Configuring SSL/TLS Support

SSL/TLS on an Open vSwitch switch is typically configured with the ovs-vsctl set-ssl privkey sc-cert cacert command.

This command is not supported, so the switch's TLS credentials must be configured as follows:

  1. To configure the private key, cut-and-paste a PEM-encoded private key.
    % set tls privkey <cr>
    <cut-and-paste sc-privkey-pk8.pem>
    quit<cr>
    Please enter PEM passphrase: ******
    If the key is protected with a passphrase, you must enter the correct passphrase before the key is accepted. The switch stores an encrypted version of the passphrase in non-volatile memory, so you never need to re-enter the passphrase, even after rebooting.
  2. To configure a switch certificate:
    1. Load the certificate into a new pki-cert-list.
      % set pki certificate sc-cert
      <cut-and-paste sc-cert.pem>
      quit<cr>
    2. Configure TLS to use the certificate contained in the new list as the switch certificate. This pki-cert-list must only contain one certificate.
      % set tls certificate sc-cert
  3. Configure the controller CA certificate:
    1. Load all CA certificates into a new pki-cert-list.
      % set pki certificate cacert
      <cut-and-paste ca-cert.pem>
      quit<cr>

      Repeat the preceding command for each CA certificate. The ovs-pki application generates only a single CA certificate, while other PKIs may generate a chain of certificates, each of which must be loaded into the list.

    2. Configure TLS to use the certificate(s) contained in this list as the controller CA list. Any controller presenting a certificate issued by one of these CA certificates is trusted.
      % set tls ca-cert cacert
  4. Verify that all three credentials are in place and that the switch's private key matches the public key contained in the switch certificate by using the show tls command:
    % show tls
    TLS Configuration Status : good
    ============================================================
    Switch Private Key       : <configured, passphrase protected>
    Switch Certificate List  : sc-cert
    Peer CA Certificate List : cacert
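The same checks that show tls performs in step 4, plus the one-certificate rule from step 2, can be run against the PEM files on the workstation before anything is pasted into the switch. This is an added example, not part of the original documentation or of the switch CLI; it assumes the openssl command-line tool is installed on the workstation and uses a hypothetical SC_KEY_PASS environment variable to carry the key's passphrase.

```shell
#!/bin/sh
# Pre-flight checks on the three PEM files before they are pasted into the switch CLI.
# Assumes the openssl command-line tool is installed on the workstation (not the switch).

# Report how the private key is encoded; "encrypted-pkcs8" means the switch will prompt
# for the PEM passphrase after the paste.
privkey_kind() {
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" 2>/dev/null; then echo encrypted-pkcs8
    elif grep -q -- '-----BEGIN PRIVATE KEY-----' "$1" 2>/dev/null; then echo pkcs8
    else echo other
    fi
}

# Number of certificates in a PEM file; the switch certificate list must hold exactly one.
pem_cert_count() {
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    echo "${count:-0}"
}

# Succeeds when the private key's public half equals the certificate's public key, the same
# match that "show tls" confirms on the switch. An encrypted key's passphrase is read from
# the SC_KEY_PASS environment variable (hypothetical name) so it never appears on the command line.
key_matches_cert() {
    : "${SC_KEY_PASS:=}"; export SC_KEY_PASS
    key_pub=$(openssl pkey -in "$1" -passin env:SC_KEY_PASS -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Succeeds when the certificate has not yet expired.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# preflight PRIVKEY CERT CACERT: run every check, print findings, return 0 only if all pass.
preflight() {
    status=0
    kind=$(privkey_kind "$1")
    [ "$kind" != other ] || { echo "private key is not a PEM PKCS#8 key" >&2; status=1; }
    n=$(pem_cert_count "$2")
    [ "$n" -eq 1 ] || { echo "switch certificate file holds $n certificates, need exactly 1" >&2; status=1; }
    cas=$(pem_cert_count "$3")
    [ "$cas" -ge 1 ] || { echo "no CA certificate found in $3" >&2; status=1; }
    key_matches_cert "$1" "$2" || { echo "private key does not match the switch certificate" >&2; status=1; }
    cert_not_expired "$2" || { echo "switch certificate has expired" >&2; status=1; }
    [ "$status" -ne 0 ] || echo "key: $kind, switch cert: $n, CA certs: $cas; ready to paste"
    return "$status"
}
```

Run it as `preflight sc-privkey-pk8.pem sc-cert.pem ca-cert.pem`; a non-zero exit means one of the pastes in steps 1 to 3 would leave show tls reporting something other than "good".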