ovs-pki(8)		      Open vSwitch Manual		    ovs-pki(8)

NAME
       ovs-pki - OpenFlow public key infrastructure management utility

SYNOPSIS
       Each command takes the form:

       ovs-pki [options] command [args]

       The implemented commands	and their arguments are:
       ovs-pki init
       ovs-pki req name
       ovs-pki sign name [type]
       ovs-pki req+sign	name [type]
       ovs-pki verify name [type]
       ovs-pki fingerprint file
       ovs-pki self-sign name

       Each type above is a certificate type, either switch (default) or
       controller.

       The available options are:
       [-k type	| --key=type]
       [-B nbits | --bits=nbits]
       [-D file	| --dsaparam=file]
       [-b | --batch]
       [-f | --force]
       [-d dir | --dir=dir]
       [-l file	| --log=file]
       [-h | --help]

       Some options do not apply to every command.

DESCRIPTION
       The ovs-pki program sets	up and manages a public	key infrastructure for
       use with	OpenFlow.  It is intended to be	a simple interface for organi-
       zations that do not have	 an  established  public  key  infrastructure.
       Other PKI tools can substitute for or supplement	the use	of ovs-pki.

       ovs-pki uses openssl(1) for certificate management and key generation.

OFFLINE	COMMANDS
       The following ovs-pki commands support manual PKI administration:

       init   Initializes a new PKI (by default in directory
              /var/lib/openvswitch/pki) and populates it with a pair of
              certificate authorities for controllers and switches.

	      This  command  should  ideally be	run on a high-security machine
	      separate from any	OpenFlow controller or switch, called  the  CA
	      machine.	    The	   files    pki/controllerca/cacert.pem	   and
	      pki/switchca/cacert.pem that it produces will need to be	copied
	      over  to	the  OpenFlow  switches	and controllers, respectively.
	      Their contents may safely	be made	public.

	      By default, ovs-pki generates 2048-bit  RSA  keys.   The	-B  or
	      --bits  option  (see  below)  may	 be  used  to override the key
	      length.  The -k dsa or --key=dsa option may be used to  use  DSA
	      in place of RSA.	If DSA is selected, the	dsaparam.pem file gen-
	      erated in	the new	PKI hierarchy must be copied to	any machine on
	      which  the  req  command (see below) will	be executed.  Its con-
	      tents may	safely be made public.

              Other files generated by init may remain on the CA machine.  The
              files pki/controllerca/private/cakey.pem and
              pki/switchca/private/cakey.pem have particularly sensitive
              contents that should not be exposed.

       req name
	      Generates	 a  new	 private key named name-privkey.pem and	corre-
	      sponding certificate request named  name-req.pem.	  The  private
	      key can be intended for use by a switch or a controller.

	      This  command  should ideally be run on the switch or controller
	      that will	use the	private	key  to	 identify  itself.   The  file
	      name-req.pem  must  be copied to the CA machine for signing with
	      the sign command (below).

	      This command will	output a fingerprint to	stdout	as  its	 final
	      step.   Write down the fingerprint and take it to	the CA machine
	      before continuing	with the sign step.

	      When RSA keys are	in use (as is the default),  req,  unlike  the
	      rest  of ovs-pki's commands, does	not need access	to a PKI hier-
	      archy created by ovs-pki init.  The -B or	--bits option (see be-
	      low)  may	be used	to specify the number of bits in the generated
	      RSA key.

              When DSA keys are used (as specified with --key=dsa), req needs
              access to the dsaparam.pem file created as part of the PKI
              hierarchy (but not to other files in that tree).  By default,
              ovs-pki looks for this file in
              /var/lib/openvswitch/pki/dsaparam.pem, but the -D or --dsaparam
              option (see below) may be used to specify an alternate location.

	      name-privkey.pem	has  sensitive contents	that should not	be ex-
	      posed.  name-req.pem may be safely made public.

       sign name [type]
	      Signs the	certificate request named name-req.pem that  was  pro-
	      duced  in	 the  previous	step,  producing  a  certificate named
	      name-cert.pem.  type, either switch (default) or controller, in-
	      dicates the use for which	the key	is being certified.

	      This command must	be run on the CA machine.

	      The command will output a	fingerprint to stdout and request that
	      you verify that it is the	same fingerprint  output  by  the  req
	      command.	This ensures that the request being signed is the same
	      one produced by req.  (The -b or --batch option  suppresses  the
	      verification step.)

	      The file name-cert.pem will need to be copied back to the	switch
	      or controller for	which it is intended.  Its contents may	safely
	      be made public.

       req+sign	name [type]
	      Combines	the  req  and  sign  commands into a single step, out-
	      putting all the files produced by	 each.	 The  name-privkey.pem
	      and name-cert.pem	files must be copied securely to the switch or
	      controller.  name-privkey.pem has	sensitive  contents  and  must
	      not be exposed in	transit.  Afterward, it	should be deleted from
	      the CA machine.

	      This combined method is, theoretically, less secure than the in-
	      dividual	steps  performed separately on two different machines,
	      because there is additional potential for	exposure of  the  pri-
	      vate key.	 However, it is	also more convenient.

       verify name [type]
	      Verifies that name-cert.pem is a valid certificate for the given
	      type of use, either switch (default) or controller.  If the cer-
	      tificate	 is   valid  for  this	use,  it  prints  the  message
	      ``name-cert.pem: OK''; otherwise,	it prints an error message.

       fingerprint file
	      Prints the fingerprint for file.	If file	is a certificate, then
	      this  is the SHA-1 digest	of the DER encoded version of the cer-
	      tificate;	otherwise, it is the SHA-1 digest of the entire	file.

       self-sign name
	      Signs the	certificate request named name-req.pem using the  pri-
	      vate  key	 name-privkey.pem, producing a self-signed certificate
	      named name-cert.pem.  The	input files should have	been  produced
	      with ovs-pki req.

	      Some controllers accept such self-signed certificates.
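
       The fingerprint rule described under fingerprint, and the req/sign
       comparison it supports, can be reproduced outside ovs-pki, for
       instance when --batch suppresses the interactive check.  This is an
       added example, not code from Open vSwitch; the function names, the
       sample bytes and the accepted fingerprint spellings (hex, optional
       colons, any case) are assumptions.

```python
import base64
import hashlib
import hmac
import re

# A PEM certificate block; "BEGIN CERTIFICATE REQUEST" does not match this.
CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprint(data: bytes) -> str:
    """SHA-1 of the DER body if data holds a PEM certificate, else of all bytes."""
    m = CERT_RE.search(data)
    if m:
        der = base64.b64decode(b"".join(m.group(1).split()))
        return hashlib.sha1(der).hexdigest()
    return hashlib.sha1(data).hexdigest()


def matches(data: bytes, recorded: str) -> bool:
    """Compare a file against the fingerprint written down at the req step."""
    wanted = re.sub(r"[\s:]", "", recorded).lower()
    return hmac.compare_digest(fingerprint(data), wanted)


def pem_wrap(der: bytes, width: int) -> bytes:
    """Constructed helper: PEM-armor bytes at a given base64 line width."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")


# Constructed sample inputs (placeholder bytes, not a real request or cert).
SAMPLE_REQ = (b"-----BEGIN CERTIFICATE REQUEST-----\nQ09OU1RSVUNURUQ=\n"
              b"-----END CERTIFICATE REQUEST-----\n")
SAMPLE_DER = b"constructed placeholder for DER certificate bytes" * 3

if __name__ == "__main__":
    recorded = fingerprint(SAMPLE_REQ)   # noted on the switch after req
    print("request as copied:", matches(SAMPLE_REQ, recorded))
    print("request altered in transit:", matches(SAMPLE_REQ + b"\n", recorded))
    # Re-wrapping the PEM text does not change a certificate's fingerprint.
    print("rewrap stable:", fingerprint(pem_wrap(SAMPLE_DER, 64))
          == fingerprint(pem_wrap(SAMPLE_DER, 76)))
```

       A request is hashed byte for byte, so any change to name-req.pem
       between the two machines, even a trailing newline, changes its
       fingerprint; a certificate is hashed over its DER encoding, so
       re-wrapping its PEM text does not.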

OPTIONS
       -k type
       --key=type
	      For  the	init command, sets the public key algorithm to use for
	      the new PKI hierarchy.  For the req and req+sign commands,  sets
	      the  public  key	algorithm  to use for the key to be generated,
	      which must match the value specified on init.  With  other  com-
	      mands, the value has no effect.

	      The type may be rsa (the default)	or dsa.

       -B nbits
       --bits=nbits
	      Sets  the	 number	 of bits in the	key to be generated.  When RSA
	      keys are in use, this option affects only	 the  init,  req,  and
	      req+sign commands, and the same value should be given each time.
              When DSA keys are in use, this option affects only the init
              command.

	      The value	must be	at least 1024.	The default is 2048.

       -D file
       --dsaparam=file
	      Specifies	 an  alternate	location for the dsaparam.pem file re-
	      quired by	the req	and req+sign commands.	 This  option  affects
	      only these commands, and only when DSA keys are used.

	      The default is dsaparam.pem under	the PKI	hierarchy.

       -b
       --batch
	      Suppresses the interactive verification of fingerprints that the
	      sign command by default requires.

       -d dir
       --dir=dir
	      Specifies	the location of	the PKI	hierarchy to be	used  or  cre-
	      ated  by	the  command (default: /var/lib/openvswitch/pki).  All
	      commands,	except req, need access	to a PKI hierarchy.

       -f
       --force
	      By default, ovs-pki will not overwrite existing files or	direc-
	      tories.  This option overrides this behavior.

       -l file
       --log=file
              Sets the log file to file.  Default:
              /var/log/openvswitch/ovs-pki.log.

       -h
       --help Prints a help usage message and exits.

Open vSwitch			     2.3.3			    ovs-pki(8)
