Using OpenSSL TLS Certificates for OVSDB and other Services


NetVisor OS supports Transport Layer Security (TLS) certificates that you can use for services such as OVSDB or the web service. Any SSL connection to a NetVisor OS service requires a TLS certificate. In the case of OVSDB, TLS is required to establish a secure SSL connection to an SDN controller such as ODL.


You can create a common certificate for all NetVisor OS services or create multiple named certificates for distinct services. Each service can use a different certificate, identified by name, container name, or zone. The certificate facility in NetVisor OS keeps track of which certificates the various applications are using: it notifies an application when its certificate is updated, and it prevents a certificate from being deleted while an application is still using it.


To enable SSL for OVSDB communication with the SDN controller, you must generate one of the two certificate types below:


  • Self-signed certificate
  • Certificate signed by a Certificate Authority (CA)

To create a self-signed server certificate, use the cert-create command:


CLI (network-admin@switch) > cert-create

 

cert-create                                       Creates a self-signed server certificate.

  country country-string                          Specify a country name (two-letter code).
  state state-string                              Specify a state or province name.
  city city-string                                Specify a city name.
  organization organization-string                Specify an organization name.
  organizational-unit organizational-unit-string  Specify an organizational unit name.
  common-name common-name-string                  Specify a common name.
  name name-string                                Specify a certificate name.

  any of the following options:

  container zone-name                             Specify a certificate zone name.
  status status-string                            The expiration status of the certificate.

For example:


CLI (network-admin@switch) > cert-create country US state California city PA organization "Pluribus Networks Inc" organizational-unit Engineering common-name CN1 name cert1

Successfully generated self-signed certificate.


Use the cert-show command to view the certificate:


CLI (network-admin@switch) > cert-show

switch:              switch

name:                cert1

container:

country:             US

state:               California

city:                PA

organization:        Pluribus Networks Inc

organizational-unit: Engineering

common-name:         CN1

cert-type:           server

subject:             /C=US/ST=California/L=PA/O=Pluribus Networks Inc/OU=Engineering/CN=CN1

issuer:              /C=US/ST=California/L=PA/O=Pluribus Networks Inc/OU=Engineering/CN=CN1

serial-number:       1

valid-from:          Apr 24 09:11:57 2021 GMT

valid-to:            Apr 24 09:11:57 2022 GMT


If you want to get the certificate signed by a CA, follow the steps below:


  • Create a Certificate Signing Request (CSR) by using the command:


cert-request-create                               Creates a certificate signing request.

  name name-string                                Specify the certificate name.
  container zone-name                             Specify the container name or zone.


CLI (network-admin@switch) > cert-request-create name cert1

Certificate signing request successfully generated at /sftp/export/cert1-cert.csr.


  • Copy the CSR to your CA server, and get it signed by the CA.


  • Copy the signed server certificate, the CA root certificate, and the intermediate CA certificate (if the server certificate was signed by an intermediate CA) to the /sftp/import directory on the switch.


  • Import the certificates onto the switch by using the command below:


CLI (network-admin@switch1) > cert-import

cert-import                                       Imports certificates from the /sftp/import directory.

  file-ca file-ca-string                          Specify the name of the CA certificate file.
  file-server file-server-string                  Specify the name of the server certificate file (signed by the CA).
  container zone-name                             Specify the container name or zone.
  file-inter file-inter-string                    Specify the name of the intermediate CA certificate file.
  status status-string                            The expiration status of the certificate.


For example:


CLI (network-admin@switch) > cert-import file-ca PN-cacert.pem file-server cert1-cert.pem

Successfully imported certificates.
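The CA-side half of the procedure above (signing the CSR, then checking the result before it is copied to /sftp/import) is shown here as an added example; it is not part of the NetVisor OS documentation or of Pluribus code. It uses the openssl command line on an ordinary host, assumes openssl 1.1.1 or newer on the PATH, and stands a throwaway test CA in for your real CA. The subject fields repeat the page's example; the CA name, the file names under a temporary directory, and the check functions (make_test_ca, make_csr, sign_csr, verify_chain, key_matches_cert, is_ca_signed) are constructed for this example. The checks are the ones worth running before cert-import: the certificate chains to the CA root, its public key matches the private key that produced the CSR, and its issuer differs from its subject, which is exactly how the two cert-show outputs on this page differ between the self-signed and the CA-signed certificate.

```shell
#!/bin/sh
# Added example (not NetVisor OS or Pluribus code): the CA side of the CSR
# workflow with the openssl CLI.  Assumes openssl 1.1.1+.  Everything is
# written under a temporary directory; names are constructed for the example.

WORK="${WORK:-$(mktemp -d)}"

# Build a throwaway CA.  In real use the CSR goes to your existing CA; the CA
# private key is never copied to the switch, only PN-cacert.pem is.
make_test_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
C  = US
ST = California
L  = Palo Alto
O  = Example Test CA
CN = Example Test Root CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" \
        -out "$WORK/PN-cacert.pem" 2>/dev/null
}

# Stand-in for the switch's cert-request-create: a key plus a CSR carrying the
# same subject the page uses.  On the switch the key stays on the box and only
# the CSR is exported; here both land in $WORK so the checks below can run.
make_csr() {
    cat > "$WORK/csr.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
C  = US
ST = California
L  = PA
O  = Pluribus Networks Inc
OU = Engineering
CN = CN1
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/csr.cnf" \
        -keyout "$WORK/cert1.key" -out "$WORK/cert1-cert.csr" 2>/dev/null
}

# Sign the CSR as a server certificate.  The CA supplies the extensions via
# -extfile, so anything the requester asked for in the CSR (a CA:TRUE
# basicConstraints, say) is not honoured.
sign_csr() {
    cat > "$WORK/server_ext.cnf" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl x509 -req -sha256 -days 365 -in "$WORK/cert1-cert.csr" \
        -CA "$WORK/PN-cacert.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/server_ext.cnf" -out "$WORK/cert1-cert.pem" 2>/dev/null
}

# Pre-import checks: what cert-show will later display as subject and issuer.
subject_of() { openssl x509 -in "$1" -noout -subject; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer; }

# The signed certificate must chain to the CA root (add the intermediate with
# -untrusted if one was used).
verify_chain() {
    openssl verify -CAfile "$WORK/PN-cacert.pem" "$WORK/cert1-cert.pem" >/dev/null 2>&1
}

# The certificate's public key must belong to the private key behind the CSR;
# a mismatch means the wrong CSR was signed or the wrong file came back.
key_matches_cert() {
    [ "$(openssl x509 -in "$WORK/cert1-cert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/cert1.key" -pubout)" ]
}

# A certificate is CA-signed rather than self-signed iff subject and issuer differ.
is_ca_signed() {
    [ "$(subject_of "$1" | sed 's/^subject=//')" != "$(issuer_of "$1" | sed 's/^issuer=//')" ]
}

make_test_ca && make_csr && sign_csr
```

After the three steps run, $WORK holds PN-cacert.pem and cert1-cert.pem, the two files the cert-import example above names; cert1.key exists here only so key_matches_cert can be demonstrated, since on the switch that key never leaves the box.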


View the CA-signed server certificate by using the command (note that the issuer now differs from the subject):


CLI (network-admin@switch) > cert-show

switch:              switch

name:                cert1

container:

country:             US

state:               California

city:                PA

organization:        Pluribus Networks Inc

organizational-unit: Engineering

common-name:         CN1

cert-type:           server

subject:             /C=US/ST=California/L=PA/O=Pluribus Networks Inc/OU=Engineering/CN=CN1

issuer:              /C=US/ST=California/L=Palo Alto/O=Pluribus Networks Inc/OU=Engineering/CN=Pluribus Networks Test CA 2k-sha-256/emailAddress=abc@example.com

serial-number:       3

valid-from:          Apr 24 09:26:06 2021 GMT

valid-to:            Apr 24 09:26:06 2022 GMT


You can now configure the OVS service by specifying the names of the server certificate (cert-name) and the CA root certificate (ca-cert-name).


For example:


CLI (network-admin@switch) > openvswitch-create name ovs-tls-1 vnet vpod1 tunnel-ip 192.168.0.10 dedicated-vnet-service storage-pool rpool gateway 192.168.14.1 cert-name cert1 ca-cert-name ca-cert1 global-vtep


Related Commands


  • To delete a certificate, use the cert-delete command:

 

CLI (network-admin@switch) > cert-delete

cert-delete                                       Deletes a certificate.

  name name-string                                Specify the name of the certificate.
  container zone-name                             Specify the container name or zone.

For example:

CLI (network-admin@switch) > cert-delete

Successfully deleted all certificate files.


  • To display a certificate signing request, use the cert-request-show command:


CLI (network-admin@switch) > cert-request-show

cert-request-show                                 Displays the certificate signing request.

  cert-request cert-request-string                Specify the name of the CSR.

For example:


CLI (network-admin@switch) > cert-request-show

----------------------------------------------------------------

-----BEGIN CERTIFICATE REQUEST-----

MIICnDCCAYQCAQEwVzELMAkGA1UEBhMCdXMxCzAJBgNVBAgMAmNhMQswCQYDVQQH

DAJtcDELMAkGA1UECgwCcGwxDTALBgNVBAsMBGVuZ2cxEjAQBgNVBAMMCXBsdXJp

YnVzMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMrE6Jowg0VKUw2M

NlL8vp1N8dYE/UL5pvu8FKYWgwG7tC2fjHunZCI0XmssFtZysQul/r9nk+edA5tt

0zIWRmqTB60wnWmzl6uGymeAsC9OSm0ZHFc9zZfUxKjRM/n1dOri3Pw/rODbCjM9

qwO5hsvZc/c1o3ajYFrj1yMlKDIiPW1td1VTpc5TL6wCwnDM697Yb9oQ0cbLKTDl

w5AjQSgJK29rLUl8ptAZXIUkeendpE4MCYrl6Hd+ziOJHXncj65MJyfANTZMrtGD

IJD3m+JsKZt882vMw3AZ3C9WEuE0OZrbabGBHqVKARik2qFhu2bGjlbuj/M6TOf5

Jj1WROUCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4IBAQCh1YhXRNwkwmw3FVH4H0Xi

rczy0FkyHkdSbIUIf+6n3qroRpBpcEdrx8fREyiw8hLUks9OcUlT+nSshsWIitI7

R5dcFlyo5HUVjqQQVMlSq3j4fM9XE8y8KRMZ3mfLXRTmuFPxbBuE3ZGjlBSLnBgK

ODqHF1gVa4u7l9mO3TRXczLQiAPaw38/kxEwkh4erJp4jjXf8K0h9JMGvYONYWeI

1PbiZpjIWDLNbg6sKqqrPAxEAjzGNMgNPIMXRepmEmnC/BaLVA04noZran8LRLNp

Id41o3TnlXiAodF/Mc7H5fI1hYf0YzWDSfz3PNufn6Dusu5M2ma7jtWlEdBW8huH

-----END CERTIFICATE REQUEST-----
