1OVS-PKI(8) Open vSwitch OVS-PKI(8)
2
3
4
6 ovs-pki - OpenFlow public key infrastructure management utility
7
9 Each command takes the form:
10
11 ovs-pki <options> <command> <args>...
12
13 The implemented commands and their arguments are:
14
15 • ovs-pki init
16
17 • ovs-pki req <name>
18
19 • ovs-pki sign <name> [<type>]
20
21 • ovs-pki req+sign <name> [<type>]
22
23 • ovs-pki verify <name> [<type>]
24
25 • ovs-pki fingerprint <file>
26
27 • ovs-pki self-sign <name>
28
29 Each <type> above is a certificate type, either switch (default) or
30 controller.
31
32 The available options are:
33
34 • -k <type> or --key=<type>
35
36 • -B <nbits> or --bits=<nbits>
37
38 • -D <file> or --dsaparam=<file>
39
40 • -b or --batch
41
42 • -f or --force
43
44 • -d <dir> or --dir=<dir>
45
46 • -l <file> or --log=<file>
47
48 • -u or --unique
49
50 • -h or --help
51
53 The ovs-pki program sets up and manages a public key infrastructure for
54 use with OpenFlow. It is intended to be a simple interface for organi‐
55 zations that do not have an established public key infrastructure.
56 Other PKI tools can substitute for or supplement the use of ovs-pki.
57
58 ovs-pki uses openssl(1) for certificate management and key generation.
59
61 The following ovs-pki commands support manual PKI administration:
62
63 • init
64
65 Initializes a new PKI (by default in /var/lib/openvswitch/pki, al‐
66 though this default may be changed at Open vSwitch build time) and
67 populates it with a pair of certificate authorities for controllers
68 and switches.
69
70 This command should ideally be run on a high-security machine sepa‐
71 rate from any OpenFlow controller or switch, called the CA machine.
72 The files pki/controllerca/cacert.pem and pki/switchca/cacert.pem
73 that it produces will need to be copied over to the OpenFlow switches
74 and controllers, respectively. Their contents may safely be made
75 public.
76
77 By default, ovs-pki generates 2048-bit RSA keys. The -B or --bits
78 option (see below) may be used to override the key length. The -k
79 dsa or --key=dsa option may be used to use DSA in place of RSA. If
80 DSA is selected, the dsaparam.pem file generated in the new PKI hier‐
81 archy must be copied to any machine on which the req command (see be‐
82 low) will be executed. Its contents may safely be made public.
83
84 Other files generated by init may remain on the CA machine. The
85 files pki/controllerca/private/cakey.pem and pki/switchca/pri‐
86 vate/cakey.pem have particularly sensitive contents that should not
87 be exposed.
88
89 • req <name>
90
91 Generates a new private key named <name>-privkey.pem and correspond‐
92 ing certificate request named <name>-req.pem. The private key can be
93 intended for use by a switch or a controller.
94
95 This command should ideally be run on the switch or controller that
96 will use the private key to identify itself. The file <name>-req.pem
97 must be copied to the CA machine for signing with the sign command
98 (below).
99
100 This command will output a fingerprint to stdout as its final step.
101 Write down the fingerprint and take it to the CA machine before con‐
102 tinuing with the sign step.
103
104 When RSA keys are in use (as is the default), req, unlike the rest of
105 the ovs-pki commands, does not need access to a PKI hierarchy created
106 by ovs-pki init. The -B or --bits option (see below) may be used to
107 specify the number of bits in the generated RSA key.
108
109 When DSA keys are used (as specified with --key=dsa), req needs ac‐
110 cess to the dsaparam.pem file created as part of the PKI hierarchy
111 (but not to other files in that tree). By default, ovs-pki looks for
112 this file in the PKI directory as dsaparam.pem, but the -D or
113 --dsaparam option (see below) may be used to specify an alternate lo‐
114 cation.
115
116 <name>-privkey.pem has sensitive contents that should not be exposed.
117 <name>-req.pem may be safely made public.
118
119 • sign <name> [<type>]
120
121 Signs the certificate request named <name>-req.pem that was produced
122 in the previous step, producing a certificate named <name>-cert.pem.
123 <type>, either switch (default) or controller, indicates the use for
124 which the key is being certified.
125
126 This command must be run on the CA machine.
127
128 The command will output a fingerprint to stdout and request that you
129 verify that it is the same fingerprint output by the req command.
130 This ensures that the request being signed is the same one produced
131 by req. (The -b or --batch option suppresses the verification step.)
132
133 The file <name>-cert.pem will need to be copied back to the switch or
134 controller for which it is intended. Its contents may safely be made
135 public.
136
137 • req+sign <name> [<type>]
138
139 Combines the req and sign commands into a single step, outputting all
140 the files produced by each. The <name>-privkey.pem and
141 <name>-cert.pem files must be copied securely to the switch or con‐
142 troller. <name>-privkey.pem has sensitive contents and must not be
143 exposed in transit. Afterward, it should be deleted from the CA ma‐
144 chine.
145
146 This combined method is, theoretically, less secure than the individ‐
147 ual steps performed separately on two different machines, because
148 there is additional potential for exposure of the private key. How‐
149 ever, it is also more convenient.
150
151 • verify <name> [<type>]
152
153 Verifies that <name>-cert.pem is a valid certificate for the given
154 <type> of use, either switch (default) or controller. If the cer‐
155 tificate is valid for this use, it prints the message
156 <name>-cert.pem: OK; otherwise, it prints an error message.
157
158 • fingerprint <file>
159
160 Prints the fingerprint for <file>. If <file> is a certificate, then
161 this is the SHA-1 digest of the DER encoded version of the certifi‐
162 cate; otherwise, it is the SHA-1 digest of the entire file.
163
164 • self-sign <name>
165
166 Signs the certificate request named <name>-req.pem using the private
167 key <name>-privkey.pem, producing a self-signed certificate named
168 <name>-cert.pem. The input files should have been produced with
169 ovs-pki req.
170
171 Some controllers accept such self-signed certificates.
172
174 • -k <type> or --key=<type>
175
176 For the init command, sets the public key algorithm to use for the
177 new PKI hierarchy. For the req and req+sign commands, sets the pub‐
178 lic key algorithm to use for the key to be generated, which must
179 match the value specified on init. With other commands, the value
180 has no effect.
181
182 The <type> may be rsa (the default) or dsa.
183
184 • -B <nbits> or --bits=<nbits>
185
186 Sets the number of bits in the key to be generated. When RSA keys
187 are in use, this option affects only the init, req, and req+sign com‐
188 mands, and the same value should be given each time. With DSA keys
189 are in use, this option affects only the init command.
190
191 The value must be at least 1024. The default is 2048.
192
193 • -D <file> or --dsaparam=<file>
194
195 Specifies an alternate location for the dsaparam.pem file required by
196 the req and req+sign commands. This option affects only these com‐
197 mands, and only when DSA keys are used.
198
199 The default is dsaparam.pem under the PKI hierarchy.
200
201 • -b or --batch
202
203 Suppresses the interactive verification of fingerprints that the sign
204 command by default requires.
205
206 • -d <dir> or --dir=<dir>
207
208 Specifies the location of the PKI hierarchy to be used or created by
209 the command. All commands, except req, need access to a PKI hierar‐
210 chy.
211
212 The default PKI hierarchy is /var/lib/openvswitch/pki, although this
213 default may be changed at Open vSwitch build time
214
215 • -f or --force
216
217 By default, ovs-pki will not overwrite existing files or directories.
218 This option overrides this behavior.
219
220 • -l <file> or --log=<file>
221
222 Sets the log file to <file>. The default is ovs-pki.log in the OVS
223 log directory. The default OVS log directory is /var/log/open‐
224 vswitch, although this default may be changed at Open vSwitch build
225 time.
226
227 • -u or --unique
228
229 Changes the format of the certificate’s Common Name (CN) field. By
230 default, this field has the format <name> id:<uuid-or-date>. This
231 option causes the provided name to be treated as unique and changes
232 the format of the CN field to be simply <name>.
233
234 • -h or --help
235
236 Prints a help usage message and exits.
237
239 The Open vSwitch Development Community
240
242 2021, The Open vSwitch Development Community
243
244
245
246
2472.15 Feb 21, 2021 OVS-PKI(8)