Diffstat (limited to 'xyz')
 xyz/openbmc_project/Certs/Install.errors.yaml    |  3 +
 xyz/openbmc_project/Certs/Install.interface.yaml | 16 +
 xyz/openbmc_project/Certs/Install.metadata.yaml  |  4 +
 xyz/openbmc_project/Certs/README.md              | 79 +
4 files changed, 102 insertions, 0 deletions
diff --git a/xyz/openbmc_project/Certs/Install.errors.yaml b/xyz/openbmc_project/Certs/Install.errors.yaml
new file mode 100644
index 0000000..5381de0
--- /dev/null
+++ b/xyz/openbmc_project/Certs/Install.errors.yaml
@@ -0,0 +1,3 @@
+# xyz.openbmc_project.Certs.Install.Error.InvalidCertificate
+ - name: InvalidCertificate
+ description: Invalid certificate file.
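Review bot: the description "Invalid certificate file." is narrower than what this error has to cover; Install.interface.yaml says the Path argument carries both the certificate and the private key, and the README requires the install to fail when the private key does not match the certificate, so a key mismatch must also raise this error. Suggest `description: Invalid certificate or private key file, or private key does not match the certificate.` so that consumers mapping this error to the REST 400 response know which failures land here.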
diff --git a/xyz/openbmc_project/Certs/Install.interface.yaml b/xyz/openbmc_project/Certs/Install.interface.yaml
new file mode 100644
index 0000000..8781834
--- /dev/null
+++ b/xyz/openbmc_project/Certs/Install.interface.yaml
@@ -0,0 +1,16 @@
+description: >
+ Certificate management interface to install server and client certificates.
+methods:
+ - name: Install
+ description: >
+ Install the certificate and restart the associated services.
+ parameters:
+ - name: Path
+ type: string
+ description: >
+ Path of file that contains both the certificate public and
+ private key. (Example: a .PEM file containing both signed
+ certificate and private key).
+ errors:
+ - xyz.openbmc_project.Common.Error.InternalFailure
+ - xyz.openbmc_project.Certs.Install.Error.InvalidCertificate
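Review bot: the Path parameter description should state the handling expectations for this file, because it holds an unencrypted private key and the method is callable by anything permitted to reach this D-Bus object: whether Path must be absolute, whether the implementation consumes (removes) the file after a successful or failed install or leaves that to the caller, and that the file is expected to be readable only by the REST server and the certificate daemon. It would also help to say when each listed error is raised, e.g. `InvalidCertificate` for an unparseable PEM or a key that does not match the certificate and `InternalFailure` for copy or service-reload failures, since the README maps these to 400 and 500 and callers cannot do that mapping from the interface as written.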
diff --git a/xyz/openbmc_project/Certs/Install.metadata.yaml b/xyz/openbmc_project/Certs/Install.metadata.yaml
new file mode 100644
index 0000000..1d36c14
--- /dev/null
+++ b/xyz/openbmc_project/Certs/Install.metadata.yaml
@@ -0,0 +1,4 @@
+- name: InvalidCertificate
+ meta:
+ - str: "REASON = %s"
+ type: string
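Review bot: REASON is a free-form string that will surface in the REST 400 response and in the journal, so this file (or the README) should say that implementations fill it with a short classification such as "private key does not match certificate" and never with any part of the uploaded file, which contains the private key. Also confirm the nesting with the original indentation: `type: string` should sit inside the same list item as `str: "REASON = %s"`, not as a separate entry.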
diff --git a/xyz/openbmc_project/Certs/README.md b/xyz/openbmc_project/Certs/README.md
new file mode 100644
index 0000000..ad9a228
--- /dev/null
+++ b/xyz/openbmc_project/Certs/README.md
@@ -0,0 +1,79 @@
+# BMC Certificate management
+
+Certificate management allows to replace the existing certificate and private
+key file with another (possibly certification Authority (CA) signed)
+certificate and private key file. Certificate management allows the user to
+install both the server and client certificates. The REST interface allows to
+update the certificate, using an unencrypted certificate and private key file
+in .pem format, which includes both private key and signed certificate.
+
+### Signed Certificate upload Design flow:
+
+- The REST Server copies the certificate and private key file to a temporary
+ location.
+- REST server should map the URI to the target DBus application (Certs) object.
+ The recommendation for the D-Bus application implementing certificate D-Bus
+ objects is to use the same path structure as the REST endpoint.
+ e.g.:
+ - The URI /xyz/openbmc_project/certs/Server/Https maps to instance
+ of the certificate application handling Https server certificate.
+ - The URI /xyz/openbmc_project/certs/Client/LDAP maps to instance
+ of the certificate application handling LDAP client certificate.
+- REST server should call the install method of the certificate application
+ instance.
+
+### REST interface details:
+
+ ```
+ url: /xyz/openbmc_project/certs/Server/Https
+ Description: Update https server signed certificate and the private key.
+ Method: PUT
+
+ url: /xyz/openbmc_project/certs/Server/Https
+ Description: Delete https server signed certificate and the private key.
+ Method: DELETE
+
+ url: /xyz/openbmc_project/certs/Client/LDAP
+ Description: Update ldap client certificate and the private key.
+ Method: PUT
+
+ url: /xyz/openbmc_project/certs/Client/LDAP
+ Description: Delete ldap client certificate and the private key.
+ Method: DELETE
+
+ Return codes
+
+ 200 Success
+ 400 Invalid certificate and private key file.
+ 405 Method not supported.
+ 500 Internal server error
+
+ ```
+
+
+### d-bus interfaces:
+
+#### d-bus interface to install certificate and private Key
+- Certs application must:
+ - validate the certificate and Private key file by checking, if the Private
+ key matches the public key in the certificate file.
+ - copy the certificate and Public Key file to the service specific path
+ based on a configuration file.
+ - Reload the listed service(s) for which the certificate is updated.
+
+#### d-bus interface to Delete certificate and Private Key
+
+- certificate manager should provide interface to delete the existing
+ certificate.
+- Incase of server type certificate deleting a signed certificate will
+ create a new self signed certificate and will install the same.
+
+### Boot process
+- certificate management instances should be created based on the system
+ configuration.
+
+- Incase of no Https certificate or invalid Https certificate, certificate
+ manager should update the https certificate with self signed certificate.
+
+### Repository:
+ phosphor-certificate-manager
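Review bot: the README documents a D-Bus delete interface (section "d-bus interface to Delete certificate and Private Key") and DELETE REST methods, but this change only adds Install.interface.yaml; either the delete interface YAML belongs in this change or the README should mark delete as not yet defined. Two content fixes: under "d-bus interface to install certificate and private Key", "copy the certificate and Public Key file to the service specific path" should say private key, since the preceding bullet validates the private key against the certificate and that is the file the service needs; and the design flow should state what happens to the temporary copy of the unencrypted .pem made by the REST server (its permissions while it exists, and that it is removed after install succeeds or fails), as that file is the most sensitive artifact in this flow. Minor: "Incase" should be "In case", "allows to replace"/"allows to update" should be "allows the user to replace/update", and HTTPS/LDAP should be capitalised consistently.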