Using OpenSSL TLS Certificates for OVSDB and other Services
This feature provides a common Transport Layer Security (TLS) facility within Netvisor ONE that you can use for any service, such as the Open vSwitch Database Management Protocol (OVSDB) or a Web service. TLS is needed for any SSL connection to a Netvisor ONE service. For OVSDB, it is needed to connect to a controller using SSL. For HTTPS communication between a REST API client and the Tomcat application server running on a switch, you need to configure and deploy a server certificate in the Tomcat server.
You can create one common certificate for all Netvisor ONE services or create multiple named certificates. Each service can use a different certificate identified by name or container name or zone.
The Certificate facility keeps track of which applications use each certificate. It notifies the applications when a certificate is updated, and it prevents a certificate from being deleted while an application is using it.
There are two ways to generate certificates:
Self-signed certificate
Certificate signed by a Certificate Authority (CA)
Self-signed Certificate
To generate a self-signed certificate, use the cert-create command. This command creates a server certificate and self-signs it.
Certificate signed by a Certificate Authority (CA)
To generate a certificate signed by a CA, follow these steps:
1. Create a certificate signing request.
2. Export the certificate signing request and send it to the CA administrator.
3. Import the certificate received from the CA administrator against the matching certificate signing request.
4. Import the intermediate and root CA certificates to the switch, if not done already.
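The following is an added example, not Netvisor ONE code or output: it shows the CA administrator's side of steps 2 to 4 with the openssl command-line tool, and the two checks worth running before importing the result with cert-import. It assumes openssl 1.1.1 or later is on the PATH. Because a real exported request is not available offline, the switch's CSR (normally produced by cert-request-create) is stood in for by one generated here with a throwaway key; the subject copies the cert-show output shown later on this page, and the CA names are invented.

```shell
#!/bin/sh
# Added example: CA-side signing of a switch CSR and the checks to run before
# cert-import. Not Netvisor ONE code. Assumes openssl 1.1.1+ on the PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Two-tier CA: an offline root and the issuing intermediate that signs switch CSRs.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=US/O=Example Corp/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$WORK/root.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=US/O=Example Corp/CN=Example Issuing CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  # pathlen:0 restricts the intermediate to issuing end-entity certificates only.
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' \
    > "$WORK/inter.ext"
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -extfile "$WORK/inter.ext" -out "$WORK/inter.pem" 2>/dev/null
}

# Stand-in for the CSR the switch exports in step 2 (constructed here, with a
# throwaway key; subject copied from the page's cert-show output).
make_switch_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=us/ST=ca/L=mp/O=pl/OU=engg/CN=pluribus1" \
    -keyout "$WORK/switch.key" -out "$WORK/switch.csr" 2>/dev/null
}

# The CA administrator signs the switch CSR with the intermediate, constraining
# the result to a TLS server certificate (no CA bit, serverAuth only).
sign_server_csr() {
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:pluribus1\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' \
    > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/switch.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 365 -extfile "$WORK/server.ext" -out "$WORK/server.pem" 2>/dev/null
}

# Step 3 check: the returned certificate must answer the right CSR, which means
# it carries the same public key. Usage: cert_matches_csr CSR CERT
cert_matches_csr() {
  csr_key=$(openssl req -in "$1" -noout -pubkey | openssl sha256)
  crt_key=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
  [ "$csr_key" = "$crt_key" ]
}

# Step 4 check: the server certificate only validates when the intermediate is
# available to build the chain, which is why it is imported along with the root.
verify_with_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/server.pem" >/dev/null 2>&1
}
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
}

make_ca
make_switch_csr
sign_server_csr
cert_matches_csr "$WORK/switch.csr" "$WORK/server.pem" && echo "certificate answers the switch CSR"
verify_with_chain && echo "chain verifies: root -> intermediate -> pluribus1"
verify_without_intermediate || echo "without the intermediate the chain does not verify: import it as well"
```

The public-key comparison is what "against the right certificate signing request" means in practice: a certificate issued for a different request, even one with an identical subject, will not match the switch's private key. The second verify call shows the failure mode step 4 exists to avoid: a root alone cannot validate a certificate issued by an intermediate.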
CLI Commands
These commands allow you to manage TLS certificates.
To create a self-signed server certificate, use the cert-create command:
CLI network-admin@switch > cert-create country country-string state state-string city city-string organization organization-string organizational-unit organization-unit-string common-name common-name-string name name-string [container/zone name]
cert-create
Creates a server certificate and self-signs it.
country country-string
Specify a country name (two-letter code).
state state-string
Specify a state or province name.
city city-string
Specify a city name.
organization organization-string
Specify an organization name.
organizational-unit organizational-unit-string
Specify an organizational unit name.
common-name common-name-string
Specify a common name.
name name-string
Specify a certificate name.
any of the following options:
container zone name
Specify a certificate zone name.
To delete a certificate, use the cert-delete command:
CLI network-admin@switch > cert-delete name name-string [container/zone name]
cert-delete
Deletes a certificate.
name name-string
Specify the certificate name.
any of the following options:
container zone name
Specify a certificate zone name.
To import a CA certificate file, use the cert-import command:
CLI network-admin@switch > cert-import name name-string file-ca file-ca-string [container zone name] [file-inter file-inter-string]
cert-import
Imports certificates from the SFTP directory.
name name-string
Specify a certificate name.
file-ca file-ca-string
Specify the name of the CA certificate file.
file-server file-server-string
Specify the name of the server certificate file.
any of the following options:
container zone name
Specify a certificate zone name.
any of the following options:
file-inter file-inter-string
Specify the name of the intermediate CA certificate file.
To import a server certificate file, use the cert-import command:
CLI network-admin@switch > cert-import name name-string file-server file-server-string [container zone name] [file-ca file-ca-string] [file-inter file-inter-string]
cert-import
Imports certificates from the SFTP directory.
name name-string
Specify the certificate name.
file-server file-server-string
Specify the name of the server certificate file.
at least 0 of the following options:
container zone name
Specify a certificate zone name.
any of the following options:
file-ca file-ca-string
Specify the name of the CA certificate file.
file-inter file-inter-string
Specify the name of the intermediate CA certificate file.
To create a certificate signing request, use the cert-request-create command:
CLI network-admin@switch > cert-request-create name name-string [container/zone name]
cert-request-create
Creates a certificate signing request from an existing server certificate.
name name-string
Specify the certificate name.
at least 0 of the following options:
container zone name
Specify a certificate zone container name.
To display a certificate signing request, use the cert-request-show command:
CLI network-admin@switch > cert-request-show name name-string [container/zone name]
cert-request cert-request-name
----------------------------------------------------------------
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
To display certificates, use the cert-show command:
CLI network-admin@switch > cert-show [cert-type ca|intermediate|server] [subject subject-string] [issuer issuer-string] [serial-number serial-number-number] [valid-from valid-from-string] [valid-to valid-to-string] [country country-string] [state state-string] [city city-string] [organization organization-string] [organizational-unit organizational-unit-string] [common-name common-name-string] [name name-string] [container/zone name]
name   used-by  cert-type  container  subject
-----  -------  ---------  ---------  ------------------------------------------
cert3           ca                    /C=us/ST=ca/L=mp/O=pl/OU=engg/CN=pluribus1
cert3           server                /C=us/ST=ca/L=mp/O=pl/OU=engg/CN=pluribus1
cert1  ovs      ca                    /C=US/ST=CA/L=PA/O=ovs/OU=ou/CN=Pluribus
cert1  ovs      server                /C=US/ST=CA/L=PA/O=ovs/OU=ou/CN=Pluribus
Configuring OpenvSwitch for Certificates
The following openvswitch-create and openvswitch-modify command options allow you to specify a certificate name when creating an OpenvSwitch configuration.
CLI network-admin@switch > openvswitch-create name name-string [cert-name cert-name-string] [ca-cert-name ca-cert-name-string] [cert-location none|global|container]
openvswitch-create
Creates an OpenvSwitch configuration.
any of the following options:
cert-name cert-name-string
Specify the certificate name for SSL connections.
ca-cert-name ca-cert-name-string
Specify the CA Certificate name for SSL connection.
cert-location none|global|container
Specify the certificate location - global or within the container.
CLI network-admin@switch > openvswitch-modify name name-string [cert-name cert-name-string] [ca-cert-name ca-cert-name-string] [cert-location none|global|container]
cert-name cert-name-string
Specify the certificate name for SSL connections.
ca-cert-name ca-cert-name-string
Specify the CA certificate name for SSL connections.
cert-location none|global|container
Specify the certificate location - global or within the container.