ovs-pki(8) | Open vSwitch Manual | ovs-pki(8) |
ovs-pki - OpenFlow public key infrastructure management utility
Each command takes the form:
ovs-pki [options] command [args]
The implemented commands and their arguments are:
ovs-pki init
ovs-pki req name
ovs-pki sign name [type]
ovs-pki req+sign name [type]
ovs-pki verify name [type]
ovs-pki fingerprint file
ovs-pki self-sign name
Each type above is a certificate type, either switch (default) or controller.
The available options are:
[-k type | --key=type]
[-B nbits | --bits=nbits]
[-D file | --dsaparam=file]
[-b | --batch]
[-f | --force]
[-d dir | --dir=dir]
[-l file | --log=file]
[-u | --unique]
[-h | --help]
Some options do not apply to every command.
The ovs-pki program sets up and manages a public key infrastructure for use with OpenFlow. It is intended to be a simple interface for organizations that do not have an established public key infrastructure. Other PKI tools can substitute for or supplement the use of ovs-pki.
ovs-pki uses openssl(1) for certificate management and key generation.
The following ovs-pki commands support manual PKI administration:
This command should ideally be run on a high-security machine separate from any OpenFlow controller or switch, called the CA machine. The files pki/controllerca/cacert.pem and pki/switchca/cacert.pem that it produces will need to be copied over to the OpenFlow switches and controllers, respectively. Their contents may safely be made public.
By default, ovs-pki generates 2048-bit RSA keys. The -B or --bits option (see below) may be used to override the key length. The -k dsa or --key=dsa option may be used to use DSA in place of RSA. If DSA is selected, the dsaparam.pem file generated in the new PKI hierarchy must be copied to any machine on which the req command (see below) will be executed. Its contents may safely be made public.
Other files generated by init may remain on the CA machine. The files pki/controllerca/private/cakey.pem and pki/switchca/private/cakey.pem have particularly sensitive contents that should not be exposed.
This command should ideally be run on the switch or controller that will use the private key to identify itself. The file name-req.pem must be copied to the CA machine for signing with the sign command (below).
This command will output a fingerprint to stdout as its final step. Write down the fingerprint and take it to the CA machine before continuing with the sign step.
When RSA keys are in use (as is the default), req, unlike the rest of ovs-pki's commands, does not need access to a PKI hierarchy created by ovs-pki init. The -B or --bits option (see below) may be used to specify the number of bits in the generated RSA key.
When DSA keys are used (as specified with --key=dsa), req needs access to the dsaparam.pem file created as part of the PKI hierarchy (but not to other files in that tree). By default, ovs-pki looks for this file in /var/lib/openvswitch/pki/dsaparam.pem, but the -D or --dsaparam option (see below) may be used to specify an alternate location.
name-privkey.pem has sensitive contents that should not be exposed. name-req.pem may be safely made public.
This command must be run on the CA machine.
The command will output a fingerprint to stdout and request that you verify that it is the same fingerprint output by the req command. This ensures that the request being signed is the same one produced by req. (The -b or --batch option suppresses the verification step.)
The file name-cert.pem will need to be copied back to the switch or controller for which it is intended. Its contents may safely be made public.
This combined method is, theoretically, less secure than the individual steps performed separately on two different machines, because there is additional potential for exposure of the private key. However, it is also more convenient.
Some controllers accept such self-signed certificates.
The type may be rsa (the default) or dsa.
The value must be at least 1024. The default is 2048.
The default is dsaparam.pem under the PKI hierarchy.
2.10.7 | Open vSwitch |