Provided by: openvswitch-common_3.1.0-1ubuntu1_amd64 bug

NAME

       ovs-pki - OpenFlow public key infrastructure management utility

SYNOPSIS

       Each command takes the form:

       ovs-pki <options> <command> <args>...

       The implemented commands and their arguments are:

       • ovs-pki initovs-pki req <name>ovs-pki sign <name> [<type>]ovs-pki req+sign <name> [<type>]ovs-pki verify <name> [<type>]ovs-pki fingerprint <file>ovs-pki self-sign <name>

       Each <type> above is a certificate type, either switch (default) or controller.

       The available options are:

       • -k <type> or --key=<type>-B <nbits> or --bits=<nbits>-D <file> or --dsaparam=<file>-b or --batch-f or --force-d <dir> or --dir=<dir>-l <file> or --log=<file>-u or --unique-h or --help

DESCRIPTION

       The ovs-pki program sets up and manages a public key infrastructure for use with OpenFlow.
       It is intended to be a simple interface for organizations that do not have an  established
       public  key  infrastructure.   Other PKI tools can substitute for or supplement the use of
       ovs-pki.

       ovs-pki uses openssl(1) for certificate management and key generation.

OFFLINE COMMANDS

       The following ovs-pki commands support manual PKI administration:

       • init

         Initializes a new PKI (by default in /var/lib/openvswitch/pki, although this default may
         be  changed  at  Open  vSwitch  build  time) and populates it with a pair of certificate
         authorities for controllers and switches.

         This command should ideally be run on a high-security machine separate from any OpenFlow
         controller  or switch, called the CA machine.  The files pki/controllerca/cacert.pem and
         pki/switchca/cacert.pem that it produces will need to be copied  over  to  the  OpenFlow
         switches and controllers, respectively.  Their contents may safely be made public.

         By  default,  ovs-pki  generates 2048-bit RSA keys.  The -B or --bits option (see below)
         may be used to override the key length.  The -k dsa or --key=dsa option may be  used  to
         use DSA in place of RSA.  If DSA is selected, the dsaparam.pem file generated in the new
         PKI hierarchy must be copied to any machine on which the req command (see below) will be
         executed.  Its contents may safely be made public.

         Other   files   generated   by   init   may   remain  on  the  CA  machine.   The  files
         pki/controllerca/private/cakey.pem and pki/switchca/private/cakey.pem have  particularly
         sensitive contents that should not be exposed.

       • req <name>

         Generates  a  new  private  key  named  <name>-privkey.pem and corresponding certificate
         request named <name>-req.pem.  The private key can be intended for use by a switch or  a
         controller.

         This command should ideally be run on the switch or controller that will use the private
         key to identify itself.  The file <name>-req.pem must be copied to the  CA  machine  for
         signing with the sign command (below).

         This  command  will  output  a  fingerprint to stdout as its final step.  Write down the
         fingerprint and take it to the CA machine before continuing with the sign step.

         When RSA keys are in use (as is the default),  req,  unlike  the  rest  of  the  ovs-pki
         commands,  does  not  need access to a PKI hierarchy created by ovs-pki init.  The -B or
         --bits option (see below) may be used to specify the number of bits in the generated RSA
         key.

         When  DSA  keys  are  used  (as  specified  with  --key=dsa),  req  needs  access to the
         dsaparam.pem file created as part of the PKI hierarchy (but not to other files  in  that
         tree).   By  default,  ovs-pki looks for this file in the PKI directory as dsaparam.pem,
         but the -D or --dsaparam option  (see  below)  may  be  used  to  specify  an  alternate
         location.

         <name>-privkey.pem  has  sensitive  contents that should not be exposed.  <name>-req.pem
         may be safely made public.

       • sign <name> [<type>]

         Signs the certificate request named <name>-req.pem that was  produced  in  the  previous
         step, producing a certificate named <name>-cert.pem.  <type>, either switch (default) or
         controller, indicates the use for which the key is being certified.

         This command must be run on the CA machine.

         The command will output a fingerprint to stdout and request that you verify that  it  is
         the  same  fingerprint  output  by the req command.  This ensures that the request being
         signed is the same one produced by req.   (The  -b  or  --batch  option  suppresses  the
         verification step.)

         The  file  <name>-cert.pem  will  need to be copied back to the switch or controller for
         which it is intended.  Its contents may safely be made public.

       • req+sign <name> [<type>]

         Combines the req and sign commands into a single step, outputting all the files produced
         by  each.   The  <name>-privkey.pem and <name>-cert.pem files must be copied securely to
         the switch or controller.  <name>-privkey.pem has sensitive contents  and  must  not  be
         exposed in transit.  Afterward, it should be deleted from the CA machine.

         This  combined method is, theoretically, less secure than the individual steps performed
         separately on two different machines, because there is additional potential for exposure
         of the private key.  However, it is also more convenient.

       • verify <name> [<type>]

         Verifies that <name>-cert.pem is a valid certificate for the given <type> of use, either
         switch (default) or controller.  If the certificate is valid for this use, it prints the
         message <name>-cert.pem: OK; otherwise, it prints an error message.

       • fingerprint <file>

         Prints  the  fingerprint for <file>.  If <file> is a certificate, then this is the SHA-1
         digest of the DER encoded version of the certificate; otherwise, it is the SHA-1  digest
         of the entire file.

       • self-sign <name>

         Signs   the   certificate   request   named   <name>-req.pem   using   the  private  key
         <name>-privkey.pem, producing a  self-signed  certificate  named  <name>-cert.pem.   The
         input files should have been produced with ovs-pki req.

         Some controllers accept such self-signed certificates.

OPTIONS

-k <type> or --key=<type>

         For  the  init  command, sets the public key algorithm to use for the new PKI hierarchy.
         For the req and req+sign commands, sets the public key algorithm to use for the  key  to
         be  generated,  which  must match the value specified on init.  With other commands, the
         value has no effect.

         The <type> may be rsa (the default) or dsa.

       • -B <nbits> or --bits=<nbits>

         Sets the number of bits in the key to be generated.  When RSA  keys  are  in  use,  this
         option  affects  only the init, req, and req+sign commands, and the same value should be
         given each time.  With DSA keys are in use, this option affects only the init command.

         The value must be at least 1024.  The default is 2048.

       • -D <file> or --dsaparam=<file>

         Specifies an alternate location for the  dsaparam.pem  file  required  by  the  req  and
         req+sign  commands.  This option affects only these commands, and only when DSA keys are
         used.

         The default is dsaparam.pem under the PKI hierarchy.

       • -b or --batch

         Suppresses the interactive verification of fingerprints that the sign command by default
         requires.

       • -d <dir> or --dir=<dir>

         Specifies  the  location of the PKI hierarchy to be used or created by the command.  All
         commands, except req, need access to a PKI hierarchy.

         The default PKI hierarchy is /var/lib/openvswitch/pki,  although  this  default  may  be
         changed at Open vSwitch build time

       • -f or --force

         By  default,  ovs-pki  will  not  overwrite  existing files or directories.  This option
         overrides this behavior.

       • -l <file> or --log=<file>

         Sets the log file to <file>.  The default is ovs-pki.log in the OVS log directory.   The
         default  OVS log directory is /var/log/openvswitch, although this default may be changed
         at Open vSwitch build time.

       • -u or --unique

         Changes the format of the certificate’s Common Name (CN) field.  By default, this  field
         has  the  format  <name>  id:<uuid-or-date>.  This option causes the provided name to be
         treated as unique and changes the format of the CN field to be simply <name>.

       • -h or --help

         Prints a help usage message and exits.

AUTHOR

       The Open vSwitch Development Community

COPYRIGHT

       2016-2023, The Open vSwitch Development Community