.\" -*- nroff -*- .\" ovs.tmac .\" .\" Open vSwitch troff macro library . . .\" Continuation line for .IP. .de IQ . br . ns . IP "\\$1" .. . .\" Introduces a sub-subsection .de ST . PP . RS -0.15in . I "\\$1" . RE .. . .\" The content between the lines below is from an-ext.tmac in groff .\" 1.21, with some modifications. .\" ---------------------------------------------------------------------- .\" an-ext.tmac .\" .\" Written by Eric S. Raymond .\" Werner Lemberg .\" .\" Version 2007-Feb-02 .\" .\" Copyright (C) 2007, 2009, 2011 Free Software Foundation, Inc. .\" You may freely use, modify and/or distribute this file. .\" .\" .\" The code below provides extension macros for the `man' macro package. .\" Care has been taken to make the code portable; groff extensions are .\" properly hidden so that all troff implementations can use it without .\" changes. .\" .\" With groff, this file is sourced by the `man' macro package itself. .\" Man page authors who are concerned about portability might add the .\" used macros directly to the prologue of the man page(s). . . .\" Convention: Auxiliary macros and registers start with `m' followed .\" by an uppercase letter or digit. . . .\" Declare start of command synopsis. Sets up hanging indentation. .de SY . ie !\\n(mS \{\ . nh . nr mS 1 . nr mA \\n(.j . ad l . nr mI \\n(.i . \} . el \{\ . br . ns . \} . . HP \w'\fB\\$1\fP\ 'u . B "\\$1" .. . . .\" End of command synopsis. Restores adjustment. .de YS . in \\n(mIu . ad \\n(mA . hy \\n(HY . nr mS 0 .. . . .\" Declare optional option. .de OP . ie \\n(.$-1 \ . RI "[\fB\\$1\fP" "\ \\$2" "]" . el \ . RB "[" "\\$1" "]" .. . . .\" Start URL. .de UR . ds m1 \\$1\" . nh . if \\n(mH \{\ . \" Start diversion in a new environment. . do ev URL-div . do di URL-div . \} .. . . .\" End URL. .de UE . ie \\n(mH \{\ . br . di . ev . . \" Has there been one or more input lines for the link text? . ie \\n(dn \{\ . do HTML-NS "" . \" Yes, strip off final newline of diversion and emit it. . do chop URL-div . do URL-div \c . do HTML-NS . \} . el \ . do HTML-NS "\\*(m1" \&\\$*\" . \} . el \ \\*(la\\*(m1\\*(ra\\$*\" . . hy \\n(HY .. . . .\" Start email address. .de MT . ds m1 \\$1\" . nh . if \\n(mH \{\ . \" Start diversion in a new environment. . do ev URL-div . do di URL-div . \} .. . . .\" End email address. .de ME . ie \\n(mH \{\ . br . di . ev . . \" Has there been one or more input lines for the link text? . ie \\n(dn \{\ . do HTML-NS "" . \" Yes, strip off final newline of diversion and emit it. . do chop URL-div . do URL-div \c . do HTML-NS . \} . el \ . do HTML-NS "\\*(m1" \&\\$*\" . \} . el \ \\*(la\\*(m1\\*(ra\\$*\" . . hy \\n(HY .. . . .\" Continuation line for .TP header. .de TQ . br . ns . TP \\$1\" no doublequotes around argument! .. . . .\" Start example. .de EX . nr mE \\n(.f . nf . nh . ft CW .. . . .\" End example. .de EE . ft \\n(mE . fi . hy \\n(HY .. . .\" EOF .\" ---------------------------------------------------------------------- .TH ovs\-pki 8 "2.12.0" "Open vSwitch" "Open vSwitch Manual" .SH NAME ovs\-pki \- OpenFlow public key infrastructure management utility .SH SYNOPSIS Each command takes the form: .sp \fBovs\-pki\fR [\fIoptions\fR] \fIcommand\fR [\fIargs\fR] .sp The implemented commands and their arguments are: .br \fBovs\-pki\fR \fBinit\fR .br \fBovs\-pki\fR \fBreq\fR \fIname\fR .br \fBovs\-pki\fR \fBsign\fR \fIname\fR [\fItype\fR] .br \fBovs\-pki\fR \fBreq+sign\fR \fIname\fR [\fItype\fR] .br \fBovs\-pki\fR \fBverify\fR \fIname\fR [\fItype\fR] .br \fBovs\-pki\fR \fBfingerprint\fR \fIfile\fR .br \fBovs\-pki\fR \fBself\-sign\fR \fIname\fR .sp Each \fItype\fR above is a certificate type, either \fBswitch\fR (default) or \fBcontroller\fR. .sp The available options are: .br [\fB\-k\fR \fItype\fR | \fB\-\^\-key=\fItype\fR] .br [\fB\-B\fR \fInbits\fR | \fB\-\^\-bits=\fInbits\fR] .br [\fB\-D\fR \fIfile\fR | \fB\-\^\-dsaparam=\fIfile\fR] .br [\fB\-b\fR | \fB\-\^\-batch\fR] .br [\fB\-f\fR | \fB\-\^\-force\fR] .br [\fB\-d\fR \fIdir\fR | \fB\-\^\-dir=\fR\fIdir\fR] .br [\fB\-l\fR \fIfile\fR | \fB\-\^\-log=\fIfile\fR] .br [\fB\-u\fR | \fB\-\^\-unique\fR] .br [\fB\-h\fR | \fB\-\^\-help\fR] .sp Some options do not apply to every command. .SH DESCRIPTION The \fBovs\-pki\fR program sets up and manages a public key infrastructure for use with OpenFlow. It is intended to be a simple interface for organizations that do not have an established public key infrastructure. Other PKI tools can substitute for or supplement the use of \fBovs\-pki\fR. \fBovs\-pki\fR uses \fBopenssl\fR(1) for certificate management and key generation. .SH "OFFLINE COMMANDS" The following \fBovs\-pki\fR commands support manual PKI administration: .TP \fBinit\fR Initializes a new PKI (by default in directory \fB/var/lib/openvswitch/pki\fR) and populates it with a pair of certificate authorities for controllers and switches. This command should ideally be run on a high\-security machine separate from any OpenFlow controller or switch, called the CA machine. The files \fBpki/controllerca/cacert.pem\fR and \fBpki/switchca/cacert.pem\fR that it produces will need to be copied over to the OpenFlow switches and controllers, respectively. Their contents may safely be made public. By default, \fBovs\-pki\fR generates 2048\-bit RSA keys. The \fB\-B\fR or \fB\-\^\-bits\fR option (see below) may be used to override the key length. The \fB\-k dsa\fR or \fB\-\^\-key=dsa\fR option may be used to use DSA in place of RSA. If DSA is selected, the \fBdsaparam.pem\fR file generated in the new PKI hierarchy must be copied to any machine on which the \fBreq\fR command (see below) will be executed. Its contents may safely be made public. Other files generated by \fBinit\fR may remain on the CA machine. The files \fBpki/controllerca/private/cakey.pem\fR and \fBpki/switchca/private/cakey.pem\fR have particularly sensitive contents that should not be exposed. .TP \fBreq\fR \fIname\fR Generates a new private key named \fIname\fR\fB\-privkey.pem\fR and corresponding certificate request named \fIname\fR\fB\-req.pem\fR. The private key can be intended for use by a switch or a controller. This command should ideally be run on the switch or controller that will use the private key to identify itself. The file \fIname\fR\fB\-req.pem\fR must be copied to the CA machine for signing with the \fBsign\fR command (below). This command will output a fingerprint to stdout as its final step. Write down the fingerprint and take it to the CA machine before continuing with the \fBsign\fR step. When RSA keys are in use (as is the default), \fBreq\fR, unlike the rest of \fBovs\-pki\fR's commands, does not need access to a PKI hierarchy created by \fBovs\-pki init\fR. The \fB\-B\fR or \fB\-\^\-bits\fR option (see below) may be used to specify the number of bits in the generated RSA key. When DSA keys are used (as specified with \fB\-\^\-key=dsa\fR), \fBreq\fR needs access to the \fBdsaparam.pem\fR file created as part of the PKI hierarchy (but not to other files in that tree). By default, \fBovs\-pki\fR looks for this file in \fB/var/lib/openvswitch/pki/dsaparam.pem\fR, but the \fB\-D\fR or \fB\-\^\-dsaparam\fR option (see below) may be used to specify an alternate location. \fIname\fR\fB\-privkey.pem\fR has sensitive contents that should not be exposed. \fIname\fR\fB\-req.pem\fR may be safely made public. .TP \fBsign\fR \fIname\fR [\fItype\fR] Signs the certificate request named \fIname\fR\fB\-req.pem\fR that was produced in the previous step, producing a certificate named \fIname\fR\fB\-cert.pem\fR. \fItype\fR, either \fBswitch\fR (default) or \fBcontroller\fR, indicates the use for which the key is being certified. This command must be run on the CA machine. The command will output a fingerprint to stdout and request that you verify that it is the same fingerprint output by the \fBreq\fR command. This ensures that the request being signed is the same one produced by \fBreq\fR. (The \fB\-b\fR or \fB\-\^\-batch\fR option suppresses the verification step.) The file \fIname\fR\fB\-cert.pem\fR will need to be copied back to the switch or controller for which it is intended. Its contents may safely be made public. .TP \fBreq+sign\fR \fIname\fR [\fItype\fR] Combines the \fBreq\fR and \fBsign\fR commands into a single step, outputting all the files produced by each. The \fIname\fR\fB\-privkey.pem\fR and \fIname\fR\fB\-cert.pem\fR files must be copied securely to the switch or controller. \fIname\fR\fB\-privkey.pem\fR has sensitive contents and must not be exposed in transit. Afterward, it should be deleted from the CA machine. This combined method is, theoretically, less secure than the individual steps performed separately on two different machines, because there is additional potential for exposure of the private key. However, it is also more convenient. .TP \fBverify\fR \fIname\fR [\fItype\fR] Verifies that \fIname\fR\fB\-cert.pem\fR is a valid certificate for the given \fItype\fR of use, either \fBswitch\fR (default) or \fBcontroller\fR. If the certificate is valid for this use, it prints the message ``\fIname\fR\fB\-cert.pem\fR: OK''; otherwise, it prints an error message. .TP \fBfingerprint\fR \fIfile\fR Prints the fingerprint for \fIfile\fR. If \fIfile\fR is a certificate, then this is the SHA\-1 digest of the DER encoded version of the certificate; otherwise, it is the SHA\-1 digest of the entire file. .TP \fBself\-sign\fR \fIname\fR Signs the certificate request named \fIname\fB\-req.pem\fR using the private key \fIname\fB\-privkey.pem\fR, producing a self-signed certificate named \fIname\fB\-cert.pem\fR. The input files should have been produced with \fBovs\-pki req\fR. Some controllers accept such self-signed certificates. .SH OPTIONS .IP "\fB\-k\fR \fItype\fR" .IQ "\fB\-\^\-key=\fItype\fR" For the \fBinit\fR command, sets the public key algorithm to use for the new PKI hierarchy. For the \fBreq\fR and \fBreq+sign\fR commands, sets the public key algorithm to use for the key to be generated, which must match the value specified on \fBinit\fR. With other commands, the value has no effect. The \fItype\fR may be \fBrsa\fR (the default) or \fBdsa\fR. .IP "\fB\-B\fR \fInbits\fR" .IQ "\fB\-\^\-bits=\fInbits\fR" Sets the number of bits in the key to be generated. When RSA keys are in use, this option affects only the \fBinit\fR, \fBreq\fR, and \fBreq+sign\fR commands, and the same value should be given each time. With DSA keys are in use, this option affects only the \fBinit\fR command. The value must be at least 1024. The default is 2048. .IP "\fB\-D\fR \fIfile\fR" .IQ "\fB\-\^\-dsaparam=\fIfile\fR" Specifies an alternate location for the \fBdsaparam.pem\fR file required by the \fBreq\fR and \fBreq+sign\fR commands. This option affects only these commands, and only when DSA keys are used. The default is \fBdsaparam.pem\fR under the PKI hierarchy. .IP "\fB\-b\fR" .IQ "\fB\-\^\-batch\fR" Suppresses the interactive verification of fingerprints that the \fBsign\fR command by default requires. .IP "\fB\-d\fR \fIdir\fR" .IQ "\fB\-\^\-dir=\fR\fIdir\fR" Specifies the location of the PKI hierarchy to be used or created by the command (default: \fB/var/lib/openvswitch/pki\fR). All commands, except \fBreq\fR, need access to a PKI hierarchy. .IP "\fB\-f\fR" .IQ "\fB\-\^\-force\fR" By default, \fBovs\-pki\fR will not overwrite existing files or directories. This option overrides this behavior. .IP "\fB\-l\fR \fIfile\fR" .IQ "\fB\-\^\-log=\fIfile\fR" Sets the log file to \fIfile\fR. Default: \fB/var/log/openvswitch/ovs\-pki.log\fR. .IP "\fB\-u\fR" .IQ "\fB\-\^\-unique\fR" Changes the format of the certificate's Common Name (CN) field; by default, this field has the format " id:", this option causes the provided name to be treated as unique and changes the format of the CN field to be simply "". .IP "\fB\-h\fR" .IQ "\fB\-\^\-help\fR" Prints a help usage message and exits.