1OVS-PKI(8)                       Open vSwitch                       OVS-PKI(8)
2
3
4

NAME

6       ovs-pki - OpenFlow public key infrastructure management utility
7

SYNOPSIS

9       Each command takes the form:
10
11       ovs-pki <options> <command> <args>...
12
13       The implemented commands and their arguments are:
14
15ovs-pki init
16
17ovs-pki req <name>
18
19ovs-pki sign <name> [<type>]
20
21ovs-pki req+sign <name> [<type>]
22
23ovs-pki verify <name> [<type>]
24
25ovs-pki fingerprint <file>
26
27ovs-pki self-sign <name>
28
29       Each  <type>  above  is  a certificate type, either switch (default) or
30       controller.
31
32       The available options are:
33
34-k <type> or --key=<type>
35
36-B <nbits> or --bits=<nbits>
37
38-D <file> or --dsaparam=<file>
39
40-b or --batch
41
42-f or --force
43
44-d <dir> or --dir=<dir>
45
46-l <file> or --log=<file>
47
48-u or --unique
49
50-h or --help
51

DESCRIPTION

53       The ovs-pki program sets up and manages a public key infrastructure for
54       use with OpenFlow.  It is intended to be a simple interface for organi‐
55       zations that do not have  an  established  public  key  infrastructure.
56       Other PKI tools can substitute for or supplement the use of ovs-pki.
57
58       ovs-pki uses openssl(1) for certificate management and key generation.
59

OFFLINE COMMANDS

61       The following ovs-pki commands support manual PKI administration:
62
63init
64
65         Initializes  a  new  PKI (by default in /var/lib/openvswitch/pki, al‐
66         though this default may be changed at Open vSwitch  build  time)  and
67         populates  it  with a pair of certificate authorities for controllers
68         and switches.
69
70         This command should ideally be run on a high-security  machine  sepa‐
71         rate  from  any OpenFlow controller or switch, called the CA machine.
72         The  files  pki/controllerca/cacert.pem  and  pki/switchca/cacert.pem
73         that it produces will need to be copied over to the OpenFlow switches
74         and controllers, respectively.  Their contents  may  safely  be  made
75         public.
76
77         By  default,  ovs-pki  generates 2048-bit RSA keys.  The -B or --bits
78         option (see below) may be used to override the key  length.   The  -k
79         dsa  or  --key=dsa option may be used to use DSA in place of RSA.  If
80         DSA is selected, the dsaparam.pem file generated in the new PKI hier‐
81         archy must be copied to any machine on which the req command (see be‐
82         low) will be executed.  Its contents may safely be made public.
83
84         Other files generated by init may remain  on  the  CA  machine.   The
85         files    pki/controllerca/private/cakey.pem   and   pki/switchca/pri‐
86         vate/cakey.pem have particularly sensitive contents that  should  not
87         be exposed.
88
89req <name>
90
91         Generates  a new private key named <name>-privkey.pem and correspond‐
92         ing certificate request named <name>-req.pem.  The private key can be
93         intended for use by a switch or a controller.
94
95         This  command  should ideally be run on the switch or controller that
96         will use the private key to identify itself.  The file <name>-req.pem
97         must  be  copied  to the CA machine for signing with the sign command
98         (below).
99
100         This command will output a fingerprint to stdout as its  final  step.
101         Write  down the fingerprint and take it to the CA machine before con‐
102         tinuing with the sign step.
103
104         When RSA keys are in use (as is the default), req, unlike the rest of
105         the ovs-pki commands, does not need access to a PKI hierarchy created
106         by ovs-pki init.  The -B or --bits option (see below) may be used  to
107         specify the number of bits in the generated RSA key.
108
109         When  DSA  keys are used (as specified with --key=dsa), req needs ac‐
110         cess to the dsaparam.pem file created as part of  the  PKI  hierarchy
111         (but not to other files in that tree).  By default, ovs-pki looks for
112         this file in the  PKI  directory  as  dsaparam.pem,  but  the  -D  or
113         --dsaparam option (see below) may be used to specify an alternate lo‐
114         cation.
115
116         <name>-privkey.pem has sensitive contents that should not be exposed.
117         <name>-req.pem may be safely made public.
118
119sign <name> [<type>]
120
121         Signs  the certificate request named <name>-req.pem that was produced
122         in the previous step, producing a certificate named  <name>-cert.pem.
123         <type>,  either switch (default) or controller, indicates the use for
124         which the key is being certified.
125
126         This command must be run on the CA machine.
127
128         The command will output a fingerprint to stdout and request that  you
129         verify  that  it  is  the same fingerprint output by the req command.
130         This ensures that the request being signed is the same  one  produced
131         by req.  (The -b or --batch option suppresses the verification step.)
132
133         The file <name>-cert.pem will need to be copied back to the switch or
134         controller for which it is intended.  Its contents may safely be made
135         public.
136
137req+sign <name> [<type>]
138
139         Combines the req and sign commands into a single step, outputting all
140         the   files   produced   by   each.    The   <name>-privkey.pem   and
141         <name>-cert.pem  files  must be copied securely to the switch or con‐
142         troller.  <name>-privkey.pem has sensitive contents and must  not  be
143         exposed  in transit.  Afterward, it should be deleted from the CA ma‐
144         chine.
145
146         This combined method is, theoretically, less secure than the individ‐
147         ual  steps  performed  separately  on two different machines, because
148         there is additional potential for exposure of the private key.   How‐
149         ever, it is also more convenient.
150
151verify <name> [<type>]
152
153         Verifies  that  <name>-cert.pem  is a valid certificate for the given
154         <type> of use, either switch (default) or controller.   If  the  cer‐
155         tificate   is   valid   for   this   use,   it   prints  the  message
156         <name>-cert.pem: OK; otherwise, it prints an error message.
157
158fingerprint <file>
159
160         Prints the fingerprint for <file>.  If <file> is a certificate,  then
161         this  is  the SHA-1 digest of the DER encoded version of the certifi‐
162         cate; otherwise, it is the SHA-1 digest of the entire file.
163
164self-sign <name>
165
166         Signs the certificate request named <name>-req.pem using the  private
167         key  <name>-privkey.pem,  producing  a  self-signed certificate named
168         <name>-cert.pem.  The input files  should  have  been  produced  with
169         ovs-pki req.
170
171         Some controllers accept such self-signed certificates.
172

OPTIONS

174-k <type> or --key=<type>
175
176         For  the  init  command, sets the public key algorithm to use for the
177         new PKI hierarchy.  For the req and req+sign commands, sets the  pub‐
178         lic  key  algorithm  to  use  for the key to be generated, which must
179         match the value specified on init.  With other  commands,  the  value
180         has no effect.
181
182         The <type> may be rsa (the default) or dsa.
183
184-B <nbits> or --bits=<nbits>
185
186         Sets  the  number  of bits in the key to be generated.  When RSA keys
187         are in use, this option affects only the init, req, and req+sign com‐
188         mands,  and  the same value should be given each time.  With DSA keys
189         are in use, this option affects only the init command.
190
191         The value must be at least 1024.  The default is 2048.
192
193-D <file> or --dsaparam=<file>
194
195         Specifies an alternate location for the dsaparam.pem file required by
196         the  req  and req+sign commands.  This option affects only these com‐
197         mands, and only when DSA keys are used.
198
199         The default is dsaparam.pem under the PKI hierarchy.
200
201-b or --batch
202
203         Suppresses the interactive verification of fingerprints that the sign
204         command by default requires.
205
206-d <dir> or --dir=<dir>
207
208         Specifies  the location of the PKI hierarchy to be used or created by
209         the command.  All commands, except req, need access to a PKI  hierar‐
210         chy.
211
212         The  default PKI hierarchy is /var/lib/openvswitch/pki, although this
213         default may be changed at Open vSwitch build time
214
215-f or --force
216
217         By default, ovs-pki will not overwrite existing files or directories.
218         This option overrides this behavior.
219
220-l <file> or --log=<file>
221
222         Sets  the  log file to <file>.  The default is ovs-pki.log in the OVS
223         log directory.  The  default  OVS  log  directory  is  /var/log/open‐
224         vswitch,  although  this default may be changed at Open vSwitch build
225         time.
226
227-u or --unique
228
229         Changes the format of the certificate’s Common Name (CN)  field.   By
230         default,  this  field  has the format <name> id:<uuid-or-date>.  This
231         option causes the provided name to be treated as unique  and  changes
232         the format of the CN field to be simply <name>.
233
234-h or --help
235
236         Prints a help usage message and exits.
237

AUTHOR

239       The Open vSwitch Development Community
240
242       2021, The Open vSwitch Development Community
243
244
245
246
2472.15                             Feb 21, 2021                       OVS-PKI(8)
Impressum