>,
  "State": <State Name>,
  "KeyPairAlgorithm": <RSA/EC>
}
```

Example:

```
{
  "City": "Austin",
  "CertificateCollection": {
    "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/"
  },
  "CommonName": "xx.xx.xx.xx",
  "Country": "US",
  "Organization": "ABC Limited",
  "OrganizationalUnit": "IT",
  "State": "AU",
  "KeyPairAlgorithm": "RSA"
}
```

2. Generate the CSR request using the following Redfish command.

```
$ curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST https://${BMC_IP}/redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR/ -d @csr_file.json
{
  "CSRString": "-----BEGIN CERTIFICATE REQUEST-----\nMIICyzCCAbMCAQEwgYUxDzANBgNVBAcMBkF1c3RpbjEUMBIGA1UEAwwLeHgueHgu\neHgueHgxCzAJBgNVBAYTAlVTMQ0wCwYEKw4DAgwDUlNBMR0wGwYDVR0lDBRTZXJ2\nZXJBdXRoZW50aWNhdGlvbjEUMBIGA1UECgwLQUJDIExpbWl0ZWQxCzAJBgNVBAgM\nAkFVMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7+OoXRmAI85W/5pB\nYjC5EdZ/atrPpkIxjT4sXANZLXm6/vkfR/BAxd5s8DYrifPjdfvJRv33cAPT6+pe\no/t793hdBx7Cwwzqlj3czfdbpvGp90I7BQ1OvKCo/NDmqeTm+5jphYpd8ZvKmBNC\nOfHV0sr3/dMPHME16aunDEHFJz1CzXpG5kSszRYbwcZrXC7rvmSi8UBX8BYoKWzx\nlAGdOYh9j5k/LVNQuKFJjqIfesYJ8fajgsJr8bj81o+bOzvG+zApvt+Ak8B8fqa7\nvET4jb1oeDuSi9D1/Xax+2qx3vInIQOOZz3OCVjxNLZMWOA+P86z59e/6YkXOg/Q\nkXG4uQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAOTLICzJiYerbWa6VyXv/w8b\nr160bNDvIRXJf8E2b5+27NinZb+65WVa6oxE9Ai7UEN+mHkbnDpb2vujp/wuROER\nrgmjstePJST+EqX5PuoSxbPhE0ucHw7dTZf9agfvNLlpgTUo/Lv9A2pCSDa5KZ13\nu96AFsFBjBuanUK2k7aoEc/Rl7JhfxUaXNszzYqDgwIHggYWbZO7Ku7HHbY1qYGR\nD0XaLUyXAxgB76mcud004zu7swTJxDlM+c5+i0yqflWQiVWEAOW9HDeHvnYmShuT\n+HS1vhv+x/9HDHowxiWOt2Th18uzdf+F0446fR8uoIrG1z7KdNoxipUnVKfyXTg=\n-----END CERTIFICATE REQUEST-----\n",
  "CertificateCollection": {
    "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/"
  }
}
```

3. Convert the response into a .csr file (device.csr).

```
$ cat device.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICyzCCAbMCAQEwgYUxDzANBgNVBAcMBkF1c3RpbjEUMBIGA1UEAwwLeHgueHgu
eHgueHgxCzAJBgNVBAYTAlVTMQ0wCwYEKw4DAgwDUlNBMR0wGwYDVR0lDBRTZXJ2
ZXJBdXRoZW50aWNhdGlvbjEUMBIGA1UECgwLQUJDIExpbWl0ZWQxCzAJBgNVBAgM
AkFVMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7+OoXRmAI85W/5pB
YjC5EdZ/atrPpkIxjT4sXANZLXm6/vkfR/BAxd5s8DYrifPjdfvJRv33cAPT6+pe
o/t793hdBx7Cwwzqlj3czfdbpvGp90I7BQ1OvKCo/NDmqeTm+5jphYpd8ZvKmBNC
OfHV0sr3/dMPHME16aunDEHFJz1CzXpG5kSszRYbwcZrXC7rvmSi8UBX8BYoKWzx
lAGdOYh9j5k/LVNQuKFJjqIfesYJ8fajgsJr8bj81o+bOzvG+zApvt+Ak8B8fqa7
vET4jb1oeDuSi9D1/Xax+2qx3vInIQOOZz3OCVjxNLZMWOA+P86z59e/6YkXOg/Q
kXG4uQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAOTLICzJiYerbWa6VyXv/w8b
r160bNDvIRXJf8E2b5+27NinZb+65WVa6oxE9Ai7UEN+mHkbnDpb2vujp/wuROER
rgmjstePJST+EqX5PuoSxbPhE0ucHw7dTZf9agfvNLlpgTUo/Lv9A2pCSDa5KZ13
u96AFsFBjBuanUK2k7aoEc/Rl7JhfxUaXNszzYqDgwIHggYWbZO7Ku7HHbY1qYGR
D0XaLUyXAxgB76mcud004zu7swTJxDlM+c5+i0yqflWQiVWEAOW9HDeHvnYmShuT
+HS1vhv+x/9HDHowxiWOt2Th18uzdf+F0446fR8uoIrG1z7KdNoxipUnVKfyXTg=
-----END CERTIFICATE REQUEST-----
```

**Create CA signed server certificate using CSR request**

1. Use the BMC generated CSR request (device.csr) to generate the CA signed certificate (device.crt).

```
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500 -sha256
```

Note: You will be prompted for the password of the CA private key (rootCA.key).


2. Create a JSON file (certificate.json) with the device.crt file created in step 1.

```
$ cat certificate.json
{
  "CertificateString": "-----BEGIN CERTIFICATE-----\nMIIDkTCCAnkCCQD7oPxudsyOjTANBgkqhkiG9w0BAQsFADCBjjELMAkGA1UEBhMC\nVVMxDzANBgNVBAgMBk9yZWdvbjERMA8GA1UEBwwIUG9ydGxhbmQxDDAKBgNVBAoM\nA1hZWjELMAkGA1UECwwCSVQxIjAgBgNVBAMMGVhZWiBDRVJUSUZJQ0FURSBBVVRI\nT1JJVFkxHDAaBgkqhkiG9w0BCQEWDW5vbmVAbm9uZS5jb20wHhcNMTkwOTEyMDkx\nMzQwWhcNMjEwMTI0MDkxMzQwWjCBhTEPMA0GA1UEBwwGQXVzdGluMRQwEgYDVQQD\nDAt4eC54eC54eC54eDELMAkGA1UEBhMCVVMxDTALBgQrDgMCDANSU0ExHTAbBgNV\nHSUMFFNlcnZlckF1dGhlbnRpY2F0aW9uMRQwEgYDVQQKDAtBQkMgTGltaXRlZDEL\nMAkGA1UECAwCQVUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDv46hd\nGYAjzlb/mkFiMLkR1n9q2s+mQjGNPixcA1ktebr++R9H8EDF3mzwNiuJ8+N1+8lG\n/fdwA9Pr6l6j+3v3eF0HHsLDDOqWPdzN91um8an3QjsFDU68oKj80Oap5Ob7mOmF\nil3xm8qYE0I58dXSyvf90w8cwTXpq6cMQcUnPULNekbmRKzNFhvBxmtcLuu+ZKLx\nQFfwFigpbPGUAZ05iH2PmT8tU1C4oUmOoh96xgnx9qOCwmvxuPzWj5s7O8b7MCm+\n34CTwHx+pru8RPiNvWh4O5KL0PX9drH7arHe8ichA45nPc4JWPE0tkxY4D4/zrPn\n17/piRc6D9CRcbi5AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJ+xLxyfBBpRXov/\noRVMyJSWRSSITfzvcZVMcbDXAWR591rdYPNmpmpuDSdtynIvJe33H9FyXRI1UMnw\n5BYpJrVjxxyEvIyoxbJSkLxjkO6TUJNI2w7wBJeUDpwdYWuwmUc6UfO5c5LGSb4z\nzbvfEdSsW+3pHuFopuhU8d/SR14rjZiGpU2MBF+/yEyUXmQ5jIU69UwvIvbch0Zy\naquTL4O3aL1Lc9ACVUsQ7mTUS+niduIsZLvvI+OWMShRo8CEUJl9BKijQJhwvUVf\nUBNa1pVzonLxdt3eRTv93X4cu5ole6wO2DA19PWnlt/16XYw61/5naYckslQTRdc\nGvsIpb0=\n-----END CERTIFICATE-----",
  "CertificateType": "PEM",
  "CertificateUri": {
    "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
  }
}
```


**Install CA signed server certificate**

Replace the server certificate using the JSON file with the CA signed certificate details (certificate.json) created above.

```
$ curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST https://${BMC_IP}/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate/ -d @certificate.json
{
  "@odata.context": "/redfish/v1/$metadata#Certificate.Certificate",
  "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1",
  "@odata.type": "#Certificate.v1_0_0.Certificate",
  "CertificateString": "-----BEGIN CERTIFICATE-----\nMIIDkTCCAnkCCQD7oPxudsyOjTANBgkqhkiG9w0BAQsFADCBjjELMAkGA1UEBhMC\nVVMxDzANBgNVBAgMBk9yZWdvbjERMA8GA1UEBwwIUG9ydGxhbmQxDDAKBgNVBAoM\nA1hZWjELMAkGA1UECwwCSVQxIjAgBgNVBAMMGVhZWiBDRVJUSUZJQ0FURSBBVVRI\nT1JJVFkxHDAaBgkqhkiG9w0BCQEWDW5vbmVAbm9uZS5jb20wHhcNMTkwOTEyMDkx\nMzQwWhcNMjEwMTI0MDkxMzQwWjCBhTEPMA0GA1UEBwwGQXVzdGluMRQwEgYDVQQD\nDAt4eC54eC54eC54eDELMAkGA1UEBhMCVVMxDTALBgQrDgMCDANSU0ExHTAbBgNV\nHSUMFFNlcnZlckF1dGhlbnRpY2F0aW9uMRQwEgYDVQQKDAtBQkMgTGltaXRlZDEL\nMAkGA1UECAwCQVUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDv46hd\nGYAjzlb/mkFiMLkR1n9q2s+mQjGNPixcA1ktebr++R9H8EDF3mzwNiuJ8+N1+8lG\n/fdwA9Pr6l6j+3v3eF0HHsLDDOqWPdzN91um8an3QjsFDU68oKj80Oap5Ob7mOmF\nil3xm8qYE0I58dXSyvf90w8cwTXpq6cMQcUnPULNekbmRKzNFhvBxmtcLuu+ZKLx\nQFfwFigpbPGUAZ05iH2PmT8tU1C4oUmOoh96xgnx9qOCwmvxuPzWj5s7O8b7MCm+\n34CTwHx+pru8RPiNvWh4O5KL0PX9drH7arHe8ichA45nPc4JWPE0tkxY4D4/zrPn\n17/piRc6D9CRcbi5AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJ+xLxyfBBpRXov/\noRVMyJSWRSSITfzvcZVMcbDXAWR591rdYPNmpmpuDSdtynIvJe33H9FyXRI1UMnw\n5BYpJrVjxxyEvIyoxbJSkLxjkO6TUJNI2w7wBJeUDpwdYWuwmUc6UfO5c5LGSb4z\nzbvfEdSsW+3pHuFopuhU8d/SR14rjZiGpU2MBF+/yEyUXmQ5jIU69UwvIvbch0Zy\naquTL4O3aL1Lc9ACVUsQ7mTUS+niduIsZLvvI+OWMShRo8CEUJl9BKijQJhwvUVf\nUBNa1pVzonLxdt3eRTv93X4cu5ole6wO2DA19PWnlt/16XYw61/5naYckslQTRdc\nGvsIpb0=\n-----END CERTIFICATE-----\n",
  "Description": "HTTPS certificate",
  "Id": "1",
  "Issuer": {
    "City": "Portland",
    "CommonName": "XYZ CERTIFICATE AUTHORITY",
    "Country": "US",
    "Organization": "XYZ",
    "OrganizationalUnit": "IT",
    "State": "Oregon"
  },
  "KeyUsage": [],
  "Name": "HTTPS certificate",
  "Subject": {
    "City": "Austin",
    "CommonName": "xx.xx.xx.xx",
    "Country": "US",
    "Organization": "ABC Limited",
    "State": "AU"
  },
  "ValidNotAfter": "2021-01-23T21:13:40+00:00",
  "ValidNotBefore": "2019-09-11T21:13:40+00:00"
}
```
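The three glue steps the procedure leaves to the reader, step B.3 (turning the GenerateCSR response into device.csr), step C.2 (wrapping device.crt into certificate.json with the `\n`-escaped PEM the BMC expects) and a sanity check on the ReplaceCertificate response from step D, as an added Python example that is not part of the original document or of the BMC project. The sample CSR, certificate and response below are constructed, and the expected CA common name and BMC IP are assumptions the caller supplies.

```python
import base64
import json
import re

# Constructed samples (not real keys); the base64 body is just b"constructed" encoded.
SAMPLE_CSR_RESPONSE = ('{"CSRString": "-----BEGIN CERTIFICATE REQUEST-----\\nY29uc3RydWN0ZWQ=\\n'
                       '-----END CERTIFICATE REQUEST-----\\n", "CertificateCollection": '
                       '{"@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/"}}')
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n"
SAMPLE_INSTALL_RESPONSE = json.dumps({  # shape of the ReplaceCertificate reply shown on this page
    "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1",
    "Issuer": {"CommonName": "XYZ CERTIFICATE AUTHORITY"},
    "Subject": {"CommonName": "xx.xx.xx.xx"}})
HTTPS_CERT_URI = "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.+?)\n-----END \1-----", re.S)

def pem_labels(text):
    """Labels of every PEM block in text; the base64 is decoded strictly so a mangled paste fails here."""
    labels = []
    for label, body in PEM_RE.findall(text):
        base64.b64decode("".join(body.split()), validate=True)  # raises binascii.Error on corruption
        labels.append(label)
    return labels

def csr_from_response(response_text):
    """Step B.3: pull CSRString out of the GenerateCSR response; this text is written to device.csr."""
    csr = json.loads(response_text)["CSRString"]
    if pem_labels(csr) != ["CERTIFICATE REQUEST"]:
        raise ValueError("response does not carry exactly one certificate request")
    return csr

def certificate_json(cert_pem, cert_uri=HTTPS_CERT_URI):
    """Step C.2: build certificate.json from device.crt; json.dumps escapes newlines as \\n as the page shows."""
    labels = pem_labels(cert_pem)
    if labels != ["CERTIFICATE"]:  # refuse a CSR or a private key pasted by mistake
        raise ValueError(f"expected exactly one CERTIFICATE block, got {labels}")
    return json.dumps({"CertificateString": cert_pem, "CertificateType": "PEM",
                       "CertificateUri": {"@odata.id": cert_uri}}, indent=1)

def check_installed(response_text, ca_common_name, bmc_ip):
    """Step D: compare the ReplaceCertificate reply with what was signed; returns a list of mismatches."""
    r = json.loads(response_text)
    expected = {"@odata.id": (r.get("@odata.id"), HTTPS_CERT_URI),
                "Issuer.CommonName": (r.get("Issuer", {}).get("CommonName"), ca_common_name),
                "Subject.CommonName": (r.get("Subject", {}).get("CommonName"), bmc_ip)}
    return [f"{k}: got {got!r}, expected {want!r}" for k, (got, want) in expected.items() if got != want]
```

An empty list from `check_installed` means the HTTPS slot now holds a certificate issued by your CA for the intended BMC; anything else is worth investigating before trusting the endpoint.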