1# phosphor-certificate-manager
2
Certificate management lets a user replace the certificate and private key
currently installed for a service with a new (possibly CA-signed) certificate
and key supplied as a single PEM file. It supports installing server
certificates, client certificates and trusted certificate-authority (CA)
certificates.
6
7## To Build
8
9This project can be built with `meson`. The typical `meson` workflow is:
10`meson builddir && ninja -C builddir`.
11
12## To Run
13
Multiple instances of `phosphor-certificate-manager` are usually run on the BMC,
one per certificate type and endpoint, to manage the different kinds of
certificates the BMC uses.
16
17```text
18Usage: ./phosphor-certificate-manager [options]
19Options:
20    --help            Print this menu
21    --type            certificate type
22                      Valid types: client,server,authority
23    --endpoint        d-bus endpoint
24    --path            certificate file path
    --unit=<name>     Optional systemd unit to reload after a certificate is installed
26```
27
### HTTPS certificate management

**Purpose:** Server certificate presented by the BMC's HTTPS service (bmcweb)
31
32```bash
33./phosphor-certificate-manager --type=server --endpoint=https \
34    --path=/etc/ssl/certs/https/server.pem --unit=bmcweb.service
35```
36
37### CA certificate management
38
**Purpose:** Trusted CA certificates used for client certificate validation
40
41```bash
42./phosphor-certificate-manager --type=authority --endpoint=ldap \
43    --path=/etc/ssl/certs/authority --unit=bmcweb.service
44```
45
46### LDAP client certificate management
47
**Purpose:** Client certificate used by the BMC's LDAP client (nslcd)
49
50```bash
51./phosphor-certificate-manager --type=client --endpoint=ldap \
52    --path=/etc/nslcd/certs/cert.pem
53```
54
55## D-Bus Interface
56
57`phosphor-certificate-manager` is an implementation of the D-Bus interface
58defined in
59[this document](https://github.com/openbmc/phosphor-dbus-interfaces/blob/a3d0c212a1e734a77fbaf11c7561c59e59d514da/xyz/openbmc_project/Certs/README.md).
60
The D-Bus service name is constructed as
`xyz.openbmc_project.Certs.Manager.{Type}.{Endpoint}`, with the first letter of
the type and endpoint capitalized, and the D-Bus object path as
`/xyz/openbmc_project/certs/{type}/{endpoint}`, with both in lowercase.
64
Take HTTPS certificate management as an example:
66
67```bash
68./phosphor-certificate-manager --type=server --endpoint=https \
69    --path=/etc/ssl/certs/https/server.pem --unit=bmcweb.service
70```
71
The D-Bus service name is `xyz.openbmc_project.Certs.Manager.Server.Https` and
the D-Bus object path is `/xyz/openbmc_project/certs/server/https`.
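As an added example (not part of the project's code), the following Python
script derives the service name and object path for a given `--type`/`--endpoint`
pair, runs a pre-install sanity check on the PEM contents, and builds the
`busctl` call to the `Install` method of `xyz.openbmc_project.Certs.Install`
(the method name and its single string argument follow the interface README
linked above). The PEM-content policy enforced by `check_pem`, the sample PEM
bodies, and the upload path `/tmp/upload.pem` are assumptions constructed for
the example.

```python
import re
import shlex

# Certificate types accepted by the --type option (from the usage text above).
VALID_TYPES = ("client", "server", "authority")

# PEM block markers. Private keys appear as PKCS#8 ("PRIVATE KEY") or
# legacy ("RSA PRIVATE KEY", "EC PRIVATE KEY") blocks.
_CERT_RE = re.compile(r"^-----BEGIN CERTIFICATE-----$", re.MULTILINE)
_KEY_RE = re.compile(r"^-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----$", re.MULTILINE)


def dbus_names(cert_type: str, endpoint: str) -> tuple[str, str]:
    """Return (service name, object path) for one manager instance.

    The service name capitalises the first letter of type and endpoint; the
    object path keeps both in lowercase, matching the README example.
    """
    cert_type = cert_type.lower()
    endpoint = endpoint.lower()
    if cert_type not in VALID_TYPES:
        raise ValueError(f"unknown certificate type {cert_type!r}; "
                         f"expected one of {VALID_TYPES}")
    # D-Bus name elements: letters, digits, underscore; not starting with a digit.
    if not re.fullmatch(r"[a-z][a-z0-9_]*", endpoint):
        raise ValueError(f"endpoint {endpoint!r} is not a valid D-Bus name element")
    service = (f"xyz.openbmc_project.Certs.Manager."
               f"{cert_type.capitalize()}.{endpoint.capitalize()}")
    path = f"/xyz/openbmc_project/certs/{cert_type}/{endpoint}"
    return service, path


def check_pem(pem_text: str, cert_type: str) -> list[str]:
    """Sanity-check PEM contents before handing the file path to Install().

    Assumed policy (not stated by the project): server and client PEMs carry
    exactly one certificate plus its private key; authority PEMs carry one or
    more CA certificates and no private key. Returns a list of problems.
    """
    certs = len(_CERT_RE.findall(pem_text))
    keys = len(_KEY_RE.findall(pem_text))
    problems = []
    if certs == 0:
        problems.append("no certificate block found")
    if cert_type == "authority":
        if keys:
            problems.append("authority PEM must not contain a private key")
    else:
        if certs != 1:
            problems.append(f"expected exactly one certificate, found {certs}")
        if keys != 1:
            problems.append(f"expected exactly one private key, found {keys}")
    return problems


def install_command(cert_type: str, endpoint: str, pem_path: str) -> str:
    """Build the busctl invocation of Install(s path) on the manager object."""
    service, path = dbus_names(cert_type, endpoint)
    return "busctl call " + shlex.join(
        [service, path, "xyz.openbmc_project.Certs.Install", "Install", "s", pem_path])


# Constructed sample PEM bodies (not real key material); only the
# BEGIN/END markers matter to check_pem().
SAMPLE_SERVER_PEM = (
    "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n"
)
SAMPLE_CA_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # /tmp/upload.pem is an assumed location where the PEM was copied to the BMC.
    for ctype, ep, pem in [("server", "https", SAMPLE_SERVER_PEM),
                           ("authority", "ldap", SAMPLE_CA_BUNDLE)]:
        problems = check_pem(pem, ctype)
        if problems:
            print(f"{ctype}/{ep}: refusing to install: {'; '.join(problems)}")
            continue
        print(install_command(ctype, ep, "/tmp/upload.pem"))
```

Running the script prints the two `busctl call` lines; the `Install` method
returns the object path of the newly created certificate object, which is
where the per-certificate properties and the `Replace` operation live.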
74
75## Usage in openbmc/bmcweb
76
OpenBMC [bmcweb](https://github.com/openbmc/bmcweb) exposes
[Redfish/REST APIs](https://github.com/openbmc/bmcweb/blob/master/redfish-core/lib/certificate_service.hpp)
for certificate management on the BMC; these APIs call into
`phosphor-certificate-manager` over D-Bus.
81