# phosphor-certificate-manager
Certificate management allows replacing the existing certificate and private
key file with another (possibly CA-signed) certificate and key file. Certificate
management allows the user to install both server and client certificates.

## To Build
To build this package, run the following steps:

```bash
./bootstrap.sh
./configure ${CONFIGURE_FLAGS}
make
```

To clean the repository run `./bootstrap.sh clean`.
16
## To Run
Multiple instances of `phosphor-certificate-manager` are usually run on the BMC
to support management of different types of certificates.
```
Usage: ./phosphor-certificate-manager [options]
Options:
    --help            Print this menu
    --type            certificate type
                      Valid types: client,server,authority
    --endpoint        d-bus endpoint
    --path            certificate file path
    --unit=<name>     Optional systemd unit need to reload
```
30
### HTTPS certificate management
**Purpose:** Server HTTPS certificate
```bash
./phosphor-certificate-manager --type=server --endpoint=https \
    --path=/etc/ssl/certs/https/server.pem --unit=bmcweb.service
```

### CA certificate management
**Purpose:** Client certificate validation
```bash
./phosphor-certificate-manager --type=authority --endpoint=ldap \
    --path=/etc/ssl/certs/authority --unit=bmcweb.service
```

### LDAP client certificate management
**Purpose:** LDAP client certificate validation
```bash
./phosphor-certificate-manager --type=client --endpoint=ldap \
    --path=/etc/nslcd/certs/cert.pem
```
51
## D-Bus Interface
`phosphor-certificate-manager` is an implementation of the D-Bus interface
defined in [this document](https://github.com/openbmc/phosphor-dbus-interfaces/blob/a3d0c212a1e734a77fbaf11c7561c59e59d514da/xyz/openbmc_project/Certs/README.md).

The D-Bus service name is constructed as
"xyz.openbmc_project.Certs.Manager.{Type}.{Endpoint}"
and the D-Bus object path is constructed as
"/xyz/openbmc_project/certs/{type}/{endpoint}". Note that the type and
endpoint are capitalized in the service name but lower-case in the object path.

Take HTTPS certificate management as an example.
```bash
./phosphor-certificate-manager --type=server --endpoint=https \
    --path=/etc/ssl/certs/https/server.pem --unit=bmcweb.service
```
The D-Bus service name is "xyz.openbmc_project.Certs.Manager.Server.Https" and
the D-Bus object path is "/xyz/openbmc_project/certs/server/https".
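The naming rule above, worked through for the three instances this README shows. This is an added example, not part of phosphor-certificate-manager: it parses the documented command-line options, derives the bus name and object path each instance would claim, and rejects a configuration in which two instances would claim the same bus name (only one could own it). The exact capitalization rule (first letter upper-cased for the bus name, all lower-case for the path) is inferred from the README's own example and is an assumption.

```python
import re
import shlex

VALID_TYPES = ("client", "server", "authority")
DOCUMENTED_OPTS = ("type", "endpoint", "path", "unit")

def parse_invocation(cmdline):
    """Split one phosphor-certificate-manager command line into its --key=value
    options; only the options listed in the usage text are accepted."""
    opts = {}
    for arg in shlex.split(cmdline)[1:]:
        m = re.fullmatch(r"--(\w+)=(.+)", arg)
        if not m or m.group(1) not in DOCUMENTED_OPTS:
            raise ValueError(f"unrecognised argument: {arg}")
        opts[m.group(1)] = m.group(2)
    if not {"type", "endpoint", "path"} <= set(opts):
        raise ValueError("--type, --endpoint and --path are required")
    if opts["type"] not in VALID_TYPES:
        raise ValueError(f"invalid --type {opts['type']!r}")
    return opts

def dbus_names(cert_type, endpoint):
    """Bus name and object path an instance claims. Assumption (inferred from
    the README's example): first letter upper-cased in the bus name, all
    lower-case in the object path."""
    service = ("xyz.openbmc_project.Certs.Manager."
               f"{cert_type.capitalize()}.{endpoint.capitalize()}")
    path = f"/xyz/openbmc_project/certs/{cert_type.lower()}/{endpoint.lower()}"
    return service, path

def check_instances(cmdlines):
    """Map each invocation to (service, path); reject a set in which two
    instances would claim the same bus name, since only one can own it."""
    owners, result = {}, []
    for cmd in cmdlines:
        opts = parse_invocation(cmd)
        service, path = dbus_names(opts["type"], opts["endpoint"])
        if service in owners:
            raise ValueError(f"{service} claimed by {owners[service]} and {opts['path']}")
        owners[service] = opts["path"]
        result.append((service, path))
    return result

# Constructed sample: the three instances this README shows.
SAMPLE_INVOCATIONS = [
    "./phosphor-certificate-manager --type=server --endpoint=https --path=/etc/ssl/certs/https/server.pem --unit=bmcweb.service",
    "./phosphor-certificate-manager --type=authority --endpoint=ldap --path=/etc/ssl/certs/authority --unit=bmcweb.service",
    "./phosphor-certificate-manager --type=client --endpoint=ldap --path=/etc/nslcd/certs/cert.pem",
]
```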
68
## Usage in openbmc/bmcweb
OpenBMC [bmcweb](https://github.com/openbmc/bmcweb) exposes various [REST APIs](https://github.com/openbmc/bmcweb/blob/master/redfish-core/lib/certificate_service.hpp)
for certificate management on the BMC, which use the functionality of
`phosphor-certificate-manager` via D-Bus.