## Steps to create and install CA signed certificate

To create and install a CA signed server certificate, follow these steps:

A. Create your own SSL certificate authority
B. Generate CSR for server certificate
C. Create CA signed server certificate using CSR request
D. Install CA signed server certificate

**Create your own SSL certificate authority**

1. Create the private key for the certificate authority (CA).

```
openssl genrsa -des3 -out rootCA.key 2048
```

Note: You will be prompted for a passphrase for the private key. This passphrase is required every time the key is used, for example each time you sign a CSR in step C. Keep rootCA.key off the BMC and away from shared storage: whoever holds it can issue certificates that every client trusting rootCA.pem will accept.

2. Create a root CA certificate using the private key created in step 1.

```
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
```

This starts an interactive prompt for the Distinguished Name (DN) fields of the CA certificate. The values you enter here are what later shows up in the `Issuer` block of the BMC's certificate resource.

```
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Oregon
Locality Name (eg, city) []:Portland
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Overlords
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:Data Center Overlords
Email Address []:none@none.com
```

**Generate CSR for server certificate**

1. Create the CSR request file (csr_file.json) with all of the following fields. Every placeholder must be supplied as a quoted JSON string; `CommonName` should be the hostname or IP address that clients will use to reach the BMC. The private key for the certificate is generated on the BMC and never leaves it; only the CSR comes back.

```
{
  "City": "<City Name>",
  "CertificateCollection": {
    "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/"
  },
  "CommonName": "<BMC_IP>",
  "Country": "<Country Name>",
  "Organization": "<Organization Name>",
  "OrganizationalUnit": "<Organization Unit Name>",
  "State": "<State Name>",
  "KeyPairAlgorithm": "<RSA or EC>"
}
```

Example:

```
{
  "City": "Austin",
  "CertificateCollection": {
    "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/"
  },
  "CommonName": "9.3.111.222",
  "Country": "US",
  "Organization": "IBM",
  "OrganizationalUnit": "ISL",
  "State": "AU",
  "KeyPairAlgorithm": "RSA"
}
```

2. Generate the CSR using the following Redfish action. The `-k` flag is needed here only because the BMC is still serving its factory self-signed certificate; once the CA signed certificate is installed, verify against rootCA.pem instead of disabling verification.

```
$ curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST https://${BMC_IP}/redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR/ -d @csr_file.json
{
  "CSRString": "-----BEGIN CERTIFICATE REQUEST-----\nMIIBZzCCARECAQEwgasxJTAjBgNVHREMHHdzYm1jMDE1LmF1cy5zdGdsYWJzLmli\nbS5jb20xDzANBgNVBAcMBkF1c3RpbjESMBAGA1UEAwwJOS4zLjIxLjU1MQ8wDQYD\nVQQpDAZteW5hbWUxCzAJBgNVBAYTAlVTMQ0wCwYEKw4DAgwDUlNBMRUwEwYDVR0P\nDAxLZXlBZ3JlZW1lbnQxDDAKBgNVBAoMA0lCTTELMAkGA1UECAwCQVUwXDANBgkq\nhkiG9w0BAQEFAANLADBIAkEAwY9eVEdOobpT646Ssn7QmcxLeoWnCIulyP3hKR2f\n4E8Cy3FdO/j3HlrlKxJijB8eBDmdB0zR8CnVUipUcknj4QIDAQABoAAwDQYJKoZI\nhvcNAQELBQADQQBcKCRdSZxqKoH7h4uta27Qchna88ljrJwX3PLqNES5nyCUaacx\ne8Xqddi9iG7FcnULE9VLzhpr86UTZV4393+s\n-----END CERTIFICATE REQUEST-----\n",
  "CertificateCollection": {
    "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/"
  }
}
```

3. Convert the response into a .csr file (device.csr). `CSRString` is the PEM request as a single JSON string with the line breaks escaped as `\n`; unescape them and write the result to device.csr so that it looks like this:

```
$ cat device.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIBZzCCARECAQEwgasxJTAjBgNVHREMHHdzYm1jMDE1LmF1cy5zdGdsYWJzLmli
bS5jb20xDzANBgNVBAcMBkF1c3RpbjESMBAGA1UEAwwJOS4zLjIxLjU1MQ8wDQYD
VQQpDAZteW5hbWUxCzAJBgNVBAYTAlVTMQ0wCwYEKw4DAgwDUlNBMRUwEwYDVR0P
DAxLZXlBZ3JlZW1lbnQxDDAKBgNVBAoMA0lCTTELMAkGA1UECAwCQVUwXDANBgkq
hkiG9w0BAQEFAANLADBIAkEAwY9eVEdOobpT646Ssn7QmcxLeoWnCIulyP3hKR2f
4E8Cy3FdO/j3HlrlKxJijB8eBDmdB0zR8CnVUipUcknj4QIDAQABoAAwDQYJKoZI
hvcNAQELBQADQQBcKCRdSZxqKoH7h4uta27Qchna88ljrJwX3PLqNES5nyCUaacx
e8Xqddi9iG7FcnULE9VLzhpr86UTZV4393+s
-----END CERTIFICATE REQUEST-----
```

**Create CA signed server certificate using CSR request**

1. Use the BMC generated CSR (device.csr) to create the CA signed certificate (device.crt). The CA signs only the public key and subject from the CSR; it never sees the BMC's private key.

```
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500 -sha256
```

2. Create a JSON file (certificate.json) containing the device.crt created in step 1. As with the CSR, the PEM lines are joined into one JSON string with `\n` escapes. `CertificateUri` points at the existing HTTPS server certificate (`/Certificates/1`), which is the one that will be replaced.

```
$ cat certificate.json
{
  "CertificateString": "-----BEGIN CERTIFICATE-----\nMIIC+TCCAeECCQCk+dNJDXfI1jANBgkqhkiG9w0BAQsFADCBmDELMAkGA1UEBhMC\nSU4xDjAMBgNVBAgMBURFTEhJMQ4wDAYDVQQHDAVERUxISTEeMBwGA1UECgwVQ0VS\nVElGSUNBVEUgQVVUSE9SSVRZMQswCQYDVQQLDAJJVDEeMBwGA1UEAwwVRGF0YSBD\nZW50ZXIgT3ZlcmxvcmRzMRwwGgYJKoZIhvcNAQkBFg1ub25lQG5vbmUuY29tMB4X\nDTE5MDYyNzExMTczNloXDTIwMTEwODExMTczNlowgasxJTAjBgNVHREMHHdzYm1j\nMDE1LmF1cy5zdGdsYWJzLmlibS5jb20xDzANBgNVBAcMBkF1c3RpbjESMBAGA1UE\nAwwJOS4zLjIxLjU1MQ8wDQYDVQQpDAZteW5hbWUxCzAJBgNVBAYTAlVTMQ0wCwYE\nKw4DAgwDUlNBMRUwEwYDVR0PDAxLZXlBZ3JlZW1lbnQxDDAKBgNVBAoMA0lCTTEL\nMAkGA1UECAwCQVUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAwY9eVEdOobpT646S\nsn7QmcxLeoWnCIulyP3hKR2f4E8Cy3FdO/j3HlrlKxJijB8eBDmdB0zR8CnVUipU\ncknj4QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAcYmkbcznFfOm9bDuIeXHzNSus\nEwOhAberTXWvPMtjbDTmbVH5dRPU+DmgS+LEl2jhYC414R89EUApjrXmk1PzlBrN\nXEnBf9+OHOHOH7H4AIni3diw9PRzEdW5ENHUiOIVoq7LxWP+RknSHGl8AfOghX/3\n6eRgtpIp+fTYwJkGdZaKb9cI5XXk0Eh1cZZ3W43PNsKbuv1BGLGjJVRRaswF9nb1\ng2M4iZLtVXltdkyHW/Z6TUWvG+9+TYuKingixv0toaWyRGexjC1CeRORGhyYW8Dz\niGipRCWmVo97MC5sWtQjVAshB1TY6rUqipxzW9SqyjplBD+AHySY/IqGM+wU\n-----END CERTIFICATE-----\n",
  "CertificateType": "PEM",
  "CertificateUri":
  {
    "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
  }
}
```

**Install CA signed server certificate**

Replace the server certificate with the CA signed certificate using the JSON file created above (certificate.json). The response is the updated certificate resource; check that `Subject` matches what you put in the CSR, that `Issuer` matches your CA's DN, and that the validity window is what you expect. (The sample below was captured with a CA whose DN differs from the one entered in step A above, which is why `Issuer` shows DELHI/IN; your output will reflect your own CA.)

```
$ curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST https://${BMC_IP}/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate/ -d @certificate.json
{
  "@odata.context": "/redfish/v1/$metadata#Certificate.Certificate",
  "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1",
  "@odata.type": "#Certificate.v1_0_0.Certificate",
  "CertificateString": "-----BEGIN CERTIFICATE-----\nMIIC+TCCAeECCQCk+dNJDXfI1jANBgkqhkiG9w0BAQsFADCBmDELMAkGA1UEBhMC\nSU4xDjAMBgNVBAgMBURFTEhJMQ4wDAYDVQQHDAVERUxISTEeMBwGA1UECgwVQ0VS\nVElGSUNBVEUgQVVUSE9SSVRZMQswCQYDVQQLDAJJVDEeMBwGA1UEAwwVRGF0YSBD\nZW50ZXIgT3ZlcmxvcmRzMRwwGgYJKoZIhvcNAQkBFg1ub25lQG5vbmUuY29tMB4X\nDTE5MDYyNzExMTczNloXDTIwMTEwODExMTczNlowgasxJTAjBgNVHREMHHdzYm1j\nMDE1LmF1cy5zdGdsYWJzLmlibS5jb20xDzANBgNVBAcMBkF1c3RpbjESMBAGA1UE\nAwwJOS4zLjIxLjU1MQ8wDQYDVQQpDAZteW5hbWUxCzAJBgNVBAYTAlVTMQ0wCwYE\nKw4DAgwDUlNBMRUwEwYDVR0PDAxLZXlBZ3JlZW1lbnQxDDAKBgNVBAoMA0lCTTEL\nMAkGA1UECAwCQVUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAwY9eVEdOobpT646S\nsn7QmcxLeoWnCIulyP3hKR2f4E8Cy3FdO/j3HlrlKxJijB8eBDmdB0zR8CnVUipU\ncknj4QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAcYmkbcznFfOm9bDuIeXHzNSus\nEwOhAberTXWvPMtjbDTmbVH5dRPU+DmgS+LEl2jhYC414R89EUApjrXmk1PzlBrN\nXEnBf9+OHOHOH7H4AIni3diw9PRzEdW5ENHUiOIVoq7LxWP+RknSHGl8AfOghX/3\n6eRgtpIp+fTYwJkGdZaKb9cI5XXk0Eh1cZZ3W43PNsKbuv1BGLGjJVRRaswF9nb1\ng2M4iZLtVXltdkyHW/Z6TUWvG+9+TYuKingixv0toaWyRGexjC1CeRORGhyYW8Dz\niGipRCWmVo97MC5sWtQjVAshB1TY6rUqipxzW9SqyjplBD+AHySY/IqGM+wU\n-----END CERTIFICATE-----\n",
  "Description": "HTTPS certificate",
  "Id": "1",
  "Issuer": {
    "City": "DELHI",
    "CommonName": "Data Center Overlords",
    "Country": "IN",
    "Organization": "CERTIFICATE AUTHORITY",
    "OrganizationalUnit": "IT",
    "State": "DELHI"
  },
  "KeyUsage": [],
  "Name": "HTTPS certificate",
  "Subject": {
    "City": "Austin",
    "CommonName": "9.3.111.222",
    "Country": "US",
    "Organization": "IBM",
    "State": "AU"
  },
  "ValidNotAfter": "2020-11-07T23:17:36+00:00",
  "ValidNotBefore": "2019-06-26T23:17:36+00:00"
}
```

After the replacement, connections to the BMC should validate without `-k` for any client that trusts rootCA.pem; if they do not, the installed certificate does not chain to your CA or does not match the name or IP the client used.