Certificate management actions—such as retrieving certificate information or performing atomic certificate replacement—are accessible through the CertificateService resource.
The CertificateLocations resource provides an inventory of all certificates managed by the service.
For additional details, refer to the Redfish Certificate Management White Paper.
Common Certificate Management Commands
Getting Certificate Locations
Inventory of all certificates the service is managing.
curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/CertificateService/CertificateLocations
Root CA Management Commands
List Root CA
curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/Truststore/Certificates
Getting Certificate Information
curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/Truststore/Certificates/<number>
Installing Root CA Certificate
curl -k -u root:'<password>' -X POST https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/Truststore/Certificates -d @rootca.json
Replacing Existing Root CA Certificate
curl -k -u root:'<password>' -X PATCH https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/Truststore/Certificates/1 -d @rootca.json
Root CA Certificate Creation and Replacement
- Generate the root CA certificate:
cat > root-ca.cnf << EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = <country>
ST = <state>
L = <location>
O = OpenBMC
OU = bmcweb
CN = <common_name>

[v3_req]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Generate root CA key
openssl genrsa -out root-ca-key.pem <key_size>

# Generate root CA certificate
openssl req -x509 -new -nodes \
  -key root-ca-key.pem \
  -sha256 -days <validity_days> \
  -out root-ca-cert.pem \
  -config root-ca.cnf \
  -extensions v3_req
- Create a JSON file (rootca.json) for the root CA certificate to add:
{
  "CertificateString": "<cert_string>",
  "CertificateType": "PEM"
}
- Install the root CA certificate (more than one root CA certificate can be installed):
curl -k -u root:'<password>' -X POST https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/Truststore/Certificates -d @rootca.json
Server Certificate Management Commands
Getting Certificate Information
curl -k -u root:'<password>' -X GET https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/1
Replacing Existing Certificate
curl -k -u root:'<password>' -X POST https://<bmc_ip>/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate -d @certificate.json
Generating CSR
Generate certificate signing request (CSR):
curl -k -u root:'<password>' -H "Content-Type: application/json" -X POST https://<bmc_ip>/redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR -d @csr_file.json
Installing Certificate
curl -k -u root:'<password>' -H "Content-Type: application/octet-stream" -X POST https://<bmc_ip>/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates -d @certificate.json
Example for CSR Generation, Certificate Creation and Replacement
- Configure your CA to include at least the following extensions for the signed TLS server certificates:
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = IP:192.168.240.1
The extension subjectAltName = IP:192.168.240.1 is mandatory.
- Create a JSON file (csr_file.json) containing the subject data for the BlueField BMC to use when creating the CSR. For example:
{
  "City": "<city>",
  "CertificateCollection": {
    "@odata.id": "/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/"
  },
  "CommonName": "bmc0123456789.mycompany.com",
  "Country": "<country>",
  "Organization": "<company_name>",
  "OrganizationalUnit": "<my_org>",
  "State": "<state>",
  "KeyPairAlgorithm": "EC"
}
- Generate a certificate signing request using the GenerateCSR command from the Server Certificate Management Commands section above and the JSON file created in the previous step. The BMC replies with a JSON containing the CSR:
curl -k -u root:'<password>' -H "Content-Type: application/json" -X POST https://<bmc_ip>/redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR -d @csr_file.json
{
  "CSRString": "-----BEGIN CERTIFICATE REQUEST-----\n<CSR_DATA>\n-----END CERTIFICATE REQUEST-----\n",
  "CertificateCollection": {
    "@odata.id": "/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/"
  }
}
- Extract the CSR string from the JSON and sign the CSR using your CA. For example, this is how to include the required extensions in the signed TLS server certificate:
openssl x509 -req -in bmc.csr -CA CA-cert.pem -CAkey CA-key.pem -CAcreateserial -out bmc.crt -days 3650 -sha384 -extfile extfile.txt
Where:
- bmc.csr contains the CSR string from the previous step
- CA-cert.pem contains the CA certificate used to sign the CSR
- CA-key.pem contains the CA private key
- extfile.txt contains the extensions listed in the first step (basicConstraints, keyUsage, and subjectAltName)
- bmc.crt is the output file that will contain the BMC certificate signed by the CA
- Create a JSON file (certificate.json) for the BlueField BMC signed TLS server certificate data:
{
  "CertificateString": "-----BEGIN CERTIFICATE-----\n<bmc.crt-data>\n-----END CERTIFICATE-----",
  "CertificateType": "PEM",
  "CertificateUri": {
    "@odata.id": "/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/1"
  }
}
- Replace the BMC certificate using the ReplaceCertificate command from the Server Certificate Management Commands section above and the JSON created in the previous step:
curl -k -u root:'<password>' -X POST https://<bmc_ip>/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate -d @certificate.j
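The error-prone parts of the procedure above are packaging PEM data into the JSON bodies (the line breaks must be escaped as \n), pulling the CSR out of the GenerateCSR reply, and making sure the openssl extfile carries the mandatory extensions. The following helper is an added example, not code from the page or from the BlueField BMC project; it uses only the Python standard library, the field names and URI shown on this page, and constructed sample inputs (the hypothetical function names are my own).

```python
import json
import re

# Constructed example; field names and the Redfish URI are those shown on this page.
HTTPS_CERT_URI = "/redfish/v1/Managers/Bluefield_BMC/NetworkProtocol/HTTPS/Certificates/1"
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n[A-Za-z0-9+/=\n]+-----END \1-----\n?\Z")
REQUIRED_EXTENSIONS = ("basicConstraints", "keyUsage", "subjectAltName")

def pem_certificate(pem_text):
    """Return the trimmed PEM text if it is exactly one CERTIFICATE block.
    A CSR or a private key is rejected so it is never posted to the BMC by mistake."""
    pem = pem_text.strip() + "\n"
    match = PEM_BLOCK.match(pem)
    if not match or match.group(1) != "CERTIFICATE":
        raise ValueError("expected exactly one PEM CERTIFICATE block")
    return pem.rstrip("\n")

def truststore_payload(pem_text):
    """Body for POST .../Truststore/Certificates (the rootca.json file)."""
    return {"CertificateString": pem_certificate(pem_text), "CertificateType": "PEM"}

def replace_payload(pem_text, cert_uri=HTTPS_CERT_URI):
    """Body for CertificateService.ReplaceCertificate (the certificate.json file).
    json.dumps() escapes the PEM line breaks the way the BMC expects them."""
    body = truststore_payload(pem_text)
    body["CertificateUri"] = {"@odata.id": cert_uri}
    return body

def csr_from_reply(reply_text):
    """Extract the PEM CSR from a GenerateCSR response so it can be saved as bmc.csr."""
    csr = json.loads(reply_text)["CSRString"]
    if not csr.startswith("-----BEGIN CERTIFICATE REQUEST-----"):
        raise ValueError("reply does not carry a PEM certificate request")
    return csr if csr.endswith("\n") else csr + "\n"

def missing_extensions(extfile_text):
    """Names from REQUIRED_EXTENSIONS that the openssl -extfile lacks; the
    subjectAltName line must name an IP address, as the procedure requires."""
    keys = {line.split("=", 1)[0].strip() for line in extfile_text.splitlines() if "=" in line}
    missing = [k for k in REQUIRED_EXTENSIONS if k not in keys]
    if "subjectAltName" in keys and not re.search(r"subjectAltName\s*=\s*IP:", extfile_text):
        missing.append("subjectAltName=IP:...")
    return missing
```

Write `json.dumps(replace_payload(open("bmc.crt").read()), indent=2)` to certificate.json and `csr_from_reply(...)` to bmc.csr before running the curl and openssl commands above.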