Since OpenFlow requires a certificate signed by the certificate authority (CA), the default certificate, which is self-signed, must be replaced.

If using a certificate generated by the switch, skip steps 2 and 3 below.


To change the default certificate for a secure OpenFlow connection:

  1. Import the certificate to be used (e.g., a certificate created by openssl outside the switch). Run: 

    switch (config) # crypto certificate name my-openflow public-cert pem "-----BEGIN CERTIFICATE-----
    > MIIDYzCCAksCCQC9EPbMuxjNBzANBgkqhkiG9w0BAQsFADBeMQswCQYDVQQGEwJJ
    ...
    > fEt2ui9taB1dl9480xDsGUxwUDX4YOs/bQDjp99z+cKXUe2eYzeEwnTdrCzPZuQo
    > -----END CERTIFICATE-----"
    Successfully installed certificate with name 'my-openflow'

    Alternatively, generate a new self-signed certificate on the switch CLI, export it as a CSR (certificate signing request), and send that CSR to the root CA for signing:

    switch (config) # crypto certificate name my-openflow generate self-signed
    Successfully generated certificate with name ' my-openflow'
    
    switch (config) # show crypto certificate name my-openflow csr-pem
    
    -----BEGIN CERTIFICATE REQUEST-----
    MIICuDCCAaACAQAwczELMAkGA1UEBhMCSVMxDDAKBgNVBAgMA1RCRDEMMAoGA1UE
    BwwDVEJEMQwwCgYDVQQKDANUQkQxDDAKBgNVBAsMA1RCRDEYMBYGA1UEAwwPYnVs
    bGRvZy1xcDEtMTMzMRIwEAYJKoZIhvcNAQkBFgNUQkQwggEiMA0GCSqGSIb3DQEB
    AQUAA4IBDwAwggEKAoIBAQC34xRVh9BaBUPIilV6kiSOAVAnOFgreWtEYoWeGpWJ
    XGZQBwewFx4TGptYo5fZ4KcnYcQxrcW7gYycQB9Y+9vUVvvPi3b4aYc2FkoNtnC3
    0BRTxEcIiwXY7LQxIA23Zuv/OlhjTkpe0+OYtpJSFeIDKMIX4Uy2BfevG06YLCAW
    tuju2FLQVkexayNK/HFLa5POpVt+16JLB1eV0bcC38Mq9JNIgPspJ7JIjo+BjzgD
    43iEY41hlRzoalu78nBBd0HbAddxCF1Uc+8PLuPLCIjGbV9ehPJNWSsA/T9jUEFU
    90KaI0/k05JqCXWnpvKz3opQraHsVAbsxG312pnmbTFNAgMBAAGgADANBgkqhkiG
    9w0BAQsFAAOCAQEAhpgZRNW/jleyhUbtGEr0CzdNbJ70V8w2lGr6bDhZgrQ/I4eO
    1K1D1hvfrVWYRB0SSPFmCmVmFmC7BQne8xrbL2It3ZdSKd82Ts36/Uxjtb63hyt3
    GBzCas7qypsbCVW42UHuD+259Yu5xpi9haspzD8Wg2ZKU5e6SjcH+JIchkM9mh/g
    BQJo4shybTgPfT+mFUCCygWmf5aLyQ9TrZpaUQ7cOk6BZB1RRkOVvA6uCfrwlBks
    X72LleceL4fP9dtML4VMzMMAf+wOUNxWP9+lqkKMaDhroDP5qlo/lr5BLSlRVet4
    z7zb3xSaPrhnefoGr88WFO74d9RxLPPdHcfMFw==
    -----END CERTIFICATE REQUEST-----
  2. Import the certificate's private key. Run: 

    switch (config) # crypto certificate name my-openflow private-key pem "-----BEGIN RSA PRIVATE KEY-----
    > MIIEpAIBAAKCAQEAypJnZkwbhmt71Kf/MO6cy7QmWWHhCozzWRwuWGKse+MxSmfC
    ...
    > QAuPOVR1lSyIEnYU+X0rMHc/9tgUh/8C7mBKwj7dccMmnRWz2djsjg==
    > -----END RSA PRIVATE KEY-----"
  3. Designate “my-openflow” as the global default certificate for authentication of this system to clients. Run: 

    switch (config) # crypto certificate default-cert name my-openflow
  4. Import the certificate of the CA that signed the controller's certificate. Run: 

    switch (config) # crypto certificate name rootCA public-cert pem "-----BEGIN CERTIFICATE-----
    > MIIDjzCCAnegAwIBAgIJALVou4mcQtxlMA0GCSqGSIb3DQEBCwUAMF4xCzAJBgNV
    ...
    > +ZfQIOCFS8gY4BDq73W4ugr38mqIA8UXXAMPwgjCbk4NyOh0rJ1P6WT8fYzvunct
    > -----END CERTIFICATE-----"
    Successfully installed certificate with name 'rootCA'
  5. Add “rootCA” to the default CA certificate list. Run: 

    switch (config) # crypto certificate ca-list default-ca-list name rootCA
  6. Save configuration. Run: 

    switch (config) # configuration write
  7. Reboot the switch. Run: 

    switch (config) # reload
  8. Verify configuration. Run: 

    switch (config) # show crypto certificate
    Certificate with name 'system-self-signed'
        Comment:                       system-generated self-signed certificate
        Private Key:                   present
        Serial Number:                 0x543e2efc3a5ecdbe18b5b5e744598424
        SHA-1 Fingerprint:             14e1d36035c7a5fea9f7f0f423572c9954cb9fac
    
        Validity:
            Starts:                    2016/09/12 12:44:10
            Expires:                   2017/09/12 12:44:10
    
        Subject: 
            Common Name:               switch
            Country:                   IS
            State or Province:         TBD
            Locality:                  TBD
            Organization:              TBD
            Organizational Unit:       TBD
            E-mail Address:            TBD
    
        Issuer: 
            Common Name:               switch
            Country:                   IS
            State or Province:         TBD
            Locality:                  TBD
            Organization:              TBD
            Organizational Unit:       TBD
            E-mail Address:            TBD
    
    Certificate with name 'my-openflow' (default-cert)
        Private Key:                   present
        Serial Number:                 0xbd10f6ccbb18cd07
        SHA-1 Fingerprint:             1e0e3302182ab56f2cbd3ca21722dec55299d670
    
        Validity:
            Starts:                    2016/09/12 15:16:48
            Expires:                   2018/01/25 14:16:48
    
        Subject: 
            Common Name:               switch
            Country:                   *
            State or Province:         Some-State
            Locality:                  *
            Organization:              Mlnx
            Organizational Unit:       e2e
            E-mail Address:            none@nowhere.com
    
        Issuer: 
            Common Name:               ca
            Country:                   *
            State or Province:         Some-State
            Locality:                  *
            Organization:              Mlnx
            Organizational Unit:       e2e
    
    Certificate with name 'rootCA'
        Private Key:                   not present
        Serial Number:                 0xb568bb899c42dc65
        SHA-1 Fingerprint:             9855536f6ee0177356ffbdc54ffe803bc83fb4c6
    
        Validity:
            Starts:                    2016/09/08 10:34:23
            Expires:                   2019/06/29 10:34:23
    
        Subject: 
            Common Name:               ca
            Country:                   *
            State or Province:         Some-State
            Locality:                  *
            Organization:              Mlnx
            Organizational Unit:       e2e
    
        Issuer: 
            Common Name:               ca
            Country:                   *
            State or Province:         Some-State
            Locality:                  *
            Organization:              Mlnx
            Organizational Unit:       e2e
  9. Configure the secure (TLS) connection to the controller IP. Run: 

    switch (config) # controller-ip 10.10.10.10 tls
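As an added example (not part of this page or of the switch software), the following Python script parses the `show crypto certificate` output of step 8 and checks what the procedure is meant to establish: the default certificate has its private key on the switch, its Issuer matches the Subject of the imported rootCA, and both certificates are inside their validity period at a given time. The sample output is constructed in the page's output format and trimmed to the fields used; nothing here talks to the switch.

```python
import re

# Constructed sample in the format of the step-8 'show crypto certificate' output, trimmed to the fields used here.
SAMPLE = """\
Certificate with name 'my-openflow' (default-cert)
    Private Key:                   present
    Validity:
        Starts:                    2016/09/12 15:16:48
        Expires:                   2018/01/25 14:16:48
    Subject:
        Common Name:               switch
    Issuer:
        Common Name:               ca
Certificate with name 'rootCA'
    Private Key:                   not present
    Validity:
        Starts:                    2016/09/08 10:34:23
        Expires:                   2019/06/29 10:34:23
    Subject:
        Common Name:               ca
"""

def parse_show_crypto(text):
    """Return {name: {"default": bool, "Subject": {...}, "Issuer": {...}, <flat field>: value}}."""
    certs, cur, section = {}, None, None
    for line in text.splitlines():
        m = re.match(r"Certificate with name '([^']+)'( \(default-cert\))?", line.strip())
        if m:
            cur = certs[m.group(1)] = {"default": bool(m.group(2)), "Subject": {}, "Issuer": {}}
            section = None
        elif cur:
            key, _, val = (s.strip() for s in line.strip().partition(":"))
            if key in ("Subject", "Issuer", "Validity"):
                section = key
            elif key and section in ("Subject", "Issuer"):
                cur[section][key] = val
            elif key:
                cur[key] = val  # flat fields: Private Key, Starts, Expires, ...
    return certs

def check_chain(certs, leaf, ca, now):
    """List what is wrong with the leaf/CA pairing the switch reports; [] means it looks right."""
    lf, root = certs.get(leaf), certs.get(ca)
    if lf is None or root is None:
        return ["missing certificate: " + (leaf if lf is None else ca)]
    checks = [  # timestamps are 'YYYY/MM/DD HH:MM:SS', so plain string comparison orders them correctly
        (lf["default"], f"{leaf} is not marked (default-cert)"),
        (lf.get("Private Key") == "present", f"{leaf} has no private key on the switch"),
        (lf["Issuer"] == root["Subject"], f"{leaf} issuer DN does not match {ca} subject DN"),
    ] + [(c["Starts"] <= now <= c["Expires"], f"{n} is not valid at {now}") for n, c in ((leaf, lf), (ca, root))]
    return [msg for ok, msg in checks if not ok]
```

Paste the real output of `show crypto certificate` in place of the sample to run the same checks against your own switch.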