OVS-PKI(8) Open vSwitch OVS-PKI(8)
NAME
ovs-pki - OpenFlow public key infrastructure management utility
SYNOPSIS
Each command takes the form:
ovs-pki <options> <command> <args>...
The implemented commands and their arguments are:
• ovs-pki init
• ovs-pki req <name>
• ovs-pki sign <name> [<type>]
• ovs-pki req+sign <name> [<type>]
• ovs-pki verify <name> [<type>]
• ovs-pki fingerprint <file>
• ovs-pki self-sign <name>
Each <type> above is a certificate type, either switch (default) or
controller.
The available options are:
• -k <type> or --key=<type>
• -B <nbits> or --bits=<nbits>
• -D <file> or --dsaparam=<file>
• -b or --batch
• -f or --force
• -d <dir> or --dir=<dir>
• -l <file> or --log=<file>
• -u or --unique
• -h or --help
DESCRIPTION
The ovs-pki program sets up and manages a public key infrastructure for
use with OpenFlow. It is intended to be a simple interface for organi‐
zations that do not have an established public key infrastructure.
Other PKI tools can substitute for or supplement the use of ovs-pki.
ovs-pki uses openssl(1) for certificate management and key generation.
OFFLINE COMMANDS
The following ovs-pki commands support manual PKI administration:
• init
Initializes a new PKI (by default in /var/lib/openvswitch/pki, al‐
though this default may be changed at Open vSwitch build time) and
populates it with a pair of certificate authorities for controllers
and switches.
This command should ideally be run on a high-security machine sepa‐
rate from any OpenFlow controller or switch, called the CA machine.
The files pki/controllerca/cacert.pem and pki/switchca/cacert.pem
that it produces will need to be copied over to the OpenFlow switches
and controllers, respectively. Their contents may safely be made
public.
By default, ovs-pki generates 2048-bit RSA keys. The -B or --bits
option (see below) may be used to override the key length. The -k
dsa or --key=dsa option may be used to use DSA in place of RSA. If
DSA is selected, the dsaparam.pem file generated in the new PKI hier‐
archy must be copied to any machine on which the req command (see be‐
low) will be executed. Its contents may safely be made public.
Other files generated by init may remain on the CA machine. The
files pki/controllerca/private/cakey.pem and pki/switchca/pri‐
vate/cakey.pem have particularly sensitive contents that should not
be exposed.
• req <name>
Generates a new private key named <name>-privkey.pem and correspond‐
ing certificate request named <name>-req.pem. The private key can be
intended for use by a switch or a controller.
This command should ideally be run on the switch or controller that
will use the private key to identify itself. The file <name>-req.pem
must be copied to the CA machine for signing with the sign command
(below).
This command will output a fingerprint to stdout as its final step.
Write down the fingerprint and take it to the CA machine before con‐
tinuing with the sign step.
When RSA keys are in use (as is the default), req, unlike the rest of
the ovs-pki commands, does not need access to a PKI hierarchy created
by ovs-pki init. The -B or --bits option (see below) may be used to
specify the number of bits in the generated RSA key.
When DSA keys are used (as specified with --key=dsa), req needs ac‐
cess to the dsaparam.pem file created as part of the PKI hierarchy
(but not to other files in that tree). By default, ovs-pki looks for
this file in the PKI directory as dsaparam.pem, but the -D or
--dsaparam option (see below) may be used to specify an alternate lo‐
cation.
<name>-privkey.pem has sensitive contents that should not be exposed.
<name>-req.pem may be safely made public.
• sign <name> [<type>]
Signs the certificate request named <name>-req.pem that was produced
in the previous step, producing a certificate named <name>-cert.pem.
<type>, either switch (default) or controller, indicates the use for
which the key is being certified.
This command must be run on the CA machine.
The command will output a fingerprint to stdout and request that you
verify that it is the same fingerprint output by the req command.
This ensures that the request being signed is the same one produced
by req. (The -b or --batch option suppresses the verification step.)
The file <name>-cert.pem will need to be copied back to the switch or
controller for which it is intended. Its contents may safely be made
public.
• req+sign <name> [<type>]
Combines the req and sign commands into a single step, outputting all
the files produced by each. The <name>-privkey.pem and
<name>-cert.pem files must be copied securely to the switch or con‐
troller. <name>-privkey.pem has sensitive contents and must not be
exposed in transit. Afterward, it should be deleted from the CA ma‐
chine.
This combined method is, theoretically, less secure than the individ‐
ual steps performed separately on two different machines, because
there is additional potential for exposure of the private key. How‐
ever, it is also more convenient.
• verify <name> [<type>]
Verifies that <name>-cert.pem is a valid certificate for the given
<type> of use, either switch (default) or controller. If the cer‐
tificate is valid for this use, it prints the message
<name>-cert.pem: OK; otherwise, it prints an error message.
• fingerprint <file>
Prints the fingerprint for <file>. If <file> is a certificate, then
this is the SHA-1 digest of the DER encoded version of the certifi‐
cate; otherwise, it is the SHA-1 digest of the entire file.
• self-sign <name>
Signs the certificate request named <name>-req.pem using the private
key <name>-privkey.pem, producing a self-signed certificate named
<name>-cert.pem. The input files should have been produced with
ovs-pki req.
Some controllers accept such self-signed certificates.
OPTIONS
• -k <type> or --key=<type>
For the init command, sets the public key algorithm to use for the
new PKI hierarchy. For the req and req+sign commands, sets the pub‐
lic key algorithm to use for the key to be generated, which must
match the value specified on init. With other commands, the value
has no effect.
The <type> may be rsa (the default) or dsa.
• -B <nbits> or --bits=<nbits>
Sets the number of bits in the key to be generated. When RSA keys
are in use, this option affects only the init, req, and req+sign com‐
mands, and the same value should be given each time. With DSA keys
are in use, this option affects only the init command.
The value must be at least 1024. The default is 2048.
• -D <file> or --dsaparam=<file>
Specifies an alternate location for the dsaparam.pem file required by
the req and req+sign commands. This option affects only these com‐
mands, and only when DSA keys are used.
The default is dsaparam.pem under the PKI hierarchy.
• -b or --batch
Suppresses the interactive verification of fingerprints that the sign
command by default requires.
• -d <dir> or --dir=<dir>
Specifies the location of the PKI hierarchy to be used or created by
the command. All commands, except req, need access to a PKI hierar‐
chy.
The default PKI hierarchy is /var/lib/openvswitch/pki, although this
default may be changed at Open vSwitch build time
• -f or --force
By default, ovs-pki will not overwrite existing files or directories.
This option overrides this behavior.
• -l <file> or --log=<file>
Sets the log file to <file>. The default is ovs-pki.log in the OVS
log directory. The default OVS log directory is /var/log/open‐
vswitch, although this default may be changed at Open vSwitch build
time.
• -u or --unique
Changes the format of the certificate’s Common Name (CN) field. By
default, this field has the format <name> id:<uuid-or-date>. This
option causes the provided name to be treated as unique and changes
the format of the CN field to be simply <name>.
• -h or --help
Prints a help usage message and exits.
AUTHOR
The Open vSwitch Development Community
COPYRIGHT
2016-2024, The Open vSwitch Development Community
3.6 Aug 18, 2025 OVS-PKI(8)