## Steps to create and install CA signed certificate

To create and install a CA signed server certificate, follow these steps:

A. Create your own SSL certificate authority

B. Generate CSR for server certificate

C. Create CA signed server certificate using CSR request

D. Install CA signed server certificate

**Create your own SSL certificate authority**

1. Create a private key for the certificate authority (CA).

`openssl genrsa -des3 -out rootCA.key 2048`

Note: You will be prompted to give a password for the private key. This password
will be needed whenever the private key is used.

2. Create a root CA certificate using the private key created in step 1.

`openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem`

This starts an interactive script that asks for the information to be
incorporated into your certificate.

```
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Oregon
Locality Name (eg, city) []:Portland
Organization Name (eg, company) [Default Company Ltd]:XYZ
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:XYZ CERTIFICATE AUTHORITY
Email Address []:none@none.com
```

**Generate CSR for server certificate**

1. Create a CSR request file (csr_file.json) containing all of the following fields.

```
{
  "City": <City Name>,
  "CertificateCollection": {
    "@odata.id": "/redfish/v1/Managers/${MANAGER_ID}/NetworkProtocol/HTTPS/Certificates/"
  },
  "CommonName": "<BMC_IP>",
  "Country": <Country Name>,
  "Organization": <Organization Name>,
  "OrganizationalUnit": <Organization Unit Name>,
  "State": <State Name>,
  "KeyPairAlgorithm": <RSA/EC>
}
```

Example:

```
{
  "City": "Austin",
  "CertificateCollection": {
    "@odata.id": "/redfish/v1/Managers/${MANAGER_ID}/NetworkProtocol/HTTPS/Certificates/"
  },
  "CommonName": "xx.xx.xx.xx",
  "Country": "US",
  "Organization": "ABC Limited",
  "OrganizationalUnit": "IT",
  "State": "AU",
  "KeyPairAlgorithm": "RSA"
}
```

2. Generate the CSR using the following Redfish command.

```
$ curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST https://${BMC_IP}/redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR/ -d @csr_file.json
{
  "CSRString": "-----BEGIN CERTIFICATE REQUEST-----\nMIICyzCCAbMCAQEwgYUxDzANBgNVBAcMBkF1c3RpbjEUMBIGA1UEAwwLeHgueHgu\neHgueHgxCzAJBgNVBAYTAlVTMQ0wCwYEKw4DAgwDUlNBMR0wGwYDVR0lDBRTZXJ2\nZXJBdXRoZW50aWNhdGlvbjEUMBIGA1UECgwLQUJDIExpbWl0ZWQxCzAJBgNVBAgM\nAkFVMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7+OoXRmAI85W/5pB\nYjC5EdZ/atrPpkIxjT4sXANZLXm6/vkfR/BAxd5s8DYrifPjdfvJRv33cAPT6+pe\no/t793hdBx7Cwwzqlj3czfdbpvGp90I7BQ1OvKCo/NDmqeTm+5jphYpd8ZvKmBNC\nOfHV0sr3/dMPHME16aunDEHFJz1CzXpG5kSszRYbwcZrXC7rvmSi8UBX8BYoKWzx\nlAGdOYh9j5k/LVNQuKFJjqIfesYJ8fajgsJr8bj81o+bOzvG+zApvt+Ak8B8fqa7\nvET4jb1oeDuSi9D1/Xax+2qx3vInIQOOZz3OCVjxNLZMWOA+P86z59e/6YkXOg/Q\nkXG4uQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAOTLICzJiYerbWa6VyXv/w8b\nr160bNDvIRXJf8E2b5+27NinZb+65WVa6oxE9Ai7UEN+mHkbnDpb2vujp/wuROER\nrgmjstePJST+EqX5PuoSxbPhE0ucHw7dTZf9agfvNLlpgTUo/Lv9A2pCSDa5KZ13\nu96AFsFBjBuanUK2k7aoEc/Rl7JhfxUaXNszzYqDgwIHggYWbZO7Ku7HHbY1qYGR\nD0XaLUyXAxgB76mcud004zu7swTJxDlM+c5+i0yqflWQiVWEAOW9HDeHvnYmShuT\n+HS1vhv+x/9HDHowxiWOt2Th18uzdf+F0446fR8uoIrG1z7KdNoxipUnVKfyXTg=\n-----END CERTIFICATE REQUEST-----\n",
  "CertificateCollection": {
    "@odata.id": "/redfish/v1/Managers/${MANAGER_ID}/NetworkProtocol/HTTPS/Certificates/"
  }
}
```

3. Convert the CSRString from the response into a .csr file (device.csr); the `\n` escapes in the JSON become real line breaks in the file.

```
$ cat device.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICyzCCAbMCAQEwgYUxDzANBgNVBAcMBkF1c3RpbjEUMBIGA1UEAwwLeHgueHgu
eHgueHgxCzAJBgNVBAYTAlVTMQ0wCwYEKw4DAgwDUlNBMR0wGwYDVR0lDBRTZXJ2
ZXJBdXRoZW50aWNhdGlvbjEUMBIGA1UECgwLQUJDIExpbWl0ZWQxCzAJBgNVBAgM
AkFVMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7+OoXRmAI85W/5pB
YjC5EdZ/atrPpkIxjT4sXANZLXm6/vkfR/BAxd5s8DYrifPjdfvJRv33cAPT6+pe
o/t793hdBx7Cwwzqlj3czfdbpvGp90I7BQ1OvKCo/NDmqeTm+5jphYpd8ZvKmBNC
OfHV0sr3/dMPHME16aunDEHFJz1CzXpG5kSszRYbwcZrXC7rvmSi8UBX8BYoKWzx
lAGdOYh9j5k/LVNQuKFJjqIfesYJ8fajgsJr8bj81o+bOzvG+zApvt+Ak8B8fqa7
vET4jb1oeDuSi9D1/Xax+2qx3vInIQOOZz3OCVjxNLZMWOA+P86z59e/6YkXOg/Q
kXG4uQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAOTLICzJiYerbWa6VyXv/w8b
r160bNDvIRXJf8E2b5+27NinZb+65WVa6oxE9Ai7UEN+mHkbnDpb2vujp/wuROER
rgmjstePJST+EqX5PuoSxbPhE0ucHw7dTZf9agfvNLlpgTUo/Lv9A2pCSDa5KZ13
u96AFsFBjBuanUK2k7aoEc/Rl7JhfxUaXNszzYqDgwIHggYWbZO7Ku7HHbY1qYGR
D0XaLUyXAxgB76mcud004zu7swTJxDlM+c5+i0yqflWQiVWEAOW9HDeHvnYmShuT
+HS1vhv+x/9HDHowxiWOt2Th18uzdf+F0446fR8uoIrG1z7KdNoxipUnVKfyXTg=
-----END CERTIFICATE REQUEST-----
```

**Create CA signed server certificate using CSR request**

1. Use the BMC generated CSR (device.csr) to generate a CA signed certificate
   (device.crt).

```
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500 -sha256
```

Note: You will be prompted for the password of the CA private key (rootCA.key).

2. Create a JSON file (certificate.json) containing the device.crt file created in
   step 1.

```
$ cat certificate.json
{
  "CertificateString": "-----BEGIN CERTIFICATE-----\nMIIDkTCCAnkCCQD7oPxudsyOjTANBgkqhkiG9w0BAQsFADCBjjELMAkGA1UEBhMC\nVVMxDzANBgNVBAgMBk9yZWdvbjERMA8GA1UEBwwIUG9ydGxhbmQxDDAKBgNVBAoM\nA1hZWjELMAkGA1UECwwCSVQxIjAgBgNVBAMMGVhZWiBDRVJUSUZJQ0FURSBBVVRI\nT1JJVFkxHDAaBgkqhkiG9w0BCQEWDW5vbmVAbm9uZS5jb20wHhcNMTkwOTEyMDkx\nMzQwWhcNMjEwMTI0MDkxMzQwWjCBhTEPMA0GA1UEBwwGQXVzdGluMRQwEgYDVQQD\nDAt4eC54eC54eC54eDELMAkGA1UEBhMCVVMxDTALBgQrDgMCDANSU0ExHTAbBgNV\nHSUMFFNlcnZlckF1dGhlbnRpY2F0aW9uMRQwEgYDVQQKDAtBQkMgTGltaXRlZDEL\nMAkGA1UECAwCQVUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDv46hd\nGYAjzlb/mkFiMLkR1n9q2s+mQjGNPixcA1ktebr++R9H8EDF3mzwNiuJ8+N1+8lG\n/fdwA9Pr6l6j+3v3eF0HHsLDDOqWPdzN91um8an3QjsFDU68oKj80Oap5Ob7mOmF\nil3xm8qYE0I58dXSyvf90w8cwTXpq6cMQcUnPULNekbmRKzNFhvBxmtcLuu+ZKLx\nQFfwFigpbPGUAZ05iH2PmT8tU1C4oUmOoh96xgnx9qOCwmvxuPzWj5s7O8b7MCm+\n34CTwHx+pru8RPiNvWh4O5KL0PX9drH7arHe8ichA45nPc4JWPE0tkxY4D4/zrPn\n17/piRc6D9CRcbi5AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJ+xLxyfBBpRXov/\noRVMyJSWRSSITfzvcZVMcbDXAWR591rdYPNmpmpuDSdtynIvJe33H9FyXRI1UMnw\n5BYpJrVjxxyEvIyoxbJSkLxjkO6TUJNI2w7wBJeUDpwdYWuwmUc6UfO5c5LGSb4z\nzbvfEdSsW+3pHuFopuhU8d/SR14rjZiGpU2MBF+/yEyUXmQ5jIU69UwvIvbch0Zy\naquTL4O3aL1Lc9ACVUsQ7mTUS+niduIsZLvvI+OWMShRo8CEUJl9BKijQJhwvUVf\nUBNa1pVzonLxdt3eRTv93X4cu5ole6wO2DA19PWnlt/16XYw61/5naYckslQTRdc\nGvsIpb0=\n-----END CERTIFICATE-----",
  "CertificateType": "PEM",
  "CertificateUri":
  {
    "@odata.id": "/redfish/v1/Managers/${MANAGER_ID}/NetworkProtocol/HTTPS/Certificates/1"
  }
}
```

**Install CA signed server certificate**

Replace the server certificate by posting the JSON file created above
(certificate.json), which carries the CA signed certificate.

```
$ curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST https://${BMC_IP}/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate/ -d @certificate.json
{
  "@odata.context": "/redfish/v1/$metadata#Certificate.Certificate",
  "@odata.id": "/redfish/v1/Managers/${MANAGER_ID}/NetworkProtocol/HTTPS/Certificates/1",
  "@odata.type": "#Certificate.v1_0_0.Certificate",
  "CertificateString": "-----BEGIN CERTIFICATE-----\nMIIDkTCCAnkCCQD7oPxudsyOjTANBgkqhkiG9w0BAQsFADCBjjELMAkGA1UEBhMC\nVVMxDzANBgNVBAgMBk9yZWdvbjERMA8GA1UEBwwIUG9ydGxhbmQxDDAKBgNVBAoM\nA1hZWjELMAkGA1UECwwCSVQxIjAgBgNVBAMMGVhZWiBDRVJUSUZJQ0FURSBBVVRI\nT1JJVFkxHDAaBgkqhkiG9w0BCQEWDW5vbmVAbm9uZS5jb20wHhcNMTkwOTEyMDkx\nMzQwWhcNMjEwMTI0MDkxMzQwWjCBhTEPMA0GA1UEBwwGQXVzdGluMRQwEgYDVQQD\nDAt4eC54eC54eC54eDELMAkGA1UEBhMCVVMxDTALBgQrDgMCDANSU0ExHTAbBgNV\nHSUMFFNlcnZlckF1dGhlbnRpY2F0aW9uMRQwEgYDVQQKDAtBQkMgTGltaXRlZDEL\nMAkGA1UECAwCQVUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDv46hd\nGYAjzlb/mkFiMLkR1n9q2s+mQjGNPixcA1ktebr++R9H8EDF3mzwNiuJ8+N1+8lG\n/fdwA9Pr6l6j+3v3eF0HHsLDDOqWPdzN91um8an3QjsFDU68oKj80Oap5Ob7mOmF\nil3xm8qYE0I58dXSyvf90w8cwTXpq6cMQcUnPULNekbmRKzNFhvBxmtcLuu+ZKLx\nQFfwFigpbPGUAZ05iH2PmT8tU1C4oUmOoh96xgnx9qOCwmvxuPzWj5s7O8b7MCm+\n34CTwHx+pru8RPiNvWh4O5KL0PX9drH7arHe8ichA45nPc4JWPE0tkxY4D4/zrPn\n17/piRc6D9CRcbi5AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJ+xLxyfBBpRXov/\noRVMyJSWRSSITfzvcZVMcbDXAWR591rdYPNmpmpuDSdtynIvJe33H9FyXRI1UMnw\n5BYpJrVjxxyEvIyoxbJSkLxjkO6TUJNI2w7wBJeUDpwdYWuwmUc6UfO5c5LGSb4z\nzbvfEdSsW+3pHuFopuhU8d/SR14rjZiGpU2MBF+/yEyUXmQ5jIU69UwvIvbch0Zy\naquTL4O3aL1Lc9ACVUsQ7mTUS+niduIsZLvvI+OWMShRo8CEUJl9BKijQJhwvUVf\nUBNa1pVzonLxdt3eRTv93X4cu5ole6wO2DA19PWnlt/16XYw61/5naYckslQTRdc\nGvsIpb0=\n-----END CERTIFICATE-----\n",
  "Description": "HTTPS certificate",
  "Id": "1",
  "Issuer": {
    "City": "Portland",
    "CommonName": "XYZ CERTIFICATE AUTHORITY",
    "Country": "US",
    "Organization": "XYZ",
    "OrganizationalUnit": "IT",
    "State": "Oregon"
  },
  "KeyUsage": [],
  "Name": "HTTPS certificate",
  "Subject": {
    "City": "Austin",
    "CommonName": "xx.xx.xx.xx",
    "Country": "US",
    "Organization": "ABC Limited",
    "State": "AU"
  },
  "ValidNotAfter": "2021-01-23T21:13:40+00:00",
  "ValidNotBefore": "2019-09-11T21:13:40+00:00"
}
```
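The two conversions the procedure leaves to the reader, turning the GenerateCSR reply into device.csr (step 3 of "Generate CSR") and wrapping device.crt into the certificate.json body for ReplaceCertificate, as an added example that is not part of the original page or of the BMC firmware. It checks that each PEM is a single block with the right label and valid base64 before anything is posted; the sample reply, the function names, and the "bmc" manager id are constructed for the example.

```python
import base64
import json
import re

# Constructed sample in the shape of the GenerateCSR reply shown above; the
# body is placeholder base64, not a real CSR, and "bmc" stands in for MANAGER_ID.
SAMPLE_CSR_RESPONSE = json.dumps({
    "CSRString": "-----BEGIN CERTIFICATE REQUEST-----\n"
                 + base64.b64encode(b"constructed placeholder CSR body").decode()
                 + "\n-----END CERTIFICATE REQUEST-----\n",
    "CertificateCollection": {
        "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/"},
})

# Exactly one PEM block: header, base64 body, footer with the same label (\1).
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.+?)\n-----END \1-----\n?", re.S)


def pem_block_ok(pem, expected_label):
    """True if pem holds exactly one block with the expected label and valid base64."""
    blocks = PEM_RE.findall(pem)
    if len(blocks) != 1 or blocks[0][0] != expected_label:
        return False
    try:
        base64.b64decode("".join(blocks[0][1].split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def csr_response_to_pem(response_text):
    """Step 3 of 'Generate CSR': CSRString from the JSON reply, as device.csr text."""
    csr = json.loads(response_text)["CSRString"]
    if not pem_block_ok(csr, "CERTIFICATE REQUEST"):
        raise ValueError("CSRString is not one well-formed CERTIFICATE REQUEST block")
    return csr  # json.loads already turned the \n escapes into real line breaks


def certificate_json(crt_pem, manager_id, cert_id="1"):
    """Step 2 of 'Create CA signed certificate': the body for ReplaceCertificate."""
    if not pem_block_ok(crt_pem, "CERTIFICATE"):  # rejects a CSR or key fed by mistake
        raise ValueError("device.crt is not one well-formed CERTIFICATE block")
    return {
        "CertificateString": crt_pem,  # json.dumps re-escapes the line breaks as \n
        "CertificateType": "PEM",
        "CertificateUri": {"@odata.id": f"/redfish/v1/Managers/{manager_id}"
                                        f"/NetworkProtocol/HTTPS/Certificates/{cert_id}"},
    }
```

Write the first function's return value to device.csr and `json.dumps` of the second to certificate.json. Once the new certificate is installed, the curl calls above can drop `-k` in favour of `--cacert rootCA.pem`, which confirms the BMC is now presenting the CA signed certificate.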