openbmc.lists.ozlabs.org archive mirror
* No option to delete SSL certificates
@ 2021-03-05  3:52 Mohammed.Habeeb ISV
  2021-03-05 17:42 ` Gunnar Mills
  0 siblings, 1 reply; 8+ messages in thread
From: Mohammed.Habeeb ISV @ 2021-03-05  3:52 UTC (permalink / raw)
  To: openbmc



Hi

In webui-vue, SSL certificates have only a replace option. The delete button is greyed out.
Is there any reason for not providing a delete option?


* Re: No option to delete SSL certificates
  2021-03-05  3:52 No option to delete SSL certificates Mohammed.Habeeb ISV
@ 2021-03-05 17:42 ` Gunnar Mills
  2021-03-05 17:52   ` Ed Tanous
  2021-03-05 18:41   ` Milton Miller II
  0 siblings, 2 replies; 8+ messages in thread
From: Gunnar Mills @ 2021-03-05 17:42 UTC (permalink / raw)
  To: Mohammed.Habeeb ISV, openbmc; +Cc: devenrao, ojayanth

On 3/4/2021 8:52 PM, Mohammed.Habeeb ISV wrote:
> In webui-vue , SSL certificates has only replace option. Delete button 
> is greyed out.
> 
> Is there any reason for not providing delete option?

Looking at the code, I believe the only certificate that can be deleted 
in bmcweb is the Trust Store Certificate
https://github.com/openbmc/bmcweb/blob/feaf15005555a3099c7f22a7e3d16c99ccb40e72/redfish-core/lib/certificate_service.hpp#L1347

And this is reflected in the webui-vue code:
https://github.com/openbmc/webui-vue/blob/4da9495925d601bb4edfb8b007d5b54792b7491b/src/views/AccessControl/SslCertificates/SslCertificates.vue#L183

I am not sure if there is a reason for not supporting deleting other 
certificates or just no one has done the work.
https://github.com/openbmc/bmcweb/commit/07a602993f1007b0b0b764bdb3f14f302a8d2e26

Thanks,
Gunnar


* Re: No option to delete SSL certificates
  2021-03-05 17:42 ` Gunnar Mills
@ 2021-03-05 17:52   ` Ed Tanous
  2021-03-05 18:22     ` Mohammed.Habeeb ISV
  2021-03-05 18:41   ` Milton Miller II
  1 sibling, 1 reply; 8+ messages in thread
From: Ed Tanous @ 2021-03-05 17:52 UTC (permalink / raw)
  To: Gunnar Mills; +Cc: devenrao, Mohammed.Habeeb ISV, openbmc, ojayanth

On Fri, Mar 5, 2021 at 9:43 AM Gunnar Mills <gmills@linux.vnet.ibm.com> wrote:
>
> On 3/4/2021 8:52 PM, Mohammed.Habeeb ISV wrote:
> > In webui-vue , SSL certificates has only replace option. Delete button
> > is greyed out.
> >
> > Is there any reason for not providing delete option?

I can't explain why the TrustStore certificate isn't deletable, that
seems like a bug in webui-vue.

The HTTPS certificate isn't deletable because that would effectively
disable the HTTPS interface entirely, which seems like a problem,
given that you're currently using the HTTPS interface to communicate
with the BMC.  Because of that, we only support replacing the
certificate.  In a perfect world, we could regenerate a new
self-signed certificate if the old one was deleted, but nobody has
written that code so far as I'm aware, I suspect because it's just as
easy to replace the certificate with your own self-signed cert.

>
> Looking at the code, I believe the only certificate that can be deleted
> in bmcweb is the Trust Store Certificate
> https://github.com/openbmc/bmcweb/blob/feaf15005555a3099c7f22a7e3d16c99ccb40e72/redfish-core/lib/certificate_service.hpp#L1347
>
> And this is reflected in the webui-vue code:
> https://github.com/openbmc/webui-vue/blob/4da9495925d601bb4edfb8b007d5b54792b7491b/src/views/AccessControl/SslCertificates/SslCertificates.vue#L183
>
> I am not sure if there is a reason for not supporting deleting other
> certificates or just no one has done the work.
> https://github.com/openbmc/bmcweb/commit/07a602993f1007b0b0b764bdb3f14f302a8d2e26
>
> Thanks,
> Gunnar


* RE: No option to delete SSL certificates
  2021-03-05 17:52   ` Ed Tanous
@ 2021-03-05 18:22     ` Mohammed.Habeeb ISV
  0 siblings, 0 replies; 8+ messages in thread
From: Mohammed.Habeeb ISV @ 2021-03-05 18:22 UTC (permalink / raw)
  To: Ed Tanous, Gunnar Mills; +Cc: devenrao, openbmc, ojayanth



-----Original Message-----
From: Ed Tanous <ed@tanous.net> 
Sent: Friday, March 5, 2021 9:53 AM
To: Gunnar Mills <gmills@linux.vnet.ibm.com>
Cc: Mohammed.Habeeb ISV <mohammed.habeeb@inventec.com>; openbmc@lists.ozlabs.org; devenrao@in.ibm.com; ojayanth@in.ibm.com
Subject: Re: No option to delete SSL certificates

On Fri, Mar 5, 2021 at 9:43 AM Gunnar Mills <gmills@linux.vnet.ibm.com> wrote:
>
> On 3/4/2021 8:52 PM, Mohammed.Habeeb ISV wrote:
> > In webui-vue , SSL certificates has only replace option. Delete 
> > button is greyed out.
> >
> > Is there any reason for not providing delete option?

I can't explain why the TrustStore certificate isn't deletable, that seems like a bug in webui-vue.

The HTTPS certificate isn't deletable because that would effectively disable the HTTPS interface entirely, which seems like a problem, given that you're currently using the HTTPS interface to communicate with the BMC.  Because of that, we only support replacing the certificate.  In a perfect world, we could regenerate a new self-signed certificate if the old one was deleted, but nobody has written that code so far as I'm aware, I suspect because it's just as easy to replace the certificate with your own self-signed cert.

Thanks for sharing the information. How about LDAP certificate type? 
>
> Looking at the code, I believe the only certificate that can be 
> deleted in bmcweb is the Trust Store Certificate
> https://github.com/openbmc/bmcweb/blob/feaf15005555a3099c7f22a7e3d16c99ccb40e72/redfish-core/lib/certificate_service.hpp#L1347
>
> And this is reflected in the webui-vue code:
> https://github.com/openbmc/webui-vue/blob/4da9495925d601bb4edfb8b007d5b54792b7491b/src/views/AccessControl/SslCertificates/SslCertificates.vue#L183
>
> I am not sure if there is a reason for not supporting deleting other 
> certificates or just no one has done the work.
> https://github.com/openbmc/bmcweb/commit/07a602993f1007b0b0b764bdb3f14f302a8d2e26
>
> Thanks,
> Gunnar


* RE: No option to delete SSL certificates
  2021-03-05 17:42 ` Gunnar Mills
  2021-03-05 17:52   ` Ed Tanous
@ 2021-03-05 18:41   ` Milton Miller II
  2021-03-05 20:28     ` Ed Tanous
  1 sibling, 1 reply; 8+ messages in thread
From: Milton Miller II @ 2021-03-05 18:41 UTC (permalink / raw)
  To: Ed Tanous
  Cc: Devender Rao, Mohammed.Habeeb ISV, Gunnar Mills, openbmc,
	Jayanth Othayoth

On March 05, Ed Tanous wrote:
>On Fri, Mar 5, 2021 at 9:43 AM Gunnar Mills
><gmills@linux.vnet.ibm.com> wrote:
>>
>> On 3/4/2021 8:52 PM, Mohammed.Habeeb ISV wrote:
>> > In webui-vue , SSL certificates has only replace option. Delete button
>> > is greyed out.
>> >
>> > Is there any reason for not providing delete option?
>
>I can't explain why the TrustStore certificate isn't deletable, that
>seems like a bug in webui-vue.
>
>The HTTPS certificate isn't deletable because that would effectively
>disable the HTTPS interface entirely, which seems like a problem,
>given that you're currently using the HTTPS interface to communicate
>with the BMC.  Because of that, we only support replacing the
>certificate.  In a perfect world, we could regenerate a new
>self-signed certificate if the old one was deleted, but nobody has
>written that code so far as I'm aware, I suspect because it's just as
>easy to replace the certificate with your own self-signed cert.

There was also discussion (but I don't remember if it was email 
or in a gerrit review) that deleting invalid certificates was 
a bad idea when they are invalid for the current time because 
sometimes the issue is the loss of the real time clock, and we 
don't want to delete what should be a good cert and replace with 
a self signed one just because the RTC is wrong.

Deleting the current cert can cause issues with certificate 
pinning in the browser.

>>
>> Looking at the code, I believe the only certificate that can be deleted
>> in bmcweb is the Trust Store Certificate
>> https://github.com/openbmc/bmcweb/blob/feaf15005555a3099c7f22a7e3d16c99ccb40e72/redfish-core/lib/certificate_service.hpp#L1347
>>
>> And this is reflected in the webui-vue code:
>> https://github.com/openbmc/webui-vue/blob/4da9495925d601bb4edfb8b007d5b54792b7491b/src/views/AccessControl/SslCertificates/SslCertificates.vue#L183
>>
>> I am not sure if there is a reason for not supporting deleting other
>> certificates or just no one has done the work.
>> https://github.com/openbmc/bmcweb/commit/07a602993f1007b0b0b764bdb3f14f302a8d2e26
>>
>> Thanks,
>> Gunnar

milton
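
An added sketch (not part of the thread, and not webui-vue or bmcweb code) of the two points made above: delete is offered only for the TrustStore certificate, and a certificate that looks invalid is kept when the clock itself is implausible. The type labels, `CLOCK_FLOOR`, the `auto-regenerate` action and all function names are assumptions for illustration.

```javascript
// Added illustration; not webui-vue or bmcweb code. Names are hypothetical.
// Per the thread: only the TrustStore certificate is deletable; HTTPS (and,
// by the same statement, LDAP) certificates can only be replaced.
const POLICY = {
  HTTPS: { replace: true, delete: false },
  LDAP: { replace: true, delete: false },
  TrustStore: { replace: true, delete: true },
};

// Constructed value: a time the BMC clock can never legitimately be earlier
// than, for example the firmware build time.
const CLOCK_FLOOR = new Date("2021-01-01T00:00:00Z");

// Classify validity, refusing to judge when the clock itself is implausible.
function validity(cert, now, clockFloor = CLOCK_FLOOR) {
  if (now < clockFloor) return "clock-untrusted";
  if (now < cert.notBefore) return "not-yet-valid";
  if (now > cert.notAfter) return "expired";
  return "valid";
}

// action: "delete" or "replace" (user request), or "auto-regenerate"
// (hypothetical system-initiated swap to a self-signed certificate).
function decide(cert, action, now, clockFloor = CLOCK_FLOOR) {
  const rule = POLICY[cert.type];
  if (!rule) return { allowed: false, reason: "unknown certificate type" };
  if (action === "delete" || action === "replace") {
    return rule[action]
      ? { allowed: true, reason: `${action} supported for ${cert.type}` }
      : { allowed: false, reason: `${action} not supported for ${cert.type}` };
  }
  if (action === "auto-regenerate") {
    const state = validity(cert, now, clockFloor);
    if (state === "clock-untrusted")
      return { allowed: false, reason: "clock below floor, keep certificate" };
    if (state === "valid")
      return { allowed: false, reason: "certificate is valid" };
    return { allowed: true, reason: `certificate ${state}` };
  }
  return { allowed: false, reason: "unknown action" };
}

// Constructed sample certificate.
const httpsCert = {
  type: "HTTPS",
  notBefore: new Date("2020-06-01T00:00:00Z"),
  notAfter: new Date("2030-06-01T00:00:00Z"),
};
```

With the clock reset to 1970 after RTC loss, `decide(httpsCert, "auto-regenerate", ...)` refuses and the installed certificate stays in place; a user-requested `delete` is refused for HTTPS regardless of the clock.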



* Re: No option to delete SSL certificates
  2021-03-05 18:41   ` Milton Miller II
@ 2021-03-05 20:28     ` Ed Tanous
  2021-03-05 23:24       ` Derick Montague
  0 siblings, 1 reply; 8+ messages in thread
From: Ed Tanous @ 2021-03-05 20:28 UTC (permalink / raw)
  To: Milton Miller II
  Cc: Devender Rao, Mohammed.Habeeb ISV, Gunnar Mills, openbmc,
	Jayanth Othayoth

On Fri, Mar 5, 2021 at 10:41 AM Milton Miller II <miltonm@us.ibm.com> wrote:
>
> On March 05, Ed Tanous wrote:
> >On Fri, Mar 5, 2021 at 9:43 AM Gunnar Mills
> ><gmills@linux.vnet.ibm.com> wrote:
> >>
> >> On 3/4/2021 8:52 PM, Mohammed.Habeeb ISV wrote:
> >> > In webui-vue , SSL certificates has only replace option. Delete button
> >> > is greyed out.
> >> >
> >> > Is there any reason for not providing delete option?
> >
> >I can't explain why the TrustStore certificate isn't deletable, that
> >seems like a bug in webui-vue.
> >
> >The HTTPS certificate isn't deletable because that would effectively
> >disable the HTTPS interface entirely, which seems like a problem,
> >given that you're currently using the HTTPS interface to communicate
> >with the BMC.  Because of that, we only support replacing the
> >certificate.  In a perfect world, we could regenerate a new
> >self-signed certificate if the old one was deleted, but nobody has
> >written that code so far as I'm aware, I suspect because it's just as
> >easy to replace the certificate with your own self-signed cert.
>
> There was also discussion (but I don't remember if it was email
> or in a gerrit review) that deleting invalid certificates was
> a bad idea when they are invalid for the current time because
> sometimes the issue is the loss of the real time clock, and we
> don't want to delete what should be a good cert and replace with
> a self signed one just because the RTC is wrong.

I think that's a different issue.  This is talking about the actual
delete API a user would request.

>
> Deleting the current cert can cause issues with certificate
> pinning in the browser.

You're either talking about HSTS, which isn't affected by certificate
changes, or you're talking about HPKP which we've never supported in
bmcweb, and I thought the browsers removed support for it anyway.
Either way, I don't think it's a concern in OpenBMC in this case.  We
can (and expect to in a security conscious org) replace the
certificate at will often.

>
> >>
> >> Looking at the code, I believe the only certificate that can be deleted
> >> in bmcweb is the Trust Store Certificate
> >> https://github.com/openbmc/bmcweb/blob/feaf15005555a3099c7f22a7e3d16c99ccb40e72/redfish-core/lib/certificate_service.hpp#L1347
> >>
> >> And this is reflected in the webui-vue code:
> >> https://github.com/openbmc/webui-vue/blob/4da9495925d601bb4edfb8b007d5b54792b7491b/src/views/AccessControl/SslCertificates/SslCertificates.vue#L183
> >>
> >> I am not sure if there is a reason for not supporting deleting other
> >> certificates or just no one has done the work.
> >> https://github.com/openbmc/bmcweb/commit/07a602993f1007b0b0b764bdb3f14f302a8d2e26
> >>
> >> Thanks,
> >> Gunnar
>
> milton
>


* RE: No option to delete SSL certificates
  2021-03-05 20:28     ` Ed Tanous
@ 2021-03-05 23:24       ` Derick Montague
  2021-03-06  5:03         ` Jayanth Othayoth
  0 siblings, 1 reply; 8+ messages in thread
From: Derick Montague @ 2021-03-05 23:24 UTC (permalink / raw)
  To: ed; +Cc: openbmc, Jayanth Othayoth, Devender Rao, mohammed.habeeb, gmills

 
> I can't explain why the TrustStore certificate isn't deletable, that seems like a bug in webui-vue.  
   
That is the only certificate type that can be deleted.

https://github.com/openbmc/webui-vue/blob/d6752694d31362bd42c3cbb51a35d36fa2bc25e1/src/views/AccessControl/SslCertificates/SslCertificates.vue#L179-L184



* Re: No option to delete SSL certificates
  2021-03-05 23:24       ` Derick Montague
@ 2021-03-06  5:03         ` Jayanth Othayoth
  0 siblings, 0 replies; 8+ messages in thread
From: Jayanth Othayoth @ 2021-03-06  5:03 UTC (permalink / raw)
  To: Derick Montague
  Cc: OpenBMC Maillist, Ed Tanous, Jayanth Othayoth, Devender Rao,
	mohammed.habeeb, gmills


Discussion thread related to the Root CA certificate management proposal:
https://lists.ozlabs.org/pipermail/openbmc/2019-April/016136.html

*Deleting Certificates*
This option is required for deleting invalid/expired/compromised
certificates. The existing CertificateService schema doesn't support deleting
installed certificates. Also, the "deletable" option is disabled
(deletable = false) in the CertificateCollection schema
(https://redfish.dmtf.org/schemas/CertificateCollection.json).

When we discussed this with DMTF during 2Q 2019, no certificate schema was
available to handle root CA certificates.
DMTF was OK with extending the existing certificate schema to support Root CA
(see the proposal for details) until the Root CA schema is available.




On Sat, Mar 6, 2021 at 4:55 AM Derick Montague <Derick.Montague@ibm.com>
wrote:

>
> > I can't explain why the TrustStore certificate isn't deletable, that
> seems like a bug in webui-vue.
>
> That is the only certificate type that can be deleted.
>
>
> https://github.com/openbmc/webui-vue/blob/d6752694d31362bd42c3cbb51a35d36fa2bc25e1/src/views/AccessControl/SslCertificates/SslCertificates.vue#L179-L184
>
>
