Using OpenSSL TLS Certificates for OVSDB and other Services
NetVisor OS supports Transport Layer Security (TLS) certificates that you can use for services such as OVSDB or the web service. An SSL connection to any NetVisor OS service mandates TLS certificates. In the case of OVSDB, TLS is required to create a secure SSL connection to an SDN controller such as OpenDaylight (ODL).
You can create a common certificate for all NetVisor OS services or create multiple named certificates for distinct services. Each service can use a different certificate, identified by name or by container name or zone. The certificate facility in NetVisor OS keeps track of which certificates are in use by the various applications. It notifies an application when its certificate is updated, and it prevents a certificate from being deleted while an application is using it.
To enable SSL for OVSDB communication with the SDN controller, you must generate either of the two certificate types below:
- Self-signed certificate
- Certificate signed by a Certificate Authority (CA)
To create a self-signed server certificate, use the cert-create command:
CLI (network-admin@switch) > cert-create
| cert-create | Creates a self-signed server certificate. |
| --- | --- |
| country country-string | Specify a country name (two letter code). |
| state state-string | Specify a state or province name. |
| city city-string | Specify a city name. |
| organization organization-string | Specify an organization name. |
| organizational-unit organizational-unit-string | Specify an organizational unit name. |
| common-name common-name-string | Specify a common name. |
| name name-string | Specify a certificate name. |
| any of the following options: | |
| container zone-name | Specify a certificate zone name. |
| status status-string | The expiration status of the certificate. |
For example:
CLI (network-admin@switch) > cert-create country US state California city PA organization "Pluribus Networks Inc" organizational-unit Engineering common-name CN1 name cert1
Successfully generated self-signed certificate.
Use the cert-show command to view the certificate:
CLI (network-admin@switch) > cert-show
switch: switch
name: cert1
container:
country: US
state: California
city: PA
organization: Pluribus Networks Inc
organizational-unit: Engineering
common-name: CN1
cert-type: server
subject: /C=US/ST=California/L=PA/O=Pluribus Networks Inc/OU=Engineering/CN=CN1
issuer: /C=US/ST=California/L=PA/O=Pluribus Networks Inc/OU=Engineering/CN=CN1
serial-number: 1
valid-from: Apr 24 09:11:57 2021 GMT
valid-to: Apr 24 09:11:57 2022 GMT
If you want to get the certificate signed by a CA, follow the steps below:
- Create a Certificate Signing Request (CSR) by using the command:
| cert-request-create | Creates a certificate signing request. |
| --- | --- |
| name name-string | Specify the certificate name. |
| container zone-name | Specify the container name or zone. |
CLI (network-admin@switch) > cert-request-create name cert1
Certificate signing request successfully generated at /sftp/export/cert1-cert.csr.
- Copy the CSR to your CA server, and get it signed by the CA.
- Copy the signed server certificate, CA root certificate, and intermediate certificate (if signed by an intermediate server) to the /sftp/import directory on the switch.
- Import the certificates onto the switch by using the command below:
CLI (network-admin@switch1) > cert-import
| cert-import | Imports certificates from the /sftp/import directory. |
| --- | --- |
| file-ca file-ca-string | Specify the name of the CA certificate file. |
| file-server file-server-string | Specify the name of the server certificate file (signed by the CA). |
| container zone-name | Specify the container name or zone. |
| file-inter file-inter-string | Specify the name of the intermediate CA certificate file. |
| status status-string | The expiration status of the certificate. |
For example:
CLI (network-admin@switch) > cert-import file-ca PN-cacert.pem file-server cert1-cert.pem
Successfully imported certificates.
View the CA-signed server certificate by using the command (note that the issuer is now the CA rather than the certificate's own subject):
CLI (network-admin@switch) > cert-show
switch: switch
name: cert1
container:
country: US
state: California
city: PA
organization: Pluribus Networks Inc
organizational-unit: Engineering
common-name: CN1
cert-type: server
subject: /C=US/ST=California/L=PA/O=Pluribus Networks Inc/OU=Engineering/CN=CN1
issuer: /C=US/ST=California/L=Palo Alto/O=Pluribus Networks Inc/OU=Engineering/CN=Pluribus Networks Test CA 2k-sha-256/emailAddress=abc@example.com
serial-number: 3
valid-from: Apr 24 09:26:06 2021 GMT
valid-to: Apr 24 09:26:06 2022 GMT
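The two flows above (the self-signed cert-create certificate and the CSR, CA signing and cert-import sequence) can be reproduced and checked off-box with stock OpenSSL. The script below is an added example, not NetVisor OS CLI output or Pluribus code: it builds both kinds of certificate with the subject fields used on this page, then runs the checks a practitioner wants before copying files to /sftp/import: is the certificate self-signed (issuer equals subject, as in the first cert-show output), does the signed certificate chain to the CA root, does the private key match the certificate, and how close is valid-to. The work directory, the test CA and its name, and every output file name are constructed for the example; the `-untrusted` flag mentioned in a comment is a real `openssl verify` option for passing an intermediate certificate.

```shell
# Added example (not NetVisor OS or Pluribus code): rebuild the page's two
# certificate flows with stock OpenSSL and check them before cert-import.
# All paths, the test CA and its name, and output file names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SUBJ="/C=US/ST=California/L=PA/O=Pluribus Networks Inc/OU=Engineering/CN=CN1"

# Flow 1 (cert-create): a self-signed server certificate. Key and certificate
# come from one call, and issuer equals subject, as in the first cert-show output.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 -subj "$SUBJ" \
        -keyout "$WORK/cert1-self.key" -out "$WORK/cert1-self.pem" 2>/dev/null
}

# A throw-away CA standing in for the CA server the CSR is sent to (constructed).
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -subj "/C=US/ST=California/L=Palo Alto/O=Pluribus Networks Inc/OU=Engineering/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/PN-cacert.pem" 2>/dev/null
}

# Flow 2 (cert-request-create, CA signing, cert-import): a CSR, then a CA-signed
# server certificate. The output names match the file-server / file-ca arguments.
make_ca_signed() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$SUBJ" \
        -keyout "$WORK/cert1.key" -out "$WORK/cert1-cert.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/cert1-cert.csr" -sha256 -days 365 \
        -CA "$WORK/PN-cacert.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/cert1-cert.pem" 2>/dev/null
}

# The names cert-show prints on its "subject:" and "issuer:" lines.
subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^[a-z]*= *//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^[a-z]*= *//'; }

# Self-signed when issuer and subject are the same name (the cert-create case).
is_self_signed() { [ "$(subject_of "$1")" = "$(issuer_of "$1")" ]; }

# Does server certificate $2 chain to CA certificate $1? Run this before
# cert-import; it is also what a controller does with the ca-cert-name
# certificate. Add "-untrusted <file-inter>" when an intermediate CA signed it.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Does private key $2 belong to certificate $1? Compare the public keys.
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# True when the certificate's valid-to date is less than $2 days away.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Stand-alone demo: build both certificates and report the checks.
main() {
    make_self_signed; make_test_ca; make_ca_signed
    for f in cert1-self.pem cert1-cert.pem; do
        echo "$f"
        echo "  subject: $(subject_of "$WORK/$f")"
        echo "  issuer:  $(issuer_of "$WORK/$f")"
        if is_self_signed "$WORK/$f"; then echo "  self-signed"; fi
        if chain_ok "$WORK/PN-cacert.pem" "$WORK/$f"; then
            echo "  chains to PN-cacert.pem"
        else
            echo "  NOT trusted via PN-cacert.pem"
        fi
    done
    key_matches "$WORK/cert1-cert.pem" "$WORK/cert1.key" && echo "cert1.key matches cert1-cert.pem"
    if expires_within_days "$WORK/cert1-cert.pem" 30; then echo "renew cert1 soon"; fi
}
main
```

Running it shows the point behind the two flows: the CA-signed certificate verifies against PN-cacert.pem, while the self-signed one verifies only when that exact certificate is the trust anchor. That is why a controller configured with the CA root (the `ca-cert-name` side of the OVS configuration) accepts the CA-signed certificate, and why a self-signed server certificate has to be distributed to every peer that must trust it.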
You can now configure the OVS service by specifying the name of the server certificate and the CA root certificate.
For example:
CLI (network-admin@switch) > openvswitch-create name ovs-tls-1 vnet vpod1 tunnel-ip 192.168.0.10 dedicated-vnet-service storage-pool rpool gateway 192.168.14.1 cert-name cert1 ca-cert-name ca-cert1 global-vtep
Related Commands
- To delete a certificate, use the cert-delete command:
CLI (network-admin@switch) > cert-delete
| cert-delete | Deletes a certificate. |
| --- | --- |
| name name-string | Specify the name of the certificate. |
| container zone-name | Specify the container name or zone. |
For example:
CLI (network-admin@switch) > cert-delete
Successfully deleted all certificate files.
- To display a certificate signing request, use the cert-request-show command:
CLI (network-admin@switch) > cert-request-show
| cert-request-show | Displays the certificate signing request. |
| --- | --- |
| cert-request cert-request-string | Specify the name of the CSR. |
For example:
CLI (network-admin@switch) > cert-request-show
----------------------------------------------------------------
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----