+1 as I had the same concerns. We cannot use an untrusted connection to provision certs. It would be good to create a separate workflow to provision these certs.

Regards

N

 

From: openbmc <openbmc-bounces+neladk=microsoft.com@lists.ozlabs.org> On Behalf Of Zhenfei Tai
Sent: Thursday, July 23, 2020 5:46 PM
To: OpenBMC Maillist <openbmc@lists.ozlabs.org>
Subject: [EXTERNAL] bmcweb TLS certificates installation and management

 

Hi,

 

I've recently been looking into certificate installation and management for bmcweb and hope to understand the best practice in this regard.

According to the TLS doc, bmcweb has APIs that allow root CA installation and HTTPS server certificate replacement.

My questions are:

  • Should there be a separate workflow to manage certifications of BMCs?
  • Should the bmcweb APIs be used for the installation and management?

 

Thanks,

Zhenfei