NVIDIA NVOS User Manual for NVLink Switches v25.02.1884

Certificates Management

NVOS includes a self-signed certificate and private key to use on the server so that it works out of the box. The switch generates the self-signed certificate and private key when it boots for the first time. The X.509 certificate with the public key is in /etc/ssl/certs/nvue.pem and the corresponding private key is in /etc/ssl/private/nvue.key.

NVIDIA recommends you use your own certificates and keys.

NVOS lets you manage CA certificates (such as DigiCert or Verisign) and entity (end-point) certificates. Both a CA certificate and an entity certificate can contain a chain of certificates.

CA certificates can also be referred to as trust bundles, which means that a CA certificate entry can also include intermediate certificates.

You can import certificates onto the switch (fetch certificates from an external source), set which certificate to use for the NVUE REST API, gNMI, and NMX, and show information about a certificate, such as the serial number and the date and time during which the certificate is valid.

  • A maximum of 25 entity certificates and a maximum of 25 CA certificates can be imported

    • A single CA certificate entry may contain up to 100 PEM strings and may also include intermediate certificates.

  • The imported server/entity certificate contains sensitive private key information. NVIDIA recommends that you use a secure transport such as SFTP, SCP, or HTTPS.

  • To import an entity certificate, run an nv action import system security certificate command.

  • To import a CA certificate, run an nv action import system security ca-certificate command.

If the certificate is passphrase protected, you must include the passphrase.

You must provide a certificate ID (<cert-id>) to uniquely identify the certificate you import.

CA Certificate

The following example imports a CA certificate with a public key and calls the certificate tls-cert-1. The public key is a Base64 ASCII encoded PEM string.

nvos@switch:~$ nv action import system security ca-certificate tls-cert-1 data """-----BEGIN CERTIFICATE----- TODO -----END CERTIFICATE-----"""

The following example imports a CA certificate with a public key and calls the certificate tls-cert-1 with URI scp://user@pass:1.2.3.4:/opt/certs/ca-cert.crt.

nvos@switch:~$ nv action import system security ca-certificate tls-cert-1 uri scp://user@pass:1.2.3.4:/opt/certs/ca-cert.crt

The following example imports a CA certificate with a public key and calls the certificate tls-cert-1 with URI scp://user@pass:1.2.3.4:/opt/certs/ca-cert.crt. The external option makes the CA certificate standalone, which means the certificate is not attached to the common system CA certificate bundle in /etc/ssl/certs/ca-certificates.crt.

nvos@switch:~$ nv action import system security ca-certificate tls-cert-1 uri scp://user@pass:1.2.3.4:/opt/certs/ca-cert.crt external
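
A pre-import check for a CA trust bundle, as an added example that is not part of the NVIDIA manual: it enforces the limit of 100 PEM strings per CA certificate entry stated above, flags private key material and damaged BEGIN/END markers, and confirms each body decodes to DER. The function name check_ca_bundle and the sample data are assumptions made for this example; it is meant to run on a workstation before the import, not on the switch.

```python
import base64
import re

MAX_PEM_PER_CA_ENTRY = 100  # per-entry limit stated on this page

# A well-formed PEM block: captures the label and the base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)
# Any BEGIN/END marker, whatever its dash count.
MARKER = re.compile(r"-+(?:BEGIN|END) [A-Z0-9 ]+-+")

# Constructed sample: a tiny DER SEQUENCE standing in for a certificate body.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"


def check_ca_bundle(text, max_pem=MAX_PEM_PER_CA_ENTRY):
    """Return a list of problems in a PEM trust bundle; an empty list means OK."""
    problems = []
    blocks = PEM_BLOCK.findall(text)
    certs = [body for label, body in blocks if label == "CERTIFICATE"]

    # A trust bundle holds public certificates only, never key material.
    for label, _ in blocks:
        if "PRIVATE KEY" in label:
            problems.append(f"contains private key material: {label}")

    # Each block accounts for two markers; a leftover marker did not pair up.
    if len(MARKER.findall(text)) != 2 * len(blocks):
        problems.append("unbalanced or malformed BEGIN/END marker")

    if not certs:
        problems.append("no CERTIFICATE block found")
    if len(certs) > max_pem:
        problems.append(f"{len(certs)} certificates exceeds limit of {max_pem}")

    for i, body in enumerate(certs, 1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"certificate {i}: body is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # X.509 DER begins with an ASN.1 SEQUENCE
            problems.append(f"certificate {i}: not a DER SEQUENCE")
    return problems


if __name__ == "__main__":
    print(check_ca_bundle(SAMPLE_CERT) or "bundle OK")
```

An empty result means only that the file is structurally fit to import; it does not validate signatures, expiry, or the chain itself.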


Import Certificate

The following example imports an entity certificate bundle (public + private key) and calls the certificate tls-cert-1. The certificate bundle is passphrase protected with mypassphrase.

A certificate bundle must be in .P12 format.

nvos@switch:~$ nv action import system security certificate tls-cert-1 passphrase mypassphrase uri-bundle scp://user@pass:1.2.3.4:/opt/certs/cert.p12 

The following example imports an entity certificate bundle and calls the certificate tls-cert-local. The certificate is located on the local machine under the /home/admin path.

nv action import system security certificate tls-cert-local uri-public-key file://127.0.0.1/home/admin/cert.crt uri-private-key file://127.0.0.1/home/admin/cert.key

The following example imports an entity certificate with the public key URI scp://user@pass:1.2.3.4 and private key URI scp://user@pass:1.2.3.4, and calls the certificate tls-cert-1. The certificate is not passphrase protected.

nvos@switch:~$ nv action import system security certificate tls-cert-1 uri-public-key scp://user@pass:1.2.3.4 uri-private-key scp://user@pass:1.2.3.4


You can configure the NVUE REST API to use a specific certificate.

The following example configures the API to use the certificate tls-cert-1:

nvos@switch:~$ nv set system api certificate tls-cert-1
nvos@switch:~$ nv config apply

The following example configures the API to use the self-signed certificate:

nvos@switch:~$ nv set system api certificate self-signed
nvos@switch:~$ nv config apply

To unset the certificate to use with the NVUE REST API:

nvos@switch:~$ nv unset system api certificate tls-cert-1

You can configure gNMI to use a specific certificate.

The following example configures the gNMI server to use the certificate tls-cert-1:

nvos@switch:~$ nv set system gnmi-server certificate tls-cert-1
nvos@switch:~$ nv config apply

The following example configures the gNMI server to use the self-signed certificate:

nvos@switch:~$ nv set system gnmi-server certificate self-signed
nvos@switch:~$ nv config apply

To unset the certificate to use with gNMI:

nvos@switch:~$ nv unset system gnmi-server certificate tls-cert-1

The following command deletes the certificate tls-cert-1:

nvos@switch:~$ nv action delete system security certificate tls-cert-1

The following example shows all the entity certificates on the switch:

nvos@switch:~$ nv show system security certificate

The following example shows the applications that are using a specific entity certificate.

nvos@switch:~$ nv show system security certificate tls-cert-1 installed

The following example shows detailed information about the CA certificate tls-cert-1:

nvos@switch:~$ nv show system security ca-certificate tls-cert-1 dump

© Copyright 2025, NVIDIA. Last updated on Mar 3, 2025.