Hi,

Currently certificate installation is supported by bmcweb via redfish/v1/Managers/bmc/Truststore/Certificates, where the certificate content is part of the JSON request.

For our use case it's a more restricted environment in which we don't want to have plaintext certificates in the request. Instead we want to send a pair of encrypted key and certificate from the host to the BMC and there will be another daemon to decrypt them using an internal library.

Since it's not supported by the Redfish schema, my plan is to use the redfish/v1/CertificateService/OemActions URI and a request payload like below:
{
  "key": "encrypted key in binary",
  "certificate": "encrypted certificate in binary"
}

The reasons to use the URI and payload are:
1. It's related to certificate service although in opaque blobs.
2. It's fairly company-specific and probably isn't universally applicable.

My questions are:
1. Is this a reasonable approach?
2. Shall we define an OEM schema for our request?

Thanks,
Zhenfei