ovs-pki(8) Open vSwitch Manual ovs-pki(8)
ovs-pki - OpenFlow public key infrastructure management utility
Each command takes the form:
ovs-pki [options] command [args]
The implemented commands and their arguments are:
ovs-pki req name
ovs-pki sign name [type]
ovs-pki req+sign name [type]
ovs-pki verify name [type]
ovs-pki fingerprint file
ovs-pki self-sign name
Each type above is a certificate type, either switch (default) or con‐
The available options are:
[-k type | --key=type]
[-B nbits | --bits=nbits]
[-D file | --dsaparam=file]
[-b | --batch]
[-f | --force]
[-d dir | --dir=dir]
[-l file | --log=file]
[-u | --unique]
[-h | --help]
Some options do not apply to every command.
The ovs-pki program sets up and manages a public key infrastructure for
use with OpenFlow. It is intended to be a simple interface for organi‐
zations that do not have an established public key infrastructure.
Other PKI tools can substitute for or supplement the use of ovs-pki.
ovs-pki uses openssl(1) for certificate management and key generation.
The following ovs-pki commands support manual PKI administration:
init Initializes a new PKI (by default in directory /var/lib/open‐
vswitch/pki) and populates it with a pair of certificate author‐
ities for controllers and switches.
This command should ideally be run on a high-security machine
separate from any OpenFlow controller or switch, called the CA
machine. The files pki/controllerca/cacert.pem and
pki/switchca/cacert.pem that it produces will need to be copied
over to the OpenFlow switches and controllers, respectively.
Their contents may safely be made public.
By default, ovs-pki generates 2048-bit RSA keys. The -B or
--bits option (see below) may be used to override the key
length. The -k dsa or --key=dsa option may be used to use DSA
in place of RSA. If DSA is selected, the dsaparam.pem file gen‐
erated in the new PKI hierarchy must be copied to any machine on
which the req command (see below) will be executed. Its con‐
tents may safely be made public.
Other files generated by init may remain on the CA machine. The
files pki/controllerca/private/cakey.pem and pki/switchca/pri‐
vate/cakey.pem have particularly sensitive contents that should
not be exposed.
Generates a new private key named name-privkey.pem and corre‐
sponding certificate request named name-req.pem. The private
key can be intended for use by a switch or a controller.
This command should ideally be run on the switch or controller
that will use the private key to identify itself. The file
name-req.pem must be copied to the CA machine for signing with
the sign command (below).
This command will output a fingerprint to stdout as its final
step. Write down the fingerprint and take it to the CA machine
before continuing with the sign step.
When RSA keys are in use (as is the default), req, unlike the
rest of ovs-pki's commands, does not need access to a PKI hier‐
archy created by ovs-pki init. The -B or --bits option (see be‐
low) may be used to specify the number of bits in the generated
When DSA keys are used (as specified with --key=dsa), req needs
access to the dsaparam.pem file created as part of the PKI hier‐
archy (but not to other files in that tree). By default,
ovs-pki looks for this file in /var/lib/open‐
vswitch/pki/dsaparam.pem, but the -D or --dsaparam option (see
below) may be used to specify an alternate location.
name-privkey.pem has sensitive contents that should not be ex‐
posed. name-req.pem may be safely made public.
sign name [type]
Signs the certificate request named name-req.pem that was pro‐
duced in the previous step, producing a certificate named
name-cert.pem. type, either switch (default) or controller, in‐
dicates the use for which the key is being certified.
This command must be run on the CA machine.
The command will output a fingerprint to stdout and request that
you verify that it is the same fingerprint output by the req
command. This ensures that the request being signed is the same
one produced by req. (The -b or --batch option suppresses the
The file name-cert.pem will need to be copied back to the switch
or controller for which it is intended. Its contents may safely
be made public.
req+sign name [type]
Combines the req and sign commands into a single step, out‐
putting all the files produced by each. The name-privkey.pem
and name-cert.pem files must be copied securely to the switch or
controller. name-privkey.pem has sensitive contents and must
not be exposed in transit. Afterward, it should be deleted from
the CA machine.
This combined method is, theoretically, less secure than the in‐
dividual steps performed separately on two different machines,
because there is additional potential for exposure of the pri‐
vate key. However, it is also more convenient.
verify name [type]
Verifies that name-cert.pem is a valid certificate for the given
type of use, either switch (default) or controller. If the cer‐
tificate is valid for this use, it prints the message
``name-cert.pem: OK''; otherwise, it prints an error message.
Prints the fingerprint for file. If file is a certificate, then
this is the SHA-1 digest of the DER encoded version of the cer‐
tificate; otherwise, it is the SHA-1 digest of the entire file.
Signs the certificate request named name-req.pem using the pri‐
vate key name-privkey.pem, producing a self-signed certificate
named name-cert.pem. The input files should have been produced
with ovs-pki req.
Some controllers accept such self-signed certificates.
For the init command, sets the public key algorithm to use for
the new PKI hierarchy. For the req and req+sign commands, sets
the public key algorithm to use for the key to be generated,
which must match the value specified on init. With other com‐
mands, the value has no effect.
The type may be rsa (the default) or dsa.
Sets the number of bits in the key to be generated. When RSA
keys are in use, this option affects only the init, req, and
req+sign commands, and the same value should be given each time.
With DSA keys are in use, this option affects only the init com‐
The value must be at least 1024. The default is 2048.
Specifies an alternate location for the dsaparam.pem file re‐
quired by the req and req+sign commands. This option affects
only these commands, and only when DSA keys are used.
The default is dsaparam.pem under the PKI hierarchy.
Suppresses the interactive verification of fingerprints that the
sign command by default requires.
Specifies the location of the PKI hierarchy to be used or cre‐
ated by the command (default: /var/lib/openvswitch/pki). All
commands, except req, need access to a PKI hierarchy.
By default, ovs-pki will not overwrite existing files or direc‐
tories. This option overrides this behavior.
Sets the log file to file. Default: /var/log/open‐
Changes the format of the certificate's Common Name (CN) field;
by default, this field has the format "gt; id:gt;", this option causes the provided name to be treated as
unique and changes the format of the CN field to be simply
--help Prints a help usage message and exits.
Open vSwitch 2.10.90 ovs-pki(8)