|
|
Post by AMI_alvin on Mar 4, 2021 6:05:52 GMT
Hi all, I have some questions about GenerateCSR action : 1. According to the schema, "CertificateCollection" property is the link to the certificate collection where the certificate is installed after the certificate authority (CA) signs the certificate. For example, if we generate a CSR and it needs to be signed by letsencrypt.org, how can we use letsencrypt to sign the CSR and then install to the target certificate collection in BMC? Is this the expected behavior of DMTF? 2. Continuous to question 1, what is the user scenario for GenerateCSR? Should client use the CSR string and manully provide to CA, or BMC should have the ability to sign this CSR and install to CertificateCollection? Thanks, Alvin |
|
|
|
Post by mraineri on Mar 4, 2021 14:12:49 GMT
The step where you take a CSR and provide it to a CA is outside the scope of Redfish. The response for the GenerateCSR action contains the CSR string. However this is then sent to your CA is up to you; ince everyone has a different infrastructure for managing this, Redfish doesn't specify how this is done. Once your CA returns the signed certificate, you can install it on the appropriate collection.
The reason "CertificateCollection" is one of the parameters is so the manager can sanity check the GenerateCSR parameters for additional restrictions based on the target collection. For example, there might be a certificate collection in one location that only supports RSA keys, but a different collection on the same service supports both RSA and elliptic curve keys. This could be because the end device consuming the certificate has different capabilities than other devices on the service.
Generally speaking, the UI for the managers I've seen don't do anything internal with the CSR, other than saving a copy of the key-pair generated with the CSR. Their UI typically contains a pop-up form where the user fills in the details, and the UI is updated with the CSR string. Users copy this string from the UI and send it to their CA as they need to based on who their CA is.
BMCs are not authorities, so there's no need for the BMC to produce a CSR and sign it themselves; doing this defeats the purpose of producing a CSR from an entity like a BMC. This is more like a self-signed certificate where an authority is not involved.
|
|
|
|
Post by AMI_alvin on Mar 8, 2021 7:38:52 GMT
mraineri thanks for your reply, the scenario for "CertificateCollection" is clear. I also want to check the scenario about priviate key which generating from GenerateCSR action. According to the schema : I think the steps should like these below. Please kindly correct me if they are wrong : 1. GenerateCSR action to create HTTPS certificate. It will return a CSR string in response body and keep the private key in BMC. ( "CertificateCollection" : {"@odata.id" : "/redfish/v1/Managers/1/NetworkProtocol/HTTPS/Certificates"}) 2. Provide this CSR string to CA. Then we got a certificate which signed by CA. 3. Install certificate by POST a HTTPS Certificates instance or using ReplaceCertificate Action to the "CertificateCollection" in Step 1. 4. BMC check the private key and the given certificate are matched or not. If matched, then install this certificate. If not matched, client should provide the private key if the service required for that. Did these steps conform to DMTF expected behavior? If the answer is yes, it seems that client will never know the private key from GenerateCSR even they got a signed certificate. That means this certificate have to be used for BMC services. Is this also expected? With best regards, Alvin
|
|
|
|
Post by mraineri on Mar 8, 2021 20:28:57 GMT
Yes, that's all what we expect. Generally speaking, when you do a CSR type of request with a managed entity in that the entity will be the one to own the certificate, it's seen as a bad practice to return the private key. No one needs the private key besides the managed entity, so any time you transfer a private key, you have a potential security risk where the key could be intercepted. We talk about these types of flows in the Certificate Management White Paper found here: www.dmtf.org/sites/default/files/standards/documents/DSP2059_1.0.0.pdf |
|
