.\" Man page generated from reStructuredText. . . .nr rst2man-indent-level 0 . .de1 rstReportMargin \\$1 \\n[an-margin] level \\n[rst2man-indent-level] level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] - \\n[rst2man-indent0] \\n[rst2man-indent1] \\n[rst2man-indent2] .. .de1 INDENT .\" .rstReportMargin pre: . RS \\$1 . nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] . nr rst2man-indent-level +1 .\" .rstReportMargin post: .. .de UNINDENT . RE .\" indent \\n[an-margin] .\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] .nr rst2man-indent-level -1 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. .TH "OVS-PKI" "8" "Apr 11, 2023" "3.1" "Open vSwitch" .SH NAME ovs-pki \- OpenFlow public key infrastructure management utility .SH SYNOPSIS .sp Each command takes the form: .sp \fBovs\-pki ...\fP .sp The implemented commands and their arguments are: .INDENT 0.0 .IP \(bu 2 \fBovs\-pki init\fP .IP \(bu 2 \fBovs\-pki req \fP .IP \(bu 2 \fBovs\-pki sign []\fP .IP \(bu 2 \fBovs\-pki req+sign []\fP .IP \(bu 2 \fBovs\-pki verify []\fP .IP \(bu 2 \fBovs\-pki fingerprint \fP .IP \(bu 2 \fBovs\-pki self\-sign \fP .UNINDENT .sp Each above is a certificate type, either \fBswitch\fP (default) or \fBcontroller\fP\&. .sp The available options are: .INDENT 0.0 .IP \(bu 2 \fB\-k \fP or \fB\-\-key=\fP .IP \(bu 2 \fB\-B \fP or \fB\-\-bits=\fP .IP \(bu 2 \fB\-D \fP or \fB\-\-dsaparam=\fP .IP \(bu 2 \fB\-b\fP or \fB\-\-batch\fP .IP \(bu 2 \fB\-f\fP or \fB\-\-force\fP .IP \(bu 2 \fB\-d \fP or \fB\-\-dir=\fP .IP \(bu 2 \fB\-l \fP or \fB\-\-log=\fP .IP \(bu 2 \fB\-u\fP or \fB\-\-unique\fP .IP \(bu 2 \fB\-h\fP or \fB\-\-help\fP .UNINDENT .SH DESCRIPTION .sp The \fBovs\-pki\fP program sets up and manages a public key infrastructure for use with OpenFlow. It is intended to be a simple interface for organizations that do not have an established public key infrastructure. Other PKI tools can substitute for or supplement the use of \fBovs\-pki\fP\&. .sp \fBovs\-pki\fP uses \fBopenssl(1)\fP for certificate management and key generation. .SH OFFLINE COMMANDS .sp The following \fBovs\-pki\fP commands support manual PKI administration: .INDENT 0.0 .IP \(bu 2 \fBinit\fP .sp Initializes a new PKI (by default in \fB/var/lib/openvswitch/pki\fP, although this default may be changed at Open vSwitch build time) and populates it with a pair of certificate authorities for controllers and switches. .sp This command should ideally be run on a high\-security machine separate from any OpenFlow controller or switch, called the CA machine. The files \fBpki/controllerca/cacert.pem\fP and \fBpki/switchca/cacert.pem\fP that it produces will need to be copied over to the OpenFlow switches and controllers, respectively. Their contents may safely be made public. .sp By default, \fBovs\-pki\fP generates 2048\-bit RSA keys. The \fB\-B\fP or \fB\-\-bits\fP option (see below) may be used to override the key length. The \fB\-k dsa\fP or \fB\-\-key=dsa\fP option may be used to use DSA in place of RSA. If DSA is selected, the \fBdsaparam.pem\fP file generated in the new PKI hierarchy must be copied to any machine on which the \fBreq\fP command (see below) will be executed. Its contents may safely be made public. .sp Other files generated by \fBinit\fP may remain on the CA machine. The files \fBpki/controllerca/private/cakey.pem\fP and \fBpki/switchca/private/cakey.pem\fP have particularly sensitive contents that should not be exposed. .IP \(bu 2 \fBreq \fP .sp Generates a new private key named \fB\-privkey.pem\fP and corresponding certificate request named \fB\-req.pem\fP\&. The private key can be intended for use by a switch or a controller. .sp This command should ideally be run on the switch or controller that will use the private key to identify itself. The file \fB\-req.pem\fP must be copied to the CA machine for signing with the \fBsign\fP command (below). .sp This command will output a fingerprint to stdout as its final step. Write down the fingerprint and take it to the CA machine before continuing with the \fBsign\fP step. .sp When RSA keys are in use (as is the default), \fBreq\fP, unlike the rest of the \fBovs\-pki\fP commands, does not need access to a PKI hierarchy created by \fBovs\-pki init\fP\&. The \fB\-B\fP or \fB\-\-bits\fP option (see below) may be used to specify the number of bits in the generated RSA key. .sp When DSA keys are used (as specified with \fB\-\-key=dsa\fP), \fBreq\fP needs access to the \fBdsaparam.pem\fP file created as part of the PKI hierarchy (but not to other files in that tree). By default, \fBovs\-pki\fP looks for this file in the PKI directory as \fBdsaparam.pem\fP, but the \fB\-D\fP or \fB\-\-dsaparam\fP option (see below) may be used to specify an alternate location. .sp \fB\-privkey.pem\fP has sensitive contents that should not be exposed. \fB\-req.pem\fP may be safely made public. .IP \(bu 2 \fBsign []\fP .sp Signs the certificate request named \fB\-req.pem\fP that was produced in the previous step, producing a certificate named \fB\-cert.pem\fP\&. , either \fBswitch\fP (default) or \fBcontroller\fP, indicates the use for which the key is being certified. .sp This command must be run on the CA machine. .sp The command will output a fingerprint to stdout and request that you verify that it is the same fingerprint output by the \fBreq\fP command. This ensures that the request being signed is the same one produced by \fBreq\fP\&. (The \fB\-b\fP or \fB\-\-batch\fP option suppresses the verification step.) .sp The file \fB\-cert.pem\fP will need to be copied back to the switch or controller for which it is intended. Its contents may safely be made public. .IP \(bu 2 \fBreq+sign []\fP .sp Combines the \fBreq\fP and \fBsign\fP commands into a single step, outputting all the files produced by each. The \fB\-privkey.pem\fP and \fB\-cert.pem\fP files must be copied securely to the switch or controller. \fB\-privkey.pem\fP has sensitive contents and must not be exposed in transit. Afterward, it should be deleted from the CA machine. .sp This combined method is, theoretically, less secure than the individual steps performed separately on two different machines, because there is additional potential for exposure of the private key. However, it is also more convenient. .IP \(bu 2 \fBverify []\fP .sp Verifies that \fB\-cert.pem\fP is a valid certificate for the given of use, either \fBswitch\fP (default) or \fBcontroller\fP\&. If the certificate is valid for this use, it prints the message \fB\-cert.pem: OK\fP; otherwise, it prints an error message. .IP \(bu 2 \fBfingerprint \fP .sp Prints the fingerprint for . If is a certificate, then this is the SHA\-1 digest of the DER encoded version of the certificate; otherwise, it is the SHA\-1 digest of the entire file. .IP \(bu 2 \fBself\-sign \fP .sp Signs the certificate request named \fB\-req.pem\fP using the private key \fB\-privkey.pem\fP, producing a self\-signed certificate named \fB\-cert.pem\fP\&. The input files should have been produced with \fBovs\-pki req\fP\&. .sp Some controllers accept such self\-signed certificates. .UNINDENT .SH OPTIONS .INDENT 0.0 .IP \(bu 2 \fB\-k \fP or \fB\-\-key=\fP .sp For the \fBinit\fP command, sets the public key algorithm to use for the new PKI hierarchy. For the \fBreq\fP and \fBreq+sign\fP commands, sets the public key algorithm to use for the key to be generated, which must match the value specified on \fBinit\fP\&. With other commands, the value has no effect. .sp The may be \fBrsa\fP (the default) or \fBdsa\fP\&. .IP \(bu 2 \fB\-B \fP or \fB\-\-bits=\fP .sp Sets the number of bits in the key to be generated. When RSA keys are in use, this option affects only the \fBinit\fP, \fBreq\fP, and \fBreq+sign\fP commands, and the same value should be given each time. With DSA keys are in use, this option affects only the \fBinit\fP command. .sp The value must be at least 1024. The default is 2048. .IP \(bu 2 \fB\-D \fP or \fB\-\-dsaparam=\fP .sp Specifies an alternate location for the \fBdsaparam.pem\fP file required by the \fBreq\fP and \fBreq+sign\fP commands. This option affects only these commands, and only when DSA keys are used. .sp The default is \fBdsaparam.pem\fP under the PKI hierarchy. .IP \(bu 2 \fB\-b\fP or \fB\-\-batch\fP .sp Suppresses the interactive verification of fingerprints that the \fBsign\fP command by default requires. .IP \(bu 2 \fB\-d \fP or \fB\-\-dir=\fP .sp Specifies the location of the PKI hierarchy to be used or created by the command. All commands, except \fBreq\fP, need access to a PKI hierarchy. .sp The default PKI hierarchy is \fB/var/lib/openvswitch/pki\fP, although this default may be changed at Open vSwitch build time .IP \(bu 2 \fB\-f\fP or \fB\-\-force\fP .sp By default, \fBovs\-pki\fP will not overwrite existing files or directories. This option overrides this behavior. .IP \(bu 2 \fB\-l \fP or \fB\-\-log=\fP .sp Sets the log file to . The default is \fBovs\-pki.log\fP in the OVS log directory. The default OVS log directory is \fB/var/log/openvswitch\fP, although this default may be changed at Open vSwitch build time. .IP \(bu 2 \fB\-u\fP or \fB\-\-unique\fP .sp Changes the format of the certificate’s Common Name (CN) field. By default, this field has the format \fB id:\fP\&. This option causes the provided name to be treated as unique and changes the format of the CN field to be simply \fB\fP\&. .IP \(bu 2 \fB\-h\fP or \fB\-\-help\fP .sp Prints a help usage message and exits. .UNINDENT .SH AUTHOR The Open vSwitch Development Community .SH COPYRIGHT 2016-2023, The Open vSwitch Development Community .\" Generated by docutils manpage writer. .