1 .TH ofp\-pki 8 "May 2008" "OpenFlow" "OpenFlow Manual"
4 ofp\-pki \- OpenFlow public key infrastructure management utility
7 \fBofp\-pki\fR [\fIOPTIONS\fR] \fICOMMAND\fR [\fIARGS\fR]
9 Stand\-alone commands with their arguments:
11 \fBofp\-pki\fR \fBinit\fR
13 \fBofp\-pki\fR \fBreq\fR \fINAME\fR
15 \fBofp\-pki\fR \fBsign\fR \fINAME\fR [\fITYPE\fR]
17 \fBofp\-pki\fR \fBreq+sign\fR \fINAME\fR [\fITYPE\fR]
19 \fBofp\-pki\fR \fBverify\fR \fINAME\fR [\fITYPE\fR]
21 \fBofp\-pki\fR \fBfingerprint\fR \fIFILE\fR
23 \fBofp\-pki\fR \self-sign\fR \fINAME\fR
25 The following additional commands manage an online PKI:
27 \fBofp\-pki\fR \fBls\fR [\fIPREFIX\fR] [\fITYPE\fR]
29 \fBofp\-pki\fR \fBflush\fR [\fITYPE\fR]
31 \fBofp\-pki\fR \fBreject\fR \fIPREFIX\fR [\fITYPE\fR]
33 \fBofp\-pki\fR \fBapprove\fR \fIPREFIX\fR [\fITYPE\fR]
35 \fBofp\-pki\fR \fBprompt\fR [\fITYPE\fR]
37 \fBofp\-pki\fR \fBexpire\fR [\fIAGE\fR]
39 Each \fITYPE\fR above is a certificate type, either \fBswitch\fR
40 (default) or \fBcontroller\fR.
42 The available options are:
44 [\fB\-k\fR \fItype\fR | \fB\-\^\-key=\fItype\fR]
45 [\fB\-B\fR \fInbits\fR | \fB\-\^\-bits=\fInbits\fR]
46 [\fB\-D\fR \fIfile\fR | \fB\-\^\-dsaparam=\fIfile\fR]
47 [\fB\-b\fR | \fB\-\^\-batch\fR]
48 [\fB\-f\fR | \fB\-\^\-force\fR]
49 [\fB\-d\fR \fIdir\fR | \fB\-\^\-dir=\fR\fIdir\fR]
50 [\fB\-l\fR \fIfile\fR | \fB\-\^\-log=\fIfile\fR]
51 [\fB\-h\fR | \fB\-\^\-help\fR]
53 Some options do not apply to every command.
56 The \fBofp\-pki\fR program sets up and manages a public key
57 infrastructure for use with OpenFlow. It is intended to be a simple
58 interface for organizations that do not have an established public key
59 infrastructure. Other PKI tools can substitute for or supplement the
60 use of \fBofp\-pki\fR.
62 \fBofp\-pki\fR uses \fBopenssl\fR(1) for certificate management and key
65 .SH "OFFLINE COMMANDS"
67 The following \fBofp\-pki\fR commands support manual PKI
72 Initializes a new PKI (by default in directory \fB@PKIDIR@\fR) and populates
73 it with a pair of certificate authorities for controllers and
76 This command should ideally be run on a high\-security machine separate
77 from any OpenFlow controller or switch, called the CA machine. The
78 files \fBpki/controllerca/cacert.pem\fR and
79 \fBpki/switchca/cacert.pem\fR that it produces will need to be copied
80 over to the OpenFlow switches and controllers, respectively. Their
81 contents may safely be made public.
83 By default, \fBofp\-pki\fR generates 2048\-bit RSA keys. The \fB\-B\fR
84 or \fB\-\^\-bits\fR option (see below) may be used to override the key
85 length. The \fB\-k dsa\fR or \fB\-\^\-key=dsa\fR option may be used to use
86 DSA in place of RSA. If DSA is selected, the \fBdsaparam.pem\fR file
87 generated in the new PKI hierarchy must be copied to any machine on
88 which the \fBreq\fR command (see below) will be executed. Its
89 contents may safely be made public.
91 Other files generated by \fBinit\fR may remain on the CA machine.
92 The files \fBpki/controllerca/private/cakey.pem\fR and
93 \fBpki/switchca/private/cakey.pem\fR have particularly sensitive
94 contents that should not be exposed.
98 Generates a new private key named \fINAME\fR\fB\-privkey.pem\fR and
99 corresponding certificate request named \fINAME\fR\fB\-req.pem\fR.
100 The private key can be intended for use by a switch or a controller.
102 This command should ideally be run on the switch or controller that
103 will use the private key to identify itself. The file
104 \fINAME\fR\fB\-req.pem\fR must be copied to the CA machine for signing
105 with the \fBsign\fR command (below).
107 This command will output a fingerprint to stdout as its final step.
108 Write down the fingerprint and take it to the CA machine before
109 continuing with the \fBsign\fR step.
111 When RSA keys are in use (as is the default), \fBreq\fR, unlike the
112 rest of \fBofp\-pki\fR's commands, does not need access to a PKI
113 hierarchy created by \fBofp\-pki init\fR. The \fB\-B\fR or
114 \fB\-\^\-bits\fR option (see below) may be used to specify the number of
115 bits in the generated RSA key.
117 When DSA keys are used (as specified with \fB\-\^\-key=dsa\fR), \fBreq\fR
118 needs access to the \fBdsaparam.pem\fR file created as part of the PKI
119 hierarchy (but not to other files in that tree). By default,
120 \fBofp\-pki\fR looks for this file in \fB@PKIDIR@/dsaparam.pem\fR, but
121 the \fB\-D\fR or \fB\-\^\-dsaparam\fR option (see below) may be used to
122 specify an alternate location.
124 \fINAME\fR\fB\-privkey.pem\fR has sensitive contents that should not be
125 exposed. \fINAME\fR\fB\-req.pem\fR may be safely made public.
128 \fBsign\fR \fINAME\fR [\fITYPE\fR]
129 Signs the certificate request named \fINAME\fR\fB\-req.pem\fR that was
130 produced in the previous step, producing a certificate named
131 \fINAME\fR\fB\-cert.pem\fR. \fITYPE\fR, either \fBswitch\fR (default) or
132 \fBcontroller\fR, indicates the use for which the key is being
135 This command must be run on the CA machine.
137 The command will output a fingerprint to stdout and request that you
138 verify that it is the same fingerprint output by the \fBreq\fR
139 command. This ensures that the request being signed is the same one
140 produced by \fBreq\fR. (The \fB\-b\fR or \fB\-\^\-batch\fR option
141 suppresses the verification step.)
143 The file \fINAME\fR\fB\-cert.pem\fR will need to be copied back to the
144 switch or controller for which it is intended. Its contents may
145 safely be made public.
148 \fBreq+sign\fR \fINAME\fR [\fITYPE\fR]
149 Combines the \fBreq\fR and \fBsign\fR commands into a single step,
150 outputting all the files produced by each. The
151 \fINAME\fR\fB\-privkey.pem\fR and \fINAME\fR\fB\-cert.pem\fR files must
152 be copied securely to the switch or controller.
153 \fINAME\fR\fB\-privkey.pem\fR has sensitive contents and must not be
154 exposed in transit. Afterward, it should be deleted from the CA
157 This combined method is, theoretically, less secure than the
158 individual steps performed separately on two different machines,
159 because there is additional potential for exposure of the private
160 key. However, it is also more convenient.
163 \fBverify\fR \fINAME\fR [\fITYPE\fR]
164 Verifies that \fINAME\fR\fB\-cert.pem\fR is a valid certificate for the
165 given \fITYPE\fR of use, either \fBswitch\fR (default) or
166 \fBcontroller\fR. If the certificate is valid for this use, it prints
167 the message ``\fINAME\fR\fB\-cert.pem\fR: OK''; otherwise, it prints an
171 \fBfingerprint\fR \fIFILE\fR
172 Prints the fingerprint for \fIFILE\fR. If \fIFILE\fR is a
173 certificate, then this is the SHA\-1 digest of the DER encoded version
174 of the certificate; otherwise, it is the SHA\-1 digest of the entire
178 \fBself-sign\fR \fINAME\fR
179 Signs the certificate request named \fINAME\fB\-req.pem\fR using the
180 private key \fINAME\fB-privkey.pem\fR, producing a self-signed
181 certificate named \fINAMEfB\-cert.pem\fR. The input files should have
182 been produced with \fBofp\-pki req\fR.
184 Some controllers accept such self-signed certificates.
186 .SH "ONLINE COMMANDS"
188 An OpenFlow PKI can be administered online, in conjunction with
189 .BR ofp\-pki\-cgi (8)
190 and a web server such as Apache:
193 The web server exports the contents of the PKI via HTTP. All files in
194 a PKI hierarchy files may be made public, except for the files
195 \fBpki/controllerca/private/cakey.pem\fR and
196 \fBpki/switchca/private/cakey.pem\fR, which must not be exposed.
199 \fBofp\-pki\-cgi\fR allows newly generated certificate requests for
200 controllers and switches to be uploaded into the
201 \fBpki/controllerca/incoming\fR and \fBpki/switchca/incoming\fR
202 directories, respectively. Uploaded certificate requests are stored
203 in those directories under names of the form
204 \fIFINGERPRINT\fB\-req.pem\fR, which \fIFINGERPRINT\fR is the SHA\-1
208 These \fBofp\-pki\fR commands allow incoming certificate requests to
209 be approved or rejected, in a form are suitable for use by humans or
213 The following \fBofp\-pki\fR commands support online administration:
216 \fBofp\-pki\fR \fBls\fR [\fIPREFIX\fR] [\fITYPE\fR]
217 Lists all of the incoming certificate requests of the given \fITYPE\fR
218 (either \fBswitch\fR, the default, or \fBcontroller\fR). If
219 \fIPREFIX\fR, which must be at least 4 characters long, is specified,
220 it causes the list to be limited to files whose names begin with
221 \fIPREFIX\fR. This is useful, for example, to avoid typing in an
222 entire fingerprint when checking that a specific certificate request
226 \fBofp\-pki\fR \fBflush\fR [\fITYPE\fR]
227 Deletes all certificate requests of the given \fITYPE\fR.
230 \fBofp\-pki\fR \fBreject\fR \fIPREFIX\fR [\fITYPE\fR]
231 Rejects the certificate request whose name begins with \fIPREFIX\fR,
232 which must be at least 4 characters long, of the given type (either
233 \fBswitch\fR, the default, or \fBcontroller\fR). \fIPREFIX\fR must
234 match exactly one certificate request; its purpose is to allow the
235 user to type fewer characters, not to match multiple certificate
239 \fBofp\-pki\fR \fBapprove\fR \fIPREFIX\fR [\fITYPE\fR]
240 Approves the certificate request whose name begins with \fIPREFIX\fR,
241 which must be at least 4 characters long, of the given \fITYPE\fR
242 (either \fBswitch\fR, the default, or \fBcontroller\fR). \fIPREFIX\fR
243 must match exactly one certificate request; its purpose is to allow
244 the user to type fewer characters, not to match multiple certificate
247 The command will output a fingerprint to stdout and request that you
248 verify that it is correct. (The \fB\-b\fR or \fB\-\^\-batch\fR option
249 suppresses the verification step.)
252 \fBofp\-pki\fR \fBprompt\fR [\fITYPE\fR]
253 Prompts the user for each incoming certificate request of the given
254 \fITYPE\fR (either \fBswitch\fR, the default, or \fBcontroller\fR).
255 Based on the certificate request's fingerprint, the user is given the
256 option of approving, rejecting, or skipping the certificate request.
259 \fBofp\-pki\fR \fBexpire\fR [\fIAGE\fR]
261 Rejects all the incoming certificate requests, of either type, that is
262 older than \fIAGE\fR, which must in one of the forms \fIN\fBs\fR,
263 \fIN\fBmin\fR, \fIN\fBh\fR, \fIN\fBday\fR. The default is \fB1day\fR.
267 \fB\-k\fR \fItype\fR | \fB\-\^\-key=\fItype\fR
268 For the \fBinit\fR command, sets the public key algorithm to use for
269 the new PKI hierarchy. For the \fBreq\fR and \fBreq+sign\fR commands,
270 sets the public key algorithm to use for the key to be generated,
271 which must match the value specified on \fBinit\fR. With other
272 commands, the value has no effect.
274 The \fItype\fR may be \fBrsa\fR (the default) or \fBdsa\fR.
277 \fB\-B\fR \fInbits\fR | \fB\-\^\-bits=\fInbits\fR
278 Sets the number of bits in the key to be generated. When RSA keys are
279 in use, this option affects only the \fBinit\fR, \fBreq\fR, and
280 \fBreq+sign\fR commands, and the same value should be given each time.
281 With DSA keys are in use, this option affects only the \fBinit\fR
284 The value must be at least 1024. The default is 2048.
287 \fB\-D\fR \fIfile\fR | \fB\-\^\-dsaparam=\fIfile\fR
288 Specifies an alternate location for the \fBdsaparam.pem\fR file
289 required by the \fBreq\fR and \fBreq+sign\fR commands. This option
290 affects only these commands, and only when DSA keys are used.
292 The default is \fBdsaparam.pem\fR under the PKI hierarchy.
295 \fB\-b\fR | \fB\-\^\-batch\fR
296 Suppresses the interactive verification of fingerprints that the
297 \fBsign\fR and \fBapprove\fR commands by default require.
300 \fB\-d\fR \fIdir\fR | \fB\-\^\-dir=\fR\fIdir\fR
301 Specifies the location of the PKI hierarchy to be used or created by
302 the command (default: \fB@PKIDIR@\fR). All commands, except \fBreq\fR,
303 need access to a PKI hierarchy.
306 \fB\-f\fR | \fB\-\^\-force\fR
307 By default, \fBofp\-pki\fR will not overwrite existing files or
308 directories. This option overrides this behavior.
311 \fB\-l\fR \fIfile\fR | \fB\-\^\-log=\fIfile\fR
312 Sets the log file to \fIfile\fR. If \fIfile\fR starts with \fB/\fR,
313 it is taken as an absolute path; otherwise it is relative to @LOGDIR@.
314 Default: \fBofp\-pki.log\fR.
317 \fB\-h\fR | \fB\-\^\-help\fR
318 Prints a help usage message and exits.
322 .BR ofp\-pki\-cgi (8),