diff options
Diffstat (limited to 'xyz/openbmc_project/Certs/README.md')
-rw-r--r-- | xyz/openbmc_project/Certs/README.md | 79 |
1 files changed, 79 insertions, 0 deletions
diff --git a/xyz/openbmc_project/Certs/README.md b/xyz/openbmc_project/Certs/README.md new file mode 100644 index 0000000..ad9a228 --- /dev/null +++ b/xyz/openbmc_project/Certs/README.md @@ -0,0 +1,79 @@ +# BMC Certificate management + +Certificate management allows to replace the existing certificate and private +key file with another (possibly certification Authority (CA) signed) +certificate and private key file. Certificate management allows the user to +install both the server and client certificates. The REST interface allows to +update the certificate, using an unencrypted certificate and private key file +in .pem format, which includes both private key and signed certificate. + +### Signed Certificate upload Design flow: + +- The REST Server copies the certificate and private key file to a temporary + location. +- REST server should map the URI to the target DBus application (Certs) object. + The recommendation for the D-Bus application implementing certificate D-Bus + objects is to use the same path structure as the REST endpoint. + e.g.: + - The URI /xyz/openbmc_project/certs/Server/Https maps to instance + of the certificate application handling Https server certificate. + - The URI /xyz/openbmc_project/certs/Client/LDAP maps to instance + of the certificate application handling LDAP client certificate. +- REST server should call the install method of the certificate application + instance. + +### REST interface details: + + ``` + url: /xyz/openbmc_project/certs/Server/Https + Description: Update https server signed certificate and the private key. + Method: PUT + + url: /xyz/openbmc_project/certs/Server/Https + Description: Delete https server signed certificate and the private key. + Method: DELETE + + url: /xyz/openbmc_project/certs/Client/LDAP + Description: Update ldap client certificate and the private key. + Method: PUT + + url: /xyz/openbmc_project/certs/Client/LDAP + Description: Delete ldap client certificate and the private key. + Method: DELETE + + Return codes + + 200 Success + 400 Invalid certificate and private key file. + 405 Method not supported. + 500 Internal server error + + ``` + + +### d-bus interfaces: + +#### d-bus interface to install certificate and private Key +- Certs application must: + - validate the certificate and Private key file by checking, if the Private + key matches the public key in the certificate file. + - copy the certificate and Public Key file to the service specific path + based on a configuration file. + - Reload the listed service(s) for which the certificate is updated. + +#### d-bus interface to Delete certificate and Private Key + +- certificate manager should provide interface to delete the existing + certificate. +- Incase of server type certificate deleting a signed certificate will + create a new self signed certificate and will install the same. + +### Boot process +- certificate management instances should be created based on the system + configuration. + +- Incase of no Https certificate or invalid Https certificate, certificate + manager should update the https certificate with self signed certificate. + +### Repository: + phosphor-certificate-manager |