NVIDIA NVOS User Manual for InfiniBand Switches v25.02.2002

Certificates Management

NVOS includes a self-signed certificate and private key to use on the server so that it works out of the box. The switch generates the self-signed certificate and private key when it boots for the first time. The X.509 certificate with the public key is in /etc/ssl/certs/nvue.pem and the corresponding private key is in /etc/ssl/private/nvue.key.

NVIDIA recommends you use your own certificates and keys.

NVOS lets you manage CA certificates (such as DigiCert or Verisign) and entity (end-point) certificates. Both a CA certificate and an entity certificate can contain a chain of certificates.

You can import certificates onto the switch (fetch certificates from an external source), set which certificate you want to use for the NVUE REST API, and show information about a certificate, such as the serial number and the dates and times between which the certificate is valid.

Import a Certificate

  • You can import a maximum of 25 entity certificates and a maximum of 50 CA certificates.

  • The certificate you import contains sensitive private key information. NVIDIA recommends that you use a secure transport such as SFTP, SCP, or HTTPS.

  • To import an entity certificate, run the nv action import system security certificate <cert-id> command.

  • To import a CA certificate, run the nv action import system security ca-certificate <cert-id> command.

If the certificate is passphrase protected, you need to include the passphrase.

You must provide a certificate ID (<cert-id>) to uniquely identify the certificate you import.

The following example imports a CA certificate with a public key and calls the certificate tls-cert-1. The certificate is passphrase protected with mypassphrase. The public key is a Base64 ASCII encoded PEM string.

nvos@switch:~$ nv action import system security ca-certificate tls-cert-1 passphrase mypassphrase data "<public-key>"

The following example imports an entity certificate bundle and calls the certificate tls-cert-1. The certificate bundle is passphrase protected with mypassphrase.

A certificate bundle must be in .PFX or .P12 format.

nvos@switch:~$ nv action import system security certificate tls-cert-1 passphrase mypassphrase uri-bundle scp://user@pass:1.2.3.4:/opt/certs/cert.p12 
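Before importing a bundle as in the example above, you can confirm on the workstation that holds it that the file opens with the passphrase, that the private key matches the certificate, and that the certificate has not expired. The script below is an added example, not part of the NVOS manual or NVIDIA tooling; it assumes OpenSSL is installed, reads the passphrase from a P12_PASS environment variable (a name chosen here), and uses a constructed throwaway bundle as sample input.

```bash
#!/bin/sh
# Added example: pre-flight check for a PKCS#12 bundle before importing it
# with "uri-bundle". The passphrase is read from the P12_PASS environment
# variable (an assumption of this script) so it is not passed as an argument.

# Constructed sample input: throwaway self-signed cert + key packed as cert.p12.
make_demo_bundle() {  # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=switch.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -passout env:P12_PASS -out "$1/cert.p12"
}

check_bundle() {  # $1 = bundle path; returns 0 only if every check passes
    case "$1" in
        *.p12|*.P12|*.pfx|*.PFX) ;;
        *) echo "FAIL: bundle must be .PFX or .P12"; return 1 ;;
    esac
    cb_tmp=$(mktemp -d) || return 1
    cb_rc=0
    # A wrong passphrase or a corrupt file fails at extraction.
    if openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts \
            -out "$cb_tmp/cert.pem" 2>/dev/null &&
       openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes \
            -out "$cb_tmp/key.pem" 2>/dev/null; then
        # The certificate's public key must be the one derived from the private key.
        cb_cert_pub=$(openssl x509 -in "$cb_tmp/cert.pem" -noout -pubkey)
        cb_key_pub=$(openssl pkey -in "$cb_tmp/key.pem" -pubout)
        [ -n "$cb_cert_pub" ] && [ "$cb_cert_pub" = "$cb_key_pub" ] ||
            { echo "FAIL: private key does not match certificate"; cb_rc=1; }
        # -checkend 0 exits non-zero if the certificate has already expired.
        openssl x509 -in "$cb_tmp/cert.pem" -noout -checkend 0 >/dev/null ||
            { echo "FAIL: certificate has expired"; cb_rc=1; }
        # Serial number and validity dates, to compare after import.
        openssl x509 -in "$cb_tmp/cert.pem" -noout -subject -serial -dates
    else
        echo "FAIL: cannot open bundle (wrong passphrase or not PKCS#12)"; cb_rc=1
    fi
    rm -rf "$cb_tmp"   # extracted private key must not be left on disk
    return $cb_rc
}
```

Export P12_PASS and call check_bundle with the path to the bundle; the serial number and dates it prints are the values to compare with the output of nv show system security certificate <cert-id> dump after the import.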

The following example imports an entity certificate with the public key URI scp://user@pass:1.2.3.4 and private key URI scp://user@pass:1.2.3.4, and calls the certificate tls-cert-1. The certificate is not passphrase protected.

A CA certificate must be in .pem, .p7a, or .p7c format.

nvos@switch:~$ nv action import system security certificate tls-cert-1 uri-public-key scp://user@pass:1.2.3.4 uri-private-key scp://user@pass:1.2.3.4

Set the Certificate to Use

You can configure the NVUE REST API to use a specific certificate.

The following example configures the API to use the certificate tls-cert-1:

nvos@switch:~$ nv set system api certificate tls-cert-1
nvos@switch:~$ nv config apply

The following example configures the API to use the self-signed certificate:

nvos@switch:~$ nv set system api certificate self-signed
nvos@switch:~$ nv config apply

To unset the certificate to use with the NVUE REST API:

nvos@switch:~$ nv unset system api certificate tls-cert-1

Delete Certificates

  • To delete an entity certificate and the key data stored on the switch, run the nv action delete system security certificate <cert-id> command.

  • To delete a CA certificate and the key data stored on the switch, run the nv action delete system security ca-certificate <cert-id> command.

The following command deletes the certificate tls-cert-1:

nvos@switch:~$ nv action delete system security certificate tls-cert-1

Show Certificate Information

  • To show all the entity certificates on the switch, run the nv show system security certificate command.

  • To show all the CA certificates on the switch, run the nv show system security ca-certificate command.

The following example shows all the entity certificates on the switch:

nvos@switch:~$ nv show system security certificate

  • To show the applications that are using a specific entity certificate, run the nv show system security certificate <cert-id> installed command.

  • To show the applications that are using a specific CA certificate, run the nv show system security ca-certificate <cert-id> installed command.

The following example shows the applications that are using a specific entity certificate.

nvos@switch:~$ nv show system security certificate tls-cert-1 installed

  • To show detailed information about a specific entity certificate, run the nv show system security certificate <cert-id> dump command.

  • To show detailed information about a specific CA certificate, run the nv show system security ca-certificate <cert-id> dump command.

The following example shows detailed information about the CA certificate tls-cert-1:

nvos@switch:~$ nv show system security ca-certificate tls-cert-1 dump

© Copyright 2024, NVIDIA. Last updated on Jan 8, 2025.