Using OpenSSL TLS Certificates for OVSDB and other Services

---

This feature provides a common Transport Layer Socket (TLS) within Netvisor One that you can use for any service such as the Open vSwitch Database Management Protocol (OVSDB) or a Web service. TLS is needed for any SSL connection to a Netvisor One service. For OVSDB, it is needed to connect to a controller using SSL.

 For HTTPS communication between a REST API client and the Tomcat application server which is running a switch, you need to configure and deploy a server certificate in a Tomcat server.

You can create one common certificate for all Netvisor One services or create multiple named certificates. Each service can use a different certificate identified by name or container name or zone.

The Certificate facility keeps track of certificate use by using various applications. It notifies the applications when a certificate is updated and it also prevents a certificate from being deleted if an application is using it.

There are two ways to generate certificates:

• Self-signed certificate
• Certificate signed by a Certificate Authority (CA)

Self-signed Certificate

If you want to generate a self-signed certificate use the cert-create command. This command creates a server certificate and self-signs it.

Certificate signed by a Certificate Authority (CA)

If you want to generate a certificate that is signed by a CA, follow these steps:

1. Create a certificate signing request.

2. Export the certificate signing request and send it to the CA administrator.

3. Import the certificate received from CA administrator against the right certificate signing request.

4. Import the intermediate root and root certificate to the switch, if not done already.

 

CLI Commands

These commands allow you to manage TLS certificates. These commands are also available for REST API.

To create a server certificate that self-signs, use the cert-create command:

CLI (network-admin@Leaf1) > cert-create country country-string state state-string city city-string organization organization-string organizational-unit organization-unit-string common-name common-name-string name name-string [container/zone name]

 

 

To delete a certificate, use the cert-delete command:

 

CLI (network-admin@Leaf1) > cert-delete name name-string [container/zone name]

 

 

To import a CA certificate file, use the cert-import command:

 

CLI (network-admin@Leaf1) > cert-import name name-string file-ca file-ca-string [container zone name][file-inter file-inter-string]

 

 

To import a server certificate file, use the cert-import command:

 

CLI (network-admin@Leaf1) > cert-import name name-string file-server file-server-string [container zone name][file-ca file-ca-string]file-inter file-inter-string]

 

 

To create a certificate signing request, use the cert-request-create command:

 

CLI (network-admin@Leaf1) > cert-request-create name name-string [container/zone name]

 

 

To display a certificate signing request, use the cert-request-show command:

 

CLI (network-admin@Leaf1) > cert-request-show name name-string [container/zone name]cert-request cert-request-name

 

----------------------------------------------------------------

-----BEGIN CERTIFICATE REQUEST-----                              

MIICnDCCAYQCAQEwVzELMAkGA1UEBhMCdXMxCzAJBgNVBAgMAmNhMQswCQYDVQQH

DAJtcDELMAkGA1UECgwCcGwxDTALBgNVBAsMBGVuZ2cxEjAQBgNVBAMMCXBsdXJp

YnVzMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMrE6Jowg0VKUw2M

NlL8vp1N8dYE/UL5pvu8FKYWgwG7tC2fjHunZCI0XmssFtZysQul/r9nk+edA5tt

0zIWRmqTB60wnWmzl6uGymeAsC9OSm0ZHFc9zZfUxKjRM/n1dOri3Pw/rODbCjM9

qwO5hsvZc/c1o3ajYFrj1yMlKDIiPW1td1VTpc5TL6wCwnDM697Yb9oQ0cbLKTDl

w5AjQSgJK29rLUl8ptAZXIUkeendpE4MCYrl6Hd+ziOJHXncj65MJyfANTZMrtGD

IJD3m+JsKZt882vMw3AZ3C9WEuE0OZrbabGBHqVKARik2qFhu2bGjlbuj/M6TOf5

Jj1WROUCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4IBAQCh1YhXRNwkwmw3FVH4H0Xi

rczy0FkyHkdSbIUIf+6n3qroRpBpcEdrx8fREyiw8hLUks9OcUlT+nSshsWIitI7

R5dcFlyo5HUVjqQQVMlSq3j4fM9XE8y8KRMZ3mfLXRTmuFPxbBuE3ZGjlBSLnBgK

ODqHF1gVa4u7l9mO3TRXczLQiAPaw38/kxEwkh4erJp4jjXf8K0h9JMGvYONYWeI

1PbiZpjIWDLNbg6sKqqrPAxEAjzGNMgNPIMXRepmEmnC/BaLVA04noZran8LRLNp

Id41o3TnlXiAodF/Mc7H5fI1hYf0YzWDSfz3PNufn6Dusu5M2ma7jtWlEdBW8huH

-----END CERTIFICATE REQUEST-----

 

To display certificates, use the cert-show command:

 

CLI (network-admin@Leaf1) > cert-show [cert-type ca|intermediate|server] [subject subject-string] [issuer issuer-string] [serial-number serial-number-number] [valid-from valid-from-string] [valid-to valid-to-string] [country country-string] [state state-string] [city city-string] [organization organization-string] [organizational-unit organizational-unit-string] [common-name common-name-string] [ name name-string] [container/zone name]

name  used-by cert-type container subject                                    

----- ------- --------- --------- ------------------------------------------

cert3         ca                  /C=us/ST=ca/L=mp/O=pl/OU=engg/CN=pluribus1

cert3         server              /C=us/ST=ca/L=mp/O=pl/OU=engg/CN=pluribus1

cert1 ovs     ca                  /C=US/ST=CA/L=PA/O=ovs/OU=ou/CN=Pluribus   

cert1 ovs     server              /C=US/ST=CA/L=PA/O=ovs/OU=ou/CN=Pluribus   

 

 

Configuring OpenvSwitch for Certificates

The following openvswitch-create and openvswitch-modify command options allow you to specify a certificate name when creating an OpenvSwitch configuration.

CLI (network-admin@Leaf1) > openvswitch-create name name-string [cert-name cert-name string[ [ca-cert-name ca-cert-name-string] [cert-location none|global|container]

 

 

CLI (network-admin@Leaf1) > openvswitch-modify name name-string [cert-name cert-name string[ [ca-cert-name ca-cert-name-string] [cert-location none|global|container]