Configuring SSL/TLS Support
SSL/TLS on an Open vSwitch switch is typically configured with the
ovs-vsctl set-ssl privkey sc-cert cacert command.
This command is not supported, so the switch's TLS credentials
must be configured as follows:
-
To configure the private key, cut-and-paste a PEM-encoded private key.
% set tls privkey <cr>
<cut-and-paste sc-privkey-pk8.pem>
quit<cr>
Please enter PEM passphrase: ******
If the key is protected with a passphrase, you must enter the correct
passphrase for the key to be accepted. The switch stores an encrypted copy of
the passphrase in non-volatile memory, so you never need to re-enter the
passphrase, even after a reboot.
-
To configure a switch certificate:
-
Load the certificate into a new pki-cert-list.
% set pki certificate sc-cert
<cut-and-paste sc-cert.pem>
quit<cr>
-
Configure TLS to use the certificate
contained in the new list as the switch certificate. This pki-cert-list must
contain exactly one certificate.
% set tls certificate sc-cert
-
Configure the controller CA certificate:
-
Load all CA certificates into a new
pki-cert-list.
% set pki certificate cacert
<cut-and-paste ca-cert.pem>
quit<cr>
Repeat the preceding command for each CA certificate.
The ovs-pki application generates only a single CA certificate,
while other PKIs may issue a chain of certificates, each of which must be loaded.
-
Configure TLS to use the certificate(s) contained in this list as the
controller CA list. Any controller presenting a certificate issued by
one of these CA certificates is trusted.
-
Verify that all three credentials are in place and that the switch's private
key matches the public key contained in the switch certificate by using the
show tls command:
% show tls
TLS Configuration Status : good
============================================================
Switch Private Key : <configured, passphrase protected>
Switch Certificate List : sc-cert
Peer CA Certificate List : cacert
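The following shell script is an added example and is not part of this documentation or of Open vSwitch. It builds the three credentials with openssl in the forms the CLI above accepts and runs, offline, the checks the switch applies to pasted credentials: that a pki-cert-list holds the intended number of certificates, that the private key matches the switch certificate (what show tls reports), and that a certificate chains to a CA list. It stands in for ovs-pki; the demo CA, the file names, the passphrase and the directory are constructed for the example. Converting the key to passphrase-protected PKCS#8 is an assumption drawn from the sc-privkey-pk8.pem file name used above; in an ovs-pki deployment the switch key and certificate come from ovs-pki req+sign sc switch (signed by pki/switchca) and the controller CA list is pki/controllerca/cacert.pem.

```shell
#!/bin/sh
# Added example, not the switch vendor's or Open vSwitch's code.
# Generates demo TLS credentials with openssl and checks them the way the
# switch does before they are pasted into the CLI.

# Create a demo CA, a switch key and a CA-signed switch certificate in $1,
# and convert the key to passphrase-protected PKCS#8 ($2 is the passphrase).
# All names are constructed for this example.
make_demo_credentials() {
    mk_dir=$1
    mk_pass=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-ca" \
        -keyout "$mk_dir/ca-privkey.pem" -out "$mk_dir/ca-cert.pem" \
        >/dev/null 2>&1 || return 1
    openssl genrsa -out "$mk_dir/sc-privkey.pem" 2048 >/dev/null 2>&1 || return 1
    openssl req -new -key "$mk_dir/sc-privkey.pem" -subj "/CN=demo-switch" \
        -out "$mk_dir/sc-req.pem" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 365 -in "$mk_dir/sc-req.pem" \
        -CA "$mk_dir/ca-cert.pem" -CAkey "$mk_dir/ca-privkey.pem" -CAcreateserial \
        -out "$mk_dir/sc-cert.pem" >/dev/null 2>&1 || return 1
    # PKCS#8 with PBES2/AES-256-CBC; this is the file pasted at "set tls privkey"
    # and the passphrase the switch prompts for once.
    openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$mk_dir/sc-privkey.pem" \
        -passout "pass:$mk_pass" -out "$mk_dir/sc-privkey-pk8.pem" \
        >/dev/null 2>&1 || return 1
}

# Print the number of certificates in a PEM file. The list used as the switch
# certificate must contain exactly one; a CA list may contain several.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Exit 0 when the public key derived from private key $1 (unlocked with
# passphrase $3, which is ignored for an unencrypted key) equals the public
# key inside certificate $2. Exit 2 if either file cannot be read.
# This is the match that "show tls" reports on the switch.
key_matches_cert() {
    km_key_pub=$(openssl pkey -in "$1" -passin "pass:$3" -pubout 2>/dev/null) || return 2
    km_cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$km_key_pub" ] && [ "$km_key_pub" = "$km_cert_pub" ]
}

# Exit 0 when certificate $2 chains to a CA certificate in list $1, i.e. a
# peer presenting $2 would be trusted under that CA list.
cert_trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: build the files in a scratch directory and report.
work=$(mktemp -d)
make_demo_credentials "$work" demo-passphrase || { echo "credential generation failed"; exit 1; }
echo "certificates in sc-cert.pem : $(cert_count "$work/sc-cert.pem")"
echo "certificates in ca-cert.pem : $(cert_count "$work/ca-cert.pem")"
if key_matches_cert "$work/sc-privkey-pk8.pem" "$work/sc-cert.pem" demo-passphrase; then
    echo "private key matches switch certificate"
else
    echo "MISMATCH: private key and switch certificate do not belong together"
fi
if cert_trusted_by "$work/ca-cert.pem" "$work/sc-cert.pem"; then
    echo "switch certificate chains to demo CA"
fi
echo "paste $work/sc-privkey-pk8.pem, sc-cert.pem and ca-cert.pem into the CLI"
```

Run the script on the files you intend to paste; a mismatch or a wrong passphrase shows up here as a non-zero exit rather than as a failed "show tls" after the credentials are already in non-volatile memory.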