blob: ad9a2281f00c982ee442072d423ef5da5eb939a9 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
|
# BMC Certificate management
Certificate management allows to replace the existing certificate and private
key file with another (possibly certification Authority (CA) signed)
certificate and private key file. Certificate management allows the user to
install both the server and client certificates. The REST interface allows to
update the certificate, using an unencrypted certificate and private key file
in .pem format, which includes both private key and signed certificate.
### Signed Certificate upload Design flow:
- The REST Server copies the certificate and private key file to a temporary
location.
- REST server should map the URI to the target DBus application (Certs) object.
The recommendation for the D-Bus application implementing certificate D-Bus
objects is to use the same path structure as the REST endpoint.
e.g.:
- The URI /xyz/openbmc_project/certs/Server/Https maps to instance
of the certificate application handling Https server certificate.
- The URI /xyz/openbmc_project/certs/Client/LDAP maps to instance
of the certificate application handling LDAP client certificate.
- REST server should call the install method of the certificate application
instance.
### REST interface details:
```
url: /xyz/openbmc_project/certs/Server/Https
Description: Update https server signed certificate and the private key.
Method: PUT
url: /xyz/openbmc_project/certs/Server/Https
Description: Delete https server signed certificate and the private key.
Method: DELETE
url: /xyz/openbmc_project/certs/Client/LDAP
Description: Update ldap client certificate and the private key.
Method: PUT
url: /xyz/openbmc_project/certs/Client/LDAP
Description: Delete ldap client certificate and the private key.
Method: DELETE
Return codes
200 Success
400 Invalid certificate and private key file.
405 Method not supported.
500 Internal server error
```
### d-bus interfaces:
#### d-bus interface to install certificate and private Key
- Certs application must:
- validate the certificate and Private key file by checking, if the Private
key matches the public key in the certificate file.
- copy the certificate and Public Key file to the service specific path
based on a configuration file.
- Reload the listed service(s) for which the certificate is updated.
#### d-bus interface to Delete certificate and Private Key
- certificate manager should provide interface to delete the existing
certificate.
- Incase of server type certificate deleting a signed certificate will
create a new self signed certificate and will install the same.
### Boot process
- certificate management instances should be created based on the system
configuration.
- Incase of no Https certificate or invalid Https certificate, certificate
manager should update the https certificate with self signed certificate.
### Repository:
phosphor-certificate-manager
|