Using OpenSSL TLS Certificates for OVSDB and other Services
This feature provides a common Transport Layer Security (TLS) socket within Netvisor One that you can use for any service, such as the Open vSwitch Database Management Protocol (OVSDB) or a Web service. TLS is required for any SSL connection to a Netvisor One service. For OVSDB, it is required to connect to a controller over SSL.
For HTTPS communication between a REST API client and the Tomcat application server running on a switch, you must configure and deploy a server certificate in the Tomcat server.
You can create one common certificate for all Netvisor One services or create multiple named certificates. Each service can use a different certificate, identified by name, container name, or zone.
The certificate facility keeps track of which applications use each certificate. It notifies the applications when a certificate is updated, and it prevents a certificate from being deleted while an application is using it.
There are two ways to generate certificates:
- Self-signed certificate
- Certificate signed by a Certificate Authority (CA)
Self-signed Certificate
To generate a self-signed certificate, use the cert-create command. This command creates a server certificate and self-signs it.
Certificate signed by a Certificate Authority (CA)
To generate a certificate that is signed by a CA, follow these steps:
1. Create a certificate signing request.
2. Export the certificate signing request and send it to the CA administrator.
3. Import the certificate received from the CA administrator against the matching certificate signing request.
4. Import the intermediate CA certificate and the root certificate to the switch, if not already done.
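As an added example that is not part of this documentation, the following shell script walks the four steps above with OpenSSL, standing in both for the switch side (cert-request-create and cert-request-show) and for the CA administrator, and then runs the check worth doing before cert-import: the returned certificate must carry the public key of the CSR it is imported against and must chain through the intermediate to the root. All file names and subject values are constructed.

```shell
#!/bin/sh
# Added example, not Netvisor One code: the CA-signed workflow above, done with
# OpenSSL in a scratch directory, plus the check to run on the files before
# cert-import. All file names and -subj values are constructed.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Stand-in for the CA administrator: a root CA and an intermediate CA.
# Both must carry basicConstraints CA:TRUE or 'openssl verify' rejects them.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
openssl req -new -batch -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Constructed Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext \
  -out root.pem 2>/dev/null
openssl req -new -batch -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Constructed Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 365 -extfile ca.ext -out inter.pem 2>/dev/null

# Steps 1 and 2: the switch side generates a key pair and a CSR (the role of
# cert-request-create and cert-request-show), and the CSR goes to the CA.
openssl req -new -batch -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/C=US/ST=CA/L=PA/O=ovs/OU=ou/CN=Pluribus" 2>/dev/null
# Step 3: the intermediate CA returns the signed server certificate.
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 365 -out server.pem 2>/dev/null
# An unrelated CSR stands in for "the wrong request" in the mismatch case.
openssl req -new -batch -newkey rsa:2048 -nodes -keyout other.key -out other.csr \
  -subj "/CN=other" 2>/dev/null

# Pre-import check for steps 3 and 4: the returned certificate must carry the
# public key of the CSR it is imported against, and it must chain through the
# intermediate (file-inter) to the root (file-ca).
# Usage: verify_issued_cert SERVER_CERT CSR INTERMEDIATE ROOT
verify_issued_cert() {
  csr_key=$(openssl req -in "$2" -noout -pubkey | openssl sha256)
  crt_key=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  if [ "$csr_key" != "$crt_key" ]; then
    echo "$1 does not carry the public key of $2" >&2
    return 1
  fi
  openssl verify -CAfile "$4" -untrusted "$3" "$1" >/dev/null
}

verify_issued_cert server.pem server.csr inter.pem root.pem && echo "server.pem: OK"
# Failure modes: certificate imported against the wrong CSR, intermediate missing.
verify_issued_cert server.pem other.csr inter.pem root.pem 2>/dev/null || echo "wrong CSR: rejected"
verify_issued_cert server.pem server.csr root.pem root.pem 2>/dev/null || echo "no intermediate: rejected"
```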
CLI Commands
These commands allow you to manage TLS certificates. The same operations are also available through the REST API.
To create a self-signed server certificate, use the cert-create command:
CLI (network-admin@Leaf1) > cert-create country country-string state state-string city city-string organization organization-string organizational-unit organization-unit-string common-name common-name-string name name-string [container/zone name]
cert-create | Creates a server certificate and self-signs it.
country country-string | Specify a country name (two-letter code).
state state-string | Specify a state or province name.
city city-string | Specify a city name.
organization organization-string | Specify an organization name.
organizational-unit organizational-unit-string | Specify an organizational unit name.
common-name common-name-string | Specify a common name.
name name-string | Specify a certificate name.
any of the following options:
container zone name | Specify a certificate zone name.
To delete a certificate, use the cert-delete command:
CLI (network-admin@Leaf1) > cert-delete name name-string [container/zone name]
cert-delete | Deletes a certificate.
name name-string | Specify the name of the certificate to delete.
any of the following options:
container zone name | Specify a certificate zone name.
To import a CA certificate file, use the cert-import command:
CLI (network-admin@Leaf1) > cert-import name name-string file-ca file-ca-string [container zone name] [file-inter file-inter-string]
cert-import | Imports certificates from the SFTP directory.
name name-string | Specify a certificate name.
file-ca file-ca-string | Specify the name of the CA certificate file.
file-server file-server-string | Specify the name of the server certificate file.
any of the following options:
container zone name | Specify a certificate zone name.
any of the following options:
file-inter file-inter-string | Specify the name of the intermediate CA certificate file.
To import a server certificate file, use the cert-import command:
CLI (network-admin@Leaf1) > cert-import name name-string file-server file-server-string [container zone name] [file-ca file-ca-string] [file-inter file-inter-string]
cert-import | Imports certificates from the SFTP directory.
name name-string | Specify the certificate name.
file-server file-server-string | Specify the name of the server certificate file.
at least one of the following options:
container zone name | Specify a certificate zone name.
any of the following options:
file-ca file-ca-string | Specify the name of the CA certificate file.
file-inter file-inter-string | Specify the name of the intermediate CA certificate file.
To create a certificate signing request, use the cert-request-create command:
CLI (network-admin@Leaf1) > cert-request-create name name-string [container/zone name]
cert-request-create | Creates a certificate signing request from an existing server certificate.
name name-string | Specify the certificate name.
at least one of the following options:
container zone name | Specify a certificate zone container name.
To display a certificate signing request, use the cert-request-show command:
CLI (network-admin@Leaf1) > cert-request-show name name-string [container/zone name]
cert-request cert-request-name
----------------------------------------------------------------
-----BEGIN CERTIFICATE REQUEST-----
(PEM-encoded request body omitted)
-----END CERTIFICATE REQUEST-----
To display certificates, use the cert-show command:
CLI (network-admin@Leaf1) > cert-show [cert-type ca|intermediate|server] [subject subject-string] [issuer issuer-string] [serial-number serial-number-number] [valid-from valid-from-string] [valid-to valid-to-string] [country country-string] [state state-string] [city city-string] [organization organization-string] [organizational-unit organizational-unit-string] [common-name common-name-string] [name name-string] [container/zone name]
name   used-by  cert-type  container  subject
-----  -------  ---------  ---------  ------------------------------------------
cert3           ca                    /C=us/ST=ca/L=mp/O=pl/OU=engg/CN=pluribus1
cert3           server                /C=us/ST=ca/L=mp/O=pl/OU=engg/CN=pluribus1
cert1  ovs      ca                    /C=US/ST=CA/L=PA/O=ovs/OU=ou/CN=Pluribus
cert1  ovs      server                /C=US/ST=CA/L=PA/O=ovs/OU=ou/CN=Pluribus
Configuring OpenvSwitch for Certificates
The following openvswitch-create and openvswitch-modify command options allow you to specify a certificate name when creating or modifying an OpenvSwitch configuration.
CLI (network-admin@Leaf1) > openvswitch-create name name-string [cert-name cert-name-string] [ca-cert-name ca-cert-name-string] [cert-location none|global|container]
openvswitch-create | Creates an OpenvSwitch configuration.
any of the following options:
cert-name cert-name-string | Specify the certificate name for SSL connections.
ca-cert-name ca-cert-name-string | Specify the CA certificate name for SSL connections.
cert-location none|global|container | Specify the certificate location: global or within the container.
CLI (network-admin@Leaf1) > openvswitch-modify name name-string [cert-name cert-name-string] [ca-cert-name ca-cert-name-string] [cert-location none|global|container]
openvswitch-modify | Modifies an OpenvSwitch configuration.
any of the following options:
cert-name cert-name-string | Specify the certificate name for SSL connections.
ca-cert-name ca-cert-name-string | Specify the CA certificate name for SSL connections.
cert-location none|global|container | Specify the certificate location: global or within the container.