Configuring Secure Connection to OpenFlow
Since OpenFlow requires a certificate signed by the certificate authority (CA), the default certificate, which is self-signed, must be replaced.
If using a certificate generated by the switch, skip steps 2 and 3 below.
To change the default certificate for a secure OpenFlow connection:
1. Import the certificate to be used (e.g. a certificate created by openssl outside the switch). Run:

    switch (config) # crypto certificate name my-openflow public-cert pem "-----BEGIN CERTIFICATE-----
    > MIIDYzCCAksCCQC9EPbMuxjNBzANBgkqhkiG9w0BAQsFADBeMQswCQYDVQQGEwJJ
    > ...
    > fEt2ui9taB1dl9480xDsGUxwUDX4YOs/bQDjp99z+cKXUe2eYzeEwnTdrCzPZuQo
    > -----END CERTIFICATE-----"
    Successfully installed certificate with name 'my-openflow'
   Or use a new self-signed certificate generated via the switch CLI: export it as a CSR (certificate signing request) and send that CSR to the root CA for signing:

    switch (config) # crypto certificate name my-openflow generate self-signed
    Successfully generated certificate with name 'my-openflow'
    switch (config) # show crypto certificate name my-openflow csr-pem
    -----BEGIN CERTIFICATE REQUEST-----
    MIICuDCCAaACAQAwczELMAkGA1UEBhMCSVMxDDAKBgNVBAgMA1RCRDEMMAoGA1UE
    BwwDVEJEMQwwCgYDVQQKDANUQkQxDDAKBgNVBAsMA1RCRDEYMBYGA1UEAwwPYnVs
    bGRvZy1xcDEtMTMzMRIwEAYJKoZIhvcNAQkBFgNUQkQwggEiMA0GCSqGSIb3DQEB
    AQUAA4IBDwAwggEKAoIBAQC34xRVh9BaBUPIilV6kiSOAVAnOFgreWtEYoWeGpWJ
    XGZQBwewFx4TGptYo5fZ4KcnYcQxrcW7gYycQB9Y+9vUVvvPi3b4aYc2FkoNtnC3
    0BRTxEcIiwXY7LQxIA23Zuv/OlhjTkpe0+OYtpJSFeIDKMIX4Uy2BfevG06YLCAW
    tuju2FLQVkexayNK/HFLa5POpVt+16JLB1eV0bcC38Mq9JNIgPspJ7JIjo+BjzgD
    43iEY41hlRzoalu78nBBd0HbAddxCF1Uc+8PLuPLCIjGbV9ehPJNWSsA/T9jUEFU
    90KaI0/k05JqCXWnpvKz3opQraHsVAbsxG312pnmbTFNAgMBAAGgADANBgkqhkiG
    9w0BAQsFAAOCAQEAhpgZRNW/jleyhUbtGEr0CzdNbJ70V8w2lGr6bDhZgrQ/I4eO
    1K1D1hvfrVWYRB0SSPFmCmVmFmC7BQne8xrbL2It3ZdSKd82Ts36/Uxjtb63hyt3
    GBzCas7qypsbCVW42UHuD+259Yu5xpi9haspzD8Wg2ZKU5e6SjcH+JIchkM9mh/g
    BQJo4shybTgPfT+mFUCCygWmf5aLyQ9TrZpaUQ7cOk6BZB1RRkOVvA6uCfrwlBks
    X72LleceL4fP9dtML4VMzMMAf+wOUNxWP9+lqkKMaDhroDP5qlo/lr5BLSlRVet4
    z7zb3xSaPrhnefoGr88WFO74d9RxLPPdHcfMFw==
    -----END CERTIFICATE REQUEST-----

2. Import the private key of the certificate. Run:
    switch (config) # crypto certificate name my-openflow private-key pem "-----BEGIN RSA PRIVATE KEY-----
    > MIIEpAIBAAKCAQEAypJnZkwbhmt71Kf/MO6cy7QmWWHhCozzWRwuWGKse+MxSmfC
    > ...
    > QAuPOVR1lSyIEnYU+X0rMHc/9tgUh/8C7mBKwj7dccMmnRWz2djsjg==
    > -----END RSA PRIVATE KEY-----"

3. Designate "my-openflow" as the global default certificate used to authenticate this system to clients. Run:
    switch (config) # crypto certificate default-cert name my-openflow

4. Import the certificate of the CA that signed the controller's certificate. Run:
    switch (config) # crypto certificate name rootCA public-cert pem "-----BEGIN CERTIFICATE-----
    > MIIDjzCCAnegAwIBAgIJALVou4mcQtxlMA0GCSqGSIb3DQEBCwUAMF4xCzAJBgNV
    > ...
    > +ZfQIOCFS8gY4BDq73W4ugr38mqIA8UXXAMPwgjCbk4NyOh0rJ1P6WT8fYzvunct
    > -----END CERTIFICATE-----"
    Successfully installed certificate with name 'rootCA'
5. Add "rootCA" to the default CA certificate list. Run:

    switch (config) # crypto certificate ca-list default-ca-list name rootCA

6. Save the configuration. Run:
    switch (config) # configuration write

7. Reboot the switch. Run:
    switch (config) # reload

8. Verify the configuration. Run:
    switch (config) # show crypto certificate
    Certificate with name 'system-self-signed'
      Comment: system-generated self-signed certificate
      Private Key: present
      Serial Number: 0x543e2efc3a5ecdbe18b5b5e744598424
      SHA-1 Fingerprint: 14e1d36035c7a5fea9f7f0f423572c9954cb9fac
      Validity:
        Starts: 2016/09/12 12:44:10
        Expires: 2017/09/12 12:44:10
      Subject:
        Common Name: switch
        Country: IS
        State or Province: TBD
        Locality: TBD
        Organization: TBD
        Organizational Unit: TBD
        E-mail Address: TBD
      Issuer:
        Common Name: switch
        Country: IS
        State or Province: TBD
        Locality: TBD
        Organization: TBD
        Organizational Unit: TBD
        E-mail Address: TBD
    Certificate with name 'my-openflow' (default-cert)
      Private Key: present
      Serial Number: 0xbd10f6ccbb18cd07
      SHA-1 Fingerprint: 1e0e3302182ab56f2cbd3ca21722dec55299d670
      Validity:
        Starts: 2016/09/12 15:16:48
        Expires: 2018/01/25 14:16:48
      Subject:
        Common Name: switch
        Country: *
        State or Province: Some-State
        Locality: *
        Organization: Mlnx
        Organizational Unit: e2e
        E-mail Address: none@nowhere.com
      Issuer:
        Common Name: ca
        Country: *
        State or Province: Some-State
        Locality: *
        Organization: Mlnx
        Organizational Unit: e2e
    Certificate with name 'rootCA'
      Private Key: not present
      Serial Number: 0xb568bb899c42dc65
      SHA-1 Fingerprint: 9855536f6ee0177356ffbdc54ffe803bc83fb4c6
      Validity:
        Starts: 2016/09/08 10:34:23
        Expires: 2019/06/29 10:34:23
      Subject:
        Common Name: ca
        Country: *
        State or Province: Some-State
        Locality: *
        Organization: Mlnx
        Organizational Unit: e2e
      Issuer:
        Common Name: ca
        Country: *
        State or Province: Some-State
        Locality: *
        Organization: Mlnx
        Organizational Unit: e2e

   The listing confirms that "my-openflow" is the default-cert, that its private key is present, and that its issuer (Common Name "ca") is the subject of the imported "rootCA" certificate rather than the switch itself.

9. Configure the secure controller IP connection. Run:
    switch (config) # controller-ip 10.10.10.10 tls
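To automate the verification step, the following is an added Python example (not part of the Mellanox documentation) that parses "show crypto certificate" output and flags what would break the TLS controller connection: a default-cert that is still self-signed, has expired, lacks its private key, or whose issuer is not on the default CA list (in this procedure the same root CA issues both sides). The sample output is constructed and abridged from the listing above; the switch clock is passed in the same "YYYY/MM/DD HH:MM:SS" format the CLI prints.

```python
from datetime import datetime
FMT = "%Y/%m/%d %H:%M:%S"   # timestamp format the switch CLI prints

# Constructed sample, abridged from the 'show crypto certificate' output above
SAMPLE = """\
Certificate with name 'my-openflow' (default-cert)
  Private Key: present
  Expires: 2018/01/25 14:16:48
  Subject:
    Common Name: switch
  Issuer:
    Common Name: ca
Certificate with name 'rootCA'
  Private Key: not present
  Expires: 2019/06/29 10:34:23
  Subject:
    Common Name: ca
  Issuer:
    Common Name: ca
"""

def parse_show_crypto(text):
    # Returns {cert name: {default, key, expires, subject_cn, issuer_cn}}
    certs, cur, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate with name '"):
            cur = certs[line.split("'")[1]] = {"default": "(default-cert)" in line}
        elif line in ("Subject:", "Issuer:"):
            section = line[:-1].lower()  # which block the next Common Name belongs to
        elif line.startswith("Common Name:"):
            cur[section + "_cn"] = line.split(":", 1)[1].strip()
        elif line.startswith("Private Key:"):
            cur["key"] = line.split(":", 1)[1].strip() == "present"
        elif line.startswith("Expires:"):
            cur["expires"] = datetime.strptime(line.split(":", 1)[1].strip(), FMT)
    return certs

def check_openflow_tls(certs, ca_list, now):
    # now: the switch clock as printed by the CLI, e.g. "2017/01/01 00:00:00"
    d = next((c for c in certs.values() if c["default"]), None)
    if d is None:
        return ["no default-cert configured"]
    checks = [
        (not d["key"], "default-cert has no private key"),
        (d["expires"] <= datetime.strptime(now, FMT), "default-cert expired"),
        (d["issuer_cn"] == d["subject_cn"], "default-cert is still self-signed"),
        (not any(n in certs and certs[n]["subject_cn"] == d["issuer_cn"] for n in ca_list),
         "default-cert issuer is not on the default CA list"),
    ]
    return [msg for bad, msg in checks if bad]
```

Feed it the full listing and the names passed to "crypto certificate ca-list default-ca-list"; an empty result means the certificates match what the procedure expects.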