Certificates Management
NVOS includes a self-signed certificate and private key to use on the server so that it works out of the box. The switch generates the self-signed certificate and private key when it boots for the first time. The X.509 certificate with the public key is in /etc/ssl/certs/nvue.pem and the corresponding private key is in /etc/ssl/private/nvue.key.
NVIDIA recommends you use your own certificates and keys.
NVOS lets you manage CA certificates (such as DigiCert or Verisign) and entity (end-point) certificates. Both a CA certificate and an entity certificate can contain a chain of certificates.
CA certificates can also be treated as trust bundles, which means that a CA certificate entry can also include intermediate certificates.
You can import certificates onto the switch (fetch certificates from an external source), set which certificate you want to use for the NVUE REST API, gNMI, and NMX, and show information about a certificate, such as the serial number and the date and time range during which the certificate is valid.
You can import a maximum of 25 entity certificates and a maximum of 25 CA certificates.
A single CA certificate entry can contain up to 100 PEM strings and can also include intermediate certificates.
The imported server/entity certificate contains sensitive private key information. NVIDIA recommends that you use a secure transport such as SFTP, SCP, or HTTPS.
To import an entity certificate, run the nv action import system security certificate command. To import a CA certificate, run the nv action import system security ca-certificate command.
If the certificate is passphrase protected, you must include the passphrase.
You must provide a certificate ID (<cert-id>) to uniquely identify the certificate you import.
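Before running the import commands, it helps to inspect a PEM bundle offline: the switch enforces the limits above (100 PEM strings per CA certificate entry), and the serial number and validity dates only become visible on the switch after the import. The following Python script is an added example, not NVOS or NVUE code. It splits a PEM bundle, decodes enough of each certificate's DER structure to read the serial number and validity window, and refuses a bundle that exceeds the limit or contains a certificate that is not currently valid. The sample bundle it checks is constructed inside the script (an unsigned skeleton with the TBSCertificate layout), so it runs without a real certificate or the openssl tool; the function names and the sample values are the example's own.

```python
"""Offline pre-flight check of a PEM certificate bundle before import.

Added example, not NVOS code. The DER parser is deliberately minimal: it reads
only the fields needed to report serial number and validity of each X.509
certificate, which is the information the switch shows after an import.
"""
import base64
import re
from datetime import datetime, timezone

MAX_PEM_PER_CA_ENTRY = 100  # documented limit for a single CA certificate entry

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        raise ValueError("no PEM CERTIFICATE blocks found")
    return [base64.b64decode("".join(b.split())) for b in blocks]


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into a UTC datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def cert_summary(der):
    """Return serial number (hex) and validity window of one DER certificate."""
    _, cert, _ = _tlv(der, 0)             # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)             # tbsCertificate ::= SEQUENCE
    tag, val, pos = _tlv(tbs, 0)
    if tag == 0xA0:                       # optional [0] EXPLICIT version
        tag, val, pos = _tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    serial = val.hex()
    _, _, pos = _tlv(tbs, pos)            # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)            # issuer Name
    _, validity, _ = _tlv(tbs, pos)       # validity SEQUENCE { notBefore, notAfter }
    t1, nb, p = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, p)
    return {"serial": serial,
            "not_before": _parse_time(t1, nb),
            "not_after": _parse_time(t2, na)}


def check_bundle(text, now=None):
    """Parse every certificate, enforce the PEM-count limit, flag validity."""
    ders = split_pem(text)
    if len(ders) > MAX_PEM_PER_CA_ENTRY:
        raise ValueError(f"{len(ders)} PEM strings exceed the limit of {MAX_PEM_PER_CA_ENTRY}")
    now = now or datetime.now(timezone.utc)
    results = []
    for der in ders:
        info = cert_summary(der)
        info["valid_now"] = info["not_before"] <= now <= info["not_after"]
        results.append(info)
    return results


def bundle_is_importable(text, now=None):
    """Return (ok, reason): ok only if the bundle parses and every cert is valid."""
    try:
        results = check_bundle(text, now)
    except ValueError as exc:
        return False, str(exc)
    if not all(r["valid_now"] for r in results):
        return False, "bundle contains a certificate that is not currently valid"
    return True, f"{len(results)} certificate(s) parsed"


# --- constructed sample data (test skeletons, not real certificates) ---------

def _der(tag, payload):
    """Encode one DER TLV, short or long length form."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def make_test_cert_pem(serial, not_before, not_after):
    """Build an unsigned certificate skeleton with the TBSCertificate layout.

    Constructed for exercising the parser only: no key, no real signature,
    empty issuer, so it cannot be imported or trusted anywhere.
    """
    version = _der(0xA0, _der(0x02, b"\x02"))                               # v3
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, not_before) + _der(0x17, not_after))  # UTCTime
    tbs = _der(0x30, version + _der(0x02, serial) + alg + _der(0x30, b"") + validity)
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed bundle: one certificate valid during 2024, one expired in 2021.
SAMPLE_BUNDLE = (make_test_cert_pem(b"\x01\x02\x03", b"240101000000Z", b"250101000000Z")
                 + make_test_cert_pem(b"\x7f", b"200101000000Z", b"210101000000Z"))
NOW_FOR_SAMPLE = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for info in check_bundle(SAMPLE_BUNDLE, NOW_FOR_SAMPLE):
        print(info["serial"], info["not_before"], info["not_after"], info["valid_now"])
    print(bundle_is_importable(SAMPLE_BUNDLE, NOW_FOR_SAMPLE))
```

Point `check_bundle` at the text of a real ca-cert.crt to see the serial numbers and validity dates before fetching the file with the uri form of the import command; an expired intermediate in a trust bundle is the kind of defect that is cheaper to catch here than after the switch has installed it.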
CA Certificate
The following example imports a CA certificate with a public key and calls the certificate tls-cert-1. The public key is a Base64 ASCII encoded PEM string.
nvos@switch:~$ nv action import system security ca-certificate tls-cert-1 data "-----BEGIN CERTIFICATE----- TODO -----END CERTIFICATE-----"
The following example imports a CA certificate with a public key from the URI scp://user@pass:1.2.3.4:/opt/certs/ca-cert.crt and calls the certificate tls-cert-1.
nvos@switch:~$ nv action import system security ca-certificate tls-cert-1 uri scp://user@pass:1.2.3.4:/opt/certs/ca-cert.crt
The following example imports a CA certificate with a public key from the URI scp://user@pass:1.2.3.4:/opt/certs/ca-cert.crt and calls the certificate tls-cert-1. The external keyword makes the CA certificate standalone, which means the certificate is not appended to the common system CA certificate bundle in /etc/ssl/certs/ca-certificates.crt.
nvos@switch:~$ nv action import system security ca-certificate tls-cert-1 uri scp://user@pass:1.2.3.4:/opt/certs/ca-cert.crt external
Import Certificate
The following example imports an entity certificate bundle (public + private key) and calls the certificate tls-cert-1. The certificate bundle is passphrase protected with mypassphrase.
A certificate bundle must be in .P12 format.
nvos@switch:~$ nv action import system security certificate tls-cert-1 passphrase mypassphrase uri-bundle scp://user@pass:1.2.3.4:/opt/certs/cert.p12
The following example imports an entity certificate and calls the certificate tls-cert-local. The certificate and key files are on the local machine under the /home/admin path.
nvos@switch:~$ nv action import system security certificate tls-cert-local uri-public-key file://127.0.0.1/home/admin/cert.crt uri-private-key file://127.0.0.1/home/admin/cert.key
The following example imports an entity certificate with the public key URI scp://user@pass:1.2.3.4 and the private key URI scp://user@pass:1.2.3.4, and calls the certificate tls-cert-1. The certificate is not passphrase protected.
nvos@switch:~$ nv action import system security certificate tls-cert-1 uri-public-key scp://user@pass:1.2.3.4 uri-private-key scp://user@pass:1.2.3.4
You can configure the NVUE REST API to use a specific certificate.
The following example configures the API to use the certificate tls-cert-1:
nvos@switch:~$ nv set system api certificate tls-cert-1
nvos@switch:~$ nv config apply
The following example configures the API to use the self-signed certificate:
nvos@switch:~$ nv set system api certificate self-signed
nvos@switch:~$ nv config apply
To unset the certificate to use with the NVUE REST API:
nvos@switch:~$ nv unset system api certificate tls-cert-1
You can configure the gNMI server to use a specific certificate.
The following example configures the gNMI server to use the certificate tls-cert-1:
nvos@switch:~$ nv set system gnmi-server certificate tls-cert-1
nvos@switch:~$ nv config apply
The following example configures the gNMI server to use the self-signed certificate:
nvos@switch:~$ nv set system gnmi-server certificate self-signed
nvos@switch:~$ nv config apply
To unset the certificate to use with the gNMI server:
nvos@switch:~$ nv unset system gnmi-server certificate tls-cert-1
To delete an entity certificate and the key data stored on the switch, run the nv action delete system security certificate command. To delete a CA certificate and the key data stored on the switch, run the nv action delete system security ca-certificate command.
The following command deletes the certificate tls-cert-1:
nvos@switch:~$ nv action delete system security certificate tls-cert-1
To show all the entity certificates on the switch, run the nv show system security certificate command.
To show all the CA certificates on the switch, run the nv show system security ca-certificate command.
The following example shows all the entity certificates on the switch:
nvos@switch:~$ nv show system security certificate
To show the applications that are using a specific entity certificate, run the nv show system security certificate <cert-id> installed command. To show the applications that are using a specific CA certificate, run the nv show system security ca-certificate <cert-id> installed command.
The following example shows the applications that are using the entity certificate tls-cert-1:
nvos@switch:~$ nv show system security certificate tls-cert-1 installed
To show detailed information about a specific entity certificate, run the nv show system security certificate <cert-id> dump command. To show detailed information about a specific CA certificate, run the nv show system security ca-certificate <cert-id> dump command.
The following example shows detailed information about the CA certificate tls-cert-1:
nvos@switch:~$ nv show system security ca-certificate tls-cert-1 dump