| commit | 3c4781446a43a875d6bc0eeb87a9ee5ba0709a01 | |
|---|---|---|
| author | Lei YU <yulei.sh@bytedance.com> | Mon Jun 27 14:42:47 2022 +0800 |
| committer | Lei YU <yulei.sh@bytedance.com> | Tue May 09 17:33:30 2023 +0800 |
| tree | 69af732daddbf3801c3b656c3f7ffc5e8985ca59 | |
| parent | 75111af1e550ba091055bcc149fa12d97231567b | |
Allow for expired certificate

The code throws for an expired certificate, which results in the below behavior:

1. If BMC starts when the time is invalid (e.g. the date is in 1970), bmcweb will create a default certificate with hostname `testhost`;
2. In later reboots when BMC gets a valid time, the bmcweb loads the certificate as before. But phosphor-certificate-manager will throw on this certificate. Then there is no DBus object created for this certificate (`/xyz/openbmc_project/certs/server/https/1`)
3. Due to the missing DBus object:
   * We will not be able to replace the certificate, e.g. by below Redfish URI:
     ```
     /redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
     ```
   * When the BMC gets the hostname, bmcweb will generate a new self-signed certificate with the hostname and replace it, the replacement fails as well.

This commit adds a config option that allows the expired certificate to be created on DBus and fixes the above issues and it is enabled by default.

Signed-off-by: Lei YU <yulei.sh@bytedance.com>
Change-Id: Ib02bd686c9bfeb6401b269af20856824647f54c5
Certificate management allows the user to replace the existing certificate and private key file with another (possibly CA-signed) certificate and key file. It also allows the user to install both server and client certificates.
This project can be built with meson. The typical meson workflow is:

```
meson builddir && ninja -C builddir
```
Multiple instances of phosphor-certificate-manager are usually run on the BMC to support management of different types of certificates.
```
Usage: ./phosphor-certificate-manager [options]
Options:
    --help            Print this menu
    --type            certificate type
                      Valid types: client,server,authority
    --endpoint        d-bus endpoint
    --path            certificate file path
    --unit=<name>     Optional systemd unit need to reload
```

Purpose: Server https certificate

```
./phosphor-certificate-manager --type=server --endpoint=https \
    --path=/etc/ssl/certs/https/server.pem --unit=bmcweb.service
```

Purpose: Client certificate validation

```
./phosphor-certificate-manager --type=authority --endpoint=ldap \
    --path=/etc/ssl/certs/authority --unit=bmcweb.service
```

Purpose: LDAP client certificate validation

```
./phosphor-certificate-manager --type=client --endpoint=ldap \
    --path=/etc/nslcd/certs/cert.pem
```
phosphor-certificate-manager is an implementation of the D-Bus interface defined in this document.
D-Bus service name is constructed by "xyz.openbmc_project.Certs.Manager.{Type}.{Endpoint}" and D-Bus object path is constructed by "/xyz/openbmc_project/certs/{type}/{endpoint}".
Take https certificate management as an example.

```
./phosphor-certificate-manager --type=server --endpoint=https \
    --path=/etc/ssl/certs/https/server.pem --unit=bmcweb.service
```

D-Bus service name is "xyz.openbmc_project.Certs.Manager.Server.Https" and D-Bus object path is "/xyz/openbmc_project/certs/server/https".
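The two rules the page states in prose, the service-name/object-path construction from `--type` and `--endpoint` above, and the expired-certificate handling from the commit message (create the D-Bus object anyway when the option is enabled), are modelled below in one added Python example. This is illustrative code written for this page, not code from phosphor-certificate-manager or bmcweb; the function names, the `Decision` record, the year-2000 "unset clock" heuristic and the sample timestamps are all constructed here, and the rejection of a not-yet-valid certificate is this example's own assumption since the page only discusses expiry.

```python
"""Added example, not code from phosphor-certificate-manager or bmcweb.

Two helpers:
  * dbus_names(): derive the D-Bus service name and object path of a manager
    instance from its --type/--endpoint options (rules from the README text).
  * decide_registration(): the expired-certificate policy from the commit
    message, as a pure function over the certificate's validity window.
All names, thresholds and timestamps are constructed for illustration.
"""
import re
import ssl
from dataclasses import dataclass

# Valid --type values, copied from the --help text on the page.
VALID_TYPES = ("client", "server", "authority")

# This example's own sanity check on name elements: a D-Bus object path
# element may only contain [A-Za-z0-9_].
_ELEMENT_RE = re.compile(r"^[A-Za-z0-9_]+$")


def dbus_names(cert_type: str, endpoint: str) -> tuple[str, str]:
    """Return (service name, object path) for a manager instance.

    Service name: xyz.openbmc_project.Certs.Manager.{Type}.{Endpoint}
    Object path:  /xyz/openbmc_project/certs/{type}/{endpoint}
    """
    cert_type = cert_type.lower()
    endpoint = endpoint.lower()
    if cert_type not in VALID_TYPES:
        raise ValueError(f"unknown certificate type {cert_type!r}; "
                         f"valid types: {', '.join(VALID_TYPES)}")
    if not _ELEMENT_RE.match(endpoint):
        raise ValueError(f"endpoint {endpoint!r} is not a valid D-Bus path element")
    service = (f"xyz.openbmc_project.Certs.Manager."
               f"{cert_type.capitalize()}.{endpoint.capitalize()}")
    path = f"/xyz/openbmc_project/certs/{cert_type}/{endpoint}"
    return service, path


@dataclass(frozen=True)
class Decision:
    register: bool              # create the per-certificate D-Bus object?
    reason: str                 # "valid", "expired", "not yet valid", ...
    unset_clock_suspected: bool  # notBefore predates the heuristic cutoff


# Constructed heuristic for this example: a certificate whose notBefore lies
# before 2000 was almost certainly generated while the BMC clock was unset
# (the 1970 case the commit message describes). Not a project setting.
UNSET_CLOCK_CUTOFF = ssl.cert_time_to_seconds("Jan  1 00:00:00 2000 GMT")


def _to_seconds(value) -> int:
    """Accept either epoch seconds or an OpenSSL-style 'Jun 27 14:42:47 2022 GMT'."""
    return ssl.cert_time_to_seconds(value) if isinstance(value, str) else int(value)


def decide_registration(not_before: str, not_after: str, now,
                        allow_expired: bool = True) -> Decision:
    """Decide whether a loaded certificate gets a D-Bus object.

    allow_expired mirrors the config option added by the commit (enabled by
    default there): an expired certificate is still registered so that it can
    later be replaced, instead of being dropped without a D-Bus object.
    """
    nb = _to_seconds(not_before)
    na = _to_seconds(not_after)
    t = _to_seconds(now)
    suspect = nb < UNSET_CLOCK_CUTOFF
    if na < nb:
        return Decision(False, "invalid validity window", suspect)
    if t < nb:
        # Assumption of this example: the page only discusses expiry, so a
        # not-yet-valid certificate is still refused here.
        return Decision(False, "not yet valid", suspect)
    if t > na:
        return Decision(allow_expired, "expired", suspect)
    return Decision(True, "valid", suspect)


if __name__ == "__main__":
    for cert_type, endpoint in (("server", "https"), ("authority", "ldap"), ("client", "ldap")):
        print(cert_type, endpoint, "->", *dbus_names(cert_type, endpoint))
    # Constructed 1970-clock certificate, examined once the BMC has real time.
    print(decide_registration("Jan  1 00:00:00 1970 GMT", "Jan  1 00:00:00 1980 GMT",
                              "May  9 17:33:30 2023 GMT", allow_expired=True))
```

With `allow_expired=False` the 1970-clock certificate is reported as expired and not registered, which is the pre-commit behaviour that left no object to replace; with the default `True` it is registered, and `unset_clock_suspected` gives an operator a cheap signal that the certificate should be regenerated now that the clock is valid.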
OpenBMC bmcweb exposes various REST APIs for certificate management on the BMC, which leverage the functionality of phosphor-certificate-manager via D-Bus.