Certificates Management

NVOS includes a self-signed certificate and private key to use on the server so that it works out of the box. The switch generates the self-signed certificate and private key when it boots for the first time. The X.509 certificate with the public key is in /etc/ssl/certs/nvue.pem and the corresponding private key is in /etc/ssl/private/nvue.key.

NVIDIA recommends you use your own certificates and keys.

NVOS lets you manage CA certificates (such as DigiCert or Verisign) and entity (end-point) certificates. Both a CA certificate and an entity certificate can contain a chain of certificates.

The CA certificates can be also addressed as trust bundles, which means that CA certs can also include intermediate certificates.

You can import certificates onto the switch (fetch certificates from an external source), set which certificate you want to use for the NVUE REST API, gNMI, NMX, and show information about a certificate, such as the serial number, and the date and time during which the certificate is valid.

• A maximum of 25 entity certificates and a maximum of 25 CA certificates can be imported

  • A single CA certificate entry may contain up to 100 PEM strings and may also include intermediate certificates.

• The imported server/entity certificate contains sensitive private key information. NVIDIA recommends that you use a secure transport such as SFTP, SCP, or HTTPS.

• To import an entity certificate, run an nv action import system security certificate command.

• To import a CA certificate, run an nv action import system security ca-certificate command.

If the certificate is passphrase protected, the passphrase to be included.

You must provide a certificate ID (<cert-id>) to uniquely identify the certificate you import.

CA Certificate

The following example imports a CA certificate with a public key and calls the certificate tls-cert-1. The public key is a Base64 ASCII encoded PEM string.

            

            
nvos@switch:~$ nv action import system security ca-certificate tls-cert-1 data """-----BEGIN CERTIFICATE----- TODO  ----END CERTIFICATE-----"""
        

The following example imports a CA certificate with a public key and calls the certificate tls-cert-1 with URI scp://user@pass:1.2.3.4:/opt/certs/ca-cert.crt.

            

            
nvos@switch:~$ nv action import system security ca-certificate tls-cert-1 uri scp://user@pass:1.2.3.4:/opt/certs/ca-cert.crt
        

The following example imports a CA certificate with a public key and calls the certificate tls-cert-1 with URI scp://user@pass:1.2.3.4:/opt/certs/ca-cert.crt. External makes CA certificate standalone, which means certificate is not attached to common system CA certificates bundle in /etc/ssl/certs/ca-certificates.crt.

            

            
nvos@switch:~$ nv action import system security ca-certificate tls-cert-1 uri scp://user@pass:1.2.3.4:/opt/certs/ca-cert.crt external
        

Import Certificate

The following example imports an entity certificate bundle (public + private key) and calls the certificate tls-cert-1. The certificate bundle is passphrase protected with mypassphrase.

A certificate bundle must be in .P12 format.

            

            
nvos@switch:~$ nv action import system security certificate tls-cert-1 passphrase mypassphrase uri-bundle scp://user@pass:1.2.3.4:/opt/certs/cert.p12 
        

The following example imports an entity certificate bundle and calls the certificate tls-cert-local. The certificate is located on top of the local machine under /home/admin path

            

            
nv action import system security certificate tls-cert-local uri-public-key file://127.0.0.1/home/admin/cert.crt uri-private-key file://127.0.0.1/home/admin/cert.key
        

The following example imports an entity certificate with the public key URI scp://user@pass:1.2.3.4 and private key URI scp://user@pass:1.2.3.4, and calls the certificate tls-cert-1. The certificate is not passphrase protected.

            

            
nvos@switch:~$ nv action import system security certificate tls-cert-1 uri-public-key scp://user@pass:1.2.3.4 uri-private-key scp://user@pass:1.2.3.4
        

You can configure the NVUE REST API to use a specific certificate.

The following example configures the API to use the certificate tls-cert-1:

            

            
nvos@switch:~$ nv set system api certificate tls-cert-1
 
nvos@switch:~$ nv config apply
        

The following example configures the API to use the self-signed certificate:

            

            
nvos@switch:~$ nv set system api certificate self-signed
 
nvos@switch:~$ nv config apply
        

To unset the certificate to use with the NVUE REST API:

            

            
nvos@switch:~$ nv unset system api certificate tls-cert-1
        

You can configure the GNMI to use a specific certificate.

The following example configures the API to use the certificate tls-cert-1:

            

            
nvos@switch:~$ nv set system gnmi-server certificate tls-cert-1
 
nvos@switch:~$ nv config apply
        

The following example configures the API to use the self-signed certificate:

            

            
nvos@switch:~$ nv set system gnmi-server certificate self-signed
 
nvos@switch:~$ nv config apply
        

To unset the certificate to use with the NVUE REST API:

            

            
nvos@switch:~$ nv unset system gnmi-server certificate tls-cert-1
        

• To delete an entity certificate and the key data stored on the switch, run the nv action delete system security certificate command.

• To delete a CA certificate and the key data stored on the switch, run the nv action delete system security ca-certificate command.

The following command deletes the certificate tls-cert-1:

            

            
nvos@switch:~$ nv action delete system security certificate tls-cert-1
        

• To show all the entity certificates on the switch, run the nv show system security certificate command.

• To show all the CA certificates on the switch, run the nv show system security ca-certificate command.

The following example shows all the entity certificates on the switch:

            

            
nvos@switch:~$ nv show system security certificate
        

• To show the applications that are using a specific entity certificate, run the nv show system security certificate installed command.

• To show the applications that are using a specific CA certificate, run the nv show system security ca-certificate installed command.

The following example shows the applications that are using a specific entity certificate.

            

            
nvos@switch:~$ nv show system security certificate tls-cert-1 installed
        

• To show detailed information about a specific entity certificate, run the nv show system security certificate dump command.

• To show detailed information about a specific CA certificate, run the nv show system security ca-certificate dump command.

The following example shows detailed information about the CA certificate tls-cert-1:

            

            
nvos@switch:~$ nv show system security ca-certificate tls-cert-1 dump
        

• Certificate Management Commands