1# BMC Certificate management 2 3## Overview 4 5Certificate management allows to replace the existing certificate and private 6key file with another (possibly certification Authority (CA) signed) certificate 7and private key file. Certificate management allows the user to install both the 8server and client certificates. The REST interface allows to update the 9certificate, using an unencrypted certificate and private key file in .pem 10format, which includes both private key and signed certificate. 11 12### Signed Certificate upload Design flow(Pre-generated) 13 14- The REST Server copies the certificate and private key file to a temporary 15 location. 16- REST server should map the URI to the target DBus application (Certs) object. 17 The recommendation for the D-Bus application implementing certificate D-Bus 18 objects is to use the same path structure as the REST endpoint. e.g.: 19 - The URI /xyz/openbmc_project/certs/server/https maps to instance of the 20 certificate application handling Https server certificate. 21 - The URI /xyz/openbmc_project/certs/client/ldap maps to instance of the 22 certificate application handling LDAP client certificate. 23 - The URI /xyz/openbmc_project/certs/authority/truststore maps to instance of 24 the certificate application handling Certificate Authority certificates. 25- REST server should call the install method of the certificate application 26 instance. 27- Certificate manager application also implements d-bus object 28 xyz.openbmc_project.Certs.Manager. This includes the collection of 29 "certificates specific d-bus objects" installed in the system. This d-bus 30 provide option to view the certificate on PEM format and delete the same. 31 Refer [Wikipedia][privacy-enhanced-mail] for details. 32- Applications should subscribe the xyz.openbmc_project.Certs.Manager to see any 33 new certificate is uploaded or change in the existing certificates. 34- Certificate manager scope is limited to manage the certificate and impacted 35 application is responsible for application specific changes. 36- In case of delete action, certificate manager creates a new self signed 37 certificate after successful delete (regards only server type certificates) 38 39[privacy-enhanced-mail]: https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail 40 41### REST interface 42 43```plain 44url: /xyz/openbmc_project/certs/server/https 45Description: Update https server signed certificate and the private key. 46Method: PUT 47 48url: /xyz/openbmc_project/certs/server/https/<cert_id> 49Description: Delete https server signed certificate and the private key. 50Method: DELETE 51 52url: /xyz/openbmc_project/certs/client/ldap 53Description: Update ldap client certificate and the private key. 54Method: PUT 55 56url: /xyz/openbmc_project/certs/client/ldap/<cert_id> 57Description: Delete ldap client certificate and the private key. 58Method: DELETE 59 60Return codes 61 62 200 Success 63 400 Invalid certificate and private key file. 64 405 Method not supported. 65 500 Internal server error 66 67``` 68 69## CSR 70 71### User flow for generating and installing Certificates(CSR Based) 72 73[Certificate Signing Request][csr](CSR) is a message sent from an applicant to a 74certitificate authority in order to apply for a digital identity certificate. 75This section provides the details of the CSR based certificate user flow. 76 77- The user performs the CSR/create interface BMC creates new private key and CSR 78 object which includes CSR information. 79- The user performs the CSR/export interface Allows the user to export the CSR 80 file which is part of newly created CSR object. This can be provided to the CA 81 to create SSL certificate. 82- The user perform the certificate upload on appropriate services. Example: if 83 trying to replace the HTTPS certificate for a Manager, navigate to the 84 Manager’s Certificate object upload interface. The Upload method internally 85 pairs the private key used in the first step with the installed certificate. 86 87[csr]: https://en.wikipedia.org/wiki/Certificate_signing_request 88 89### Assumptions 90 91- BMC updates the private key associated to CSR for any new CSR request. 92- BMC upload process automatically appends certificate file with system CSR 93 private key, for the service which requirs certificate and key. 94- CSR based Certificate validation is alway's based on private key in the 95 system. 96 97### CSR Request 98 99- CSR requests initiated through D-Bus are time-consuming and might result D-Bus 100 time-out error. 101- To overcome the time-out error, parent process is forked and CSR operation is 102 performed in the child process so that parent process can return the calling 103 thread immediately. 104- OpenSSL library is used in generating CSR based on the algorithm type. 105- At present supporting generating CSR for only "RSA" algorithm type. 106- Parent process registers child process PID and a callback method in the 107 sd_event_lopp so that callback method is invoked upon completion the CSR 108 request in the child process. 109- Callback method invoked creates a CSR object with the status of the CSR 110 operation returned from the child process. 111- CSR read operation will return the CSR string if status is SUCCESS else throws 112 InternalFailure exception to the caller. 113- Certificate Manager implements "/xyz/openbmc_project/Certs/CSR/Create" 114 interface. 115- CSR object created implements "/xyz/openbmc_project/Certs/CSR" interface. 116- Caller needs to validate the CSR request parameters. 117- Caller need to wait on "InterfacesAdded" signal generated upon creation of the 118 CSR object to start reading CSR string. 119 120### Example usage for the GenerateCSR POST request 121 122```yaml 123url: /redfish/v1/CertificateService 124Action: #CertificateService.GenerateCSR { 125 "City": "HYB", 126 "CertificateCollection": 127 "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/", 128 "CommonName": "www.company.com", 129 "ContactPerson":"myname", 130 "AlternativeNames":["mycompany.com","mycompany2.com"], 131 "ChallengePassword":"abc123", 132 "Email":"xxx@xx.com", 133 "GivenName":"localhost", 134 "Initials":"G", 135 "Country": "IN", 136 "KeyCurveId":"0", 137 "KeyUsage":["ServerAuthentication","ServerAuthentication"], 138 "KeyBitLength": 2048, 139 "KeyPairAlgorithm": "RSA", 140 "Organization": "ABCD", 141 "OrganizationUnit": "XY", 142 "State": "TX", 143 "SurName": "XX", 144 "UnstructuredName": "xxx" 145} 146Description: This is used to perform a certificate signing request. 147Method: POST 148 149``` 150 151### Additional interfaces 152 153- CertificateService.ReplaceCertificate Allows the user to replace an existing 154 certificate. 155 156### d-bus interfaces 157 158#### d-bus interface to install certificate and private Key 159 160- Certs application must: 161 - validate the certificate and Private key file by checking, if the Private 162 key matches the public key in the certificate file. 163 - copy the certificate and Public Key file to the service specific path based 164 on a configuration file. 165 - Reload the listed service(s) for which the certificate is updated. 166 167#### d-bus interface to Delete certificate and Private Key 168 169- certificate manager should provide interface to delete the existing 170 certificate. 171- Incase of server type certificate deleting a signed certificate will create a 172 new self signed certificate and will install the same. 173 174### Boot process 175 176- certificate management instances should be created based on the system 177 configuration. 178 179- Incase of no Https certificate or invalid Https certificate, certificate 180 manager should update the https certificate with self signed certificate. 181 182### Repository 183 184phosphor-certificate-manager 185 186### Redfish Certificate Support 187 188#### Certificate Upload 189 190- Certificate Manager implements "xyz.openbmc_project.Certs.Install" interface 191 for installing certificates in the system. 192- Redfish initiates certificate upload by issuing a POST request on the Redfish 193 CertificateCollection with the certificate file. Acceptable body formats are: 194 raw pem text or json that is acceptable by action 195 [CertificateService.ReplaceCertificate](https://www.dmtf.org/sites/default/files/standards/documents/DSP2046_2019.1.pdf) 196 197 For example the HTTPS certificate upload POST request is issued on URI 198 "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates" 199 200- Bmcweb receives the POST request and it maps the Redfish URI to the 201 corresponding Certificate Manager D-Bus URI. e.g: HTTPS certificate collection 202 URI /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates mapped to 203 /xyz/openbmc_project/certs/server/https. 204- Bmcweb initiates an asynchronous call which invokes the "Install" method of 205 the Certificate Manager. 206- Certificate Manager "Install" method validates, installs the certificate file 207 and creates a Certificate object. 208- Certificate Manager initiates Reload of the Bmcweb service to trigger 209 configuration reload. 210- BMCweb service raises SIGHUP signal as part of Reload. 211- Bmcweb application handles the SIGHUP signal and reloads the SSL context with 212 the installed certificate. 213- Bmcweb invokes the Callback method with the status of the "Install" method 214 received from the Certificate Manager. 215- Callback method set the response message with error details for failure, sets 216 the response message with newly created certificate details for success. 217- Certificate object D-Bus path mapped to corresponding Redfish certificate URI. 218 e.g: /xyz/openbmc_project/certs/server/https/1 is mapped to 219 /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1 ID of the 220 certificate is appended to the collection URI. 221 222#### Certificate Replace 223 224- Certificate Object implements "xyz.openbmc_project.Certs.Replace" interface to 225 for replacing existing certificate. 226- Redfish issues Replace certificate request by invoking the ReplaceCertificate 227 action of the CertificateService. 228- Redfish Certificate Collection URI is mapped to corresponding Certificate 229 D-Bus object URI e.g: HTTPS certificate object 1 URI 230 /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1 is mapped to 231 /xyz/openbmc_project/certs/server/https/1. 232- Bmcweb receives POST request for Replace Certificate, invokes the Replace 233 D-Bus method of the Certificate object asynchronously. 234- Callback method will be passed to the bmcweb asynchronous method which will 235 called after completion of the D-Bus Replace method. 236- Callback method checks the response received, if failure response message is 237 set with error details, if success response message is set with the replaced 238 certificate details. 239 240#### Bootup 241 242- During bootup certificate objects created for the existing certificates. 243 244### Errors thrown by Certificate Manager 245 246- NotAllowed exception thrown if Install method invoked with a certificate 247 already existing. At present only one certificate per server and client 248 certificate type is allowed. 249- InvalidCertificate excption thrown for validation errors. 250 251#### Certificate Deletion 252 253- For server and client certificate type the certificate deletion is not 254 allowed. In case of authority certificate type the delete option is acceptable 255 and can be done on individial certificates, for example: 256 257```plain 258url: redfish/v1/Managers/bmc/Truststore/Certificates/1 259Method: DELETE 260 261Returns: code 204 with empty body content. 262``` 263