Certificate management allows to replace the existing certificate and private key file with another (possibly certification Authority (CA) signed) certificate and private key file. Certificate management allows the user to install both the server and client certificates. The REST interface allows to update the certificate, using an unencrypted certificate and private key file in .pem format, which includes both private key and signed certificate.
The REST Server copies the certificate and private key file to a temporary location.
REST server should map the URI to the target DBus application (Certs) object. The recommendation for the D-Bus application implementing certificate D-Bus objects is to use the same path structure as the REST endpoint. e.g.: - The URI /xyz/openbmc_project/certs/Server/Https maps to instance of the certificate application handling Https server certificate. - The URI /xyz/openbmc_project/certs/Client/LDAP maps to instance of the certificate application handling LDAP client certificate.
REST server should call the install method of the certificate application instance.
Certificate manager application also implements d-bus object xyz.openbmc_project.Certs.Manager. This includes the collection of "certificates specific d-bus objects" installed in the system. This d-bus provide option to view the certificate on PEM format and delete the same. Refer https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail for details. e.g. for Certificate specific d-bus path - /xyz/openbmc_project/certs/Server/ maps to instance of the server types certificate. - /xyz/openbmc_project/certs/Client/ maps to instance of the client type certificate. note: unique id is the hash value of certificate issuer and serial number.
Applications should subscribe the xyz.openbmc_project.Certs.Manager to see any new certificate is uploaded or change in the existing certificates.
Certificate manager scope is limited to manage the certificate and impacted application is responsible for application specific changes.
Incase of delete action, certificate manager creates a new self signed certificate after successful delete.
url: /xyz/openbmc_project/certs/Server/Https Description: Update https server signed certificate and the private key. Method: PUT url: /xyz/openbmc_project/certs/Server/Https Description: Delete https server signed certificate and the private key. Method: DELETE url: /xyz/openbmc_project/certs/Client/LDAP Description: Update ldap client certificate and the private key. Method: PUT url: /xyz/openbmc_project/certs/Client/LDAP Description: Delete ldap client certificate and the private key. Method: DELETE Return codes 200 Success 400 Invalid certificate and private key file. 405 Method not supported. 500 Internal server error
certificate management instances should be created based on the system configuration.
Incase of no Https certificate or invalid Https certificate, certificate manager should update the https certificate with self signed certificate.
phosphor-certificate-manager