Since OpenFlow requires a certificate signed by a certificate authority (CA), the default certificate, which is self-signed, must be replaced.

If using a certificate generated by the switch, skip steps 2 and 3 below.

To change the default certificate for a secure OpenFlow connection:

  1. Import the certificate to be used (e.g., a certificate created by openssl outside the switch). Run:

    switch (config) # crypto certificate name my-openflow public-cert pem "-----BEGIN CERTIFICATE-----
> MIIDYzCCAksCCQC9EPbMuxjNBzANBgkqhkiG9w0BAQsFADBeMQswCQYDVQQGEwJJ
...
> fEt2ui9taB1dl9480xDsGUxwUDX4YOs/bQDjp99z+cKXUe2eYzeEwnTdrCzPZuQo
> -----END CERTIFICATE-----"
Successfully installed certificate with name 'my-openflow'

    Alternatively, generate a new self-signed certificate from the switch CLI, export it as a CSR (certificate signing request), and send that CSR to the root CA for signing:

    switch (config) # crypto certificate name my-openflow generate self-signed
Successfully generated certificate with name ' my-openflow'
 
switch (config) # show crypto certificate name my-openflow csr-pem
 
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

  2. Import the private key of the certificate. Run:

    switch (config) # crypto certificate name my-openflow private-key pem "-----BEGIN RSA PRIVATE KEY-----
> MIIEpAIBAAKCAQEAypJnZkwbhmt71Kf/MO6cy7QmWWHhCozzWRwuWGKse+MxSmfC
...
> QAuPOVR1lSyIEnYU+X0rMHc/9tgUh/8C7mBKwj7dccMmnRWz2djsjg==
> -----END RSA PRIVATE KEY-----"

  3. Designate “my-openflow” as the global default certificate for authentication of this system to clients. Run:

    switch (config) # crypto certificate default-cert name my-openflow

  4. Import the certificate of the CA that signed the controller's certificate. Run:

    switch (config) # crypto certificate name rootCA public-cert pem "-----BEGIN CERTIFICATE-----
> MIIDjzCCAnegAwIBAgIJALVou4mcQtxlMA0GCSqGSIb3DQEBCwUAMF4xCzAJBgNV
...
> +ZfQIOCFS8gY4BDq73W4ugr38mqIA8UXXAMPwgjCbk4NyOh0rJ1P6WT8fYzvunct
> -----END CERTIFICATE-----"
Successfully installed certificate with name 'rootCA'

  5. Add “rootCA” to the default CA certificate list. Run:

    switch (config) # crypto certificate ca-list default-ca-list name rootCA

  6. Save configuration. Run:

    switch (config) # configuration write

  7. Reboot the switch. Run:

    switch (config) # reload

  8. Verify configuration. Run:

    switch (config) # show crypto certificate
Certificate with name 'system-self-signed'
    Comment:                       system-generated self-signed certificate
    Private Key:                   present
    Serial Number:                 0x543e2efc3a5ecdbe18b5b5e744598424
    SHA-1 Fingerprint:             14e1d36035c7a5fea9f7f0f423572c9954cb9fac
 
    Validity:
        Starts:                    2016/09/12 12:44:10
        Expires:                   2017/09/12 12:44:10
 
    Subject: 
        Common Name:               switch
        Country:                   IS
        State or Province:         TBD
        Locality:                  TBD
        Organization:              TBD
        Organizational Unit:       TBD
        E-mail Address:            TBD
 
    Issuer: 
        Common Name:               switch
        Country:                   IS
        State or Province:         TBD
        Locality:                  TBD
        Organization:              TBD
        Organizational Unit:       TBD
        E-mail Address:            TBD
 
Certificate with name 'my-openflow' (default-cert)
    Private Key:                   present
    Serial Number:                 0xbd10f6ccbb18cd07
    SHA-1 Fingerprint:             1e0e3302182ab56f2cbd3ca21722dec55299d670
 
    Validity:
        Starts:                    2016/09/12 15:16:48
        Expires:                   2018/01/25 14:16:48
 
    Subject: 
        Common Name:               switch
        Country:                   *
        State or Province:         Some-State
        Locality:                  *
        Organization:              Mlnx
        Organizational Unit:       e2e
        E-mail Address:            none@nowhere.com
 
    Issuer: 
        Common Name:               ca
        Country:                   *
        State or Province:         Some-State
        Locality:                  *
        Organization:              Mlnx
        Organizational Unit:       e2e
 
Certificate with name 'rootCA'
    Private Key:                   not present
    Serial Number:                 0xb568bb899c42dc65
    SHA-1 Fingerprint:             9855536f6ee0177356ffbdc54ffe803bc83fb4c6
 
    Validity:
        Starts:                    2016/09/08 10:34:23
        Expires:                   2019/06/29 10:34:23
 
    Subject: 
        Common Name:               ca
        Country:                   *
        State or Province:         Some-State
        Locality:                  *
        Organization:              Mlnx
        Organizational Unit:       e2e
 
    Issuer: 
        Common Name:               ca
        Country:                   *
        State or Province:         Some-State
        Locality:                  *
        Organization:              Mlnx
        Organizational Unit:       e2e

  9. Configure a secure (TLS) connection to the controller IP. Run:

    switch (config) # controller-ip 10.10.10.10 tls
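As an added check that is not part of the original documentation, the following Python script (standard library only) computes the SHA-1 fingerprint of the PEM you intend to import and compares it with what `show crypto certificate` reports after the reload; it also confirms that the CA-signed certificate is the default-cert and still valid, and that only the public part of rootCA is on the switch. The sample PEM and the sample `show` output are constructed for the demonstration, not taken from a real switch.

```python
import base64, hashlib, re
NAME_RE = re.compile(r"\s*Certificate with name '([^']+)'(.*)")
FIELD_RE = re.compile(r"\s*(SHA-1 Fingerprint|Private Key|Expires):\s+(\S.*)")
# Constructed sample (not a real switch): PEM body is base64("abc"), so the listed fingerprint is SHA-1("abc").
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
SAMPLE_SHOW = """Certificate with name 'my-openflow' (default-cert)
    Private Key:                   present
    SHA-1 Fingerprint:             a9993e364706816aba3e25717850c26c9cd0d89d
        Expires:                   2018/01/25 14:16:48
Certificate with name 'rootCA'
    Private Key:                   not present
"""

def pem_fingerprint(pem_text, label="CERTIFICATE"):
    """SHA-1 over the DER inside the first PEM block with `label` (the switch's 'SHA-1 Fingerprint')."""
    m = re.search(r"-----BEGIN %s-----(.*?)-----END %s-----" % (label, label), pem_text, re.S)
    if not m:
        raise ValueError("no %s block found" % label)
    return hashlib.sha1(base64.b64decode("".join(m.group(1).split()))).hexdigest()

def parse_show_crypto(output):
    """Map certificate name -> selected fields of 'show crypto certificate' output."""
    certs, cur = {}, None
    for line in output.splitlines():
        m = NAME_RE.match(line)
        if m:  # a header line starts a new certificate record
            cur = certs.setdefault(m.group(1), {"default": "(default-cert)" in m.group(2)})
        elif cur is not None and (m := FIELD_RE.match(line)):
            cur[m.group(1)] = m.group(2).strip()
    return certs

def check_openflow_certs(output, cert_name, local_pem, ca_name, now):
    """List mismatches between intent and switch state (empty = OK); `now` is in the switch's
    zero-padded 'YYYY/MM/DD HH:MM:SS' format, so plain string comparison orders it correctly."""
    certs, problems = parse_show_crypto(output), []
    c = certs.get(cert_name)
    if c is None:
        return ["certificate '%s' is not installed" % cert_name]
    if not c["default"]:
        problems.append("'%s' is not the default-cert" % cert_name)
    if c.get("SHA-1 Fingerprint") != pem_fingerprint(local_pem):
        problems.append("fingerprint of '%s' differs from the local PEM" % cert_name)
    if c.get("Expires", "") <= now:  # a missing Expires field counts as expired
        problems.append("'%s' has expired" % cert_name)
    ca = certs.get(ca_name)
    if ca is None:
        problems.append("CA certificate '%s' is not installed" % ca_name)
    elif ca.get("Private Key") == "present":
        problems.append("CA '%s' private key is on the switch; only its public cert belongs there" % ca_name)
    return problems
```

Run it with the real PEM file and the pasted `show crypto certificate` output; an empty list means the switch holds exactly the certificate you imported.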

