When ovs-pki is used for CA cert generation, it generates certificates
that are identical except for the public key. If multiple controllers are
their own certificate authorities, the switch will receive multiple CA
certs that are identical other than their key. Unfortunately, OpenSSL
cannot distinguish between them. This is an excerpt of the
SSL_CTX_load_verify_locations function used by vconn-ssl:
Certificate matching is done based on the subject name, the key
identifier (if present), and the serial number as taken from the
certificate to be verified. If these data do not match, the next
certificate will be tried. If a first certificate matching the
parameters is found, the verification process will be performed; no
other certificates for the same parameters will be searched in case of
failure.
To work around this, we add a bit of uniqueness to each certificate. In
this commit, we add the generation time to the subject name. Please note
that the CN field is limited to 64 bytes, so a bit of name compression
needed to take place in order to fit the time.
Bug #1782
openssl dsaparam -out dsaparam.pem $bits 1>&3 2>&3
fi
+ # Get the current date to add some uniqueness to this certificate
+ curr_date=`date +"%Y %b %d %T"`
+
# Create the CAs.
for ca in controllerca switchca; do
echo "Creating $ca..." >&2
cp ../dsaparam.pem .
fi
- # Write CA configuration file.
+ # Write CA configuration file.
if test ! -e ca.cnf; then
- sed "s/@ca@/$ca/g" > ca.cnf <<'EOF'
+ sed "s/@ca@/$ca/g;s/@curr_date@/$curr_date/g" > ca.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = req_distinguished_name
L = Palo Alto
O = Open vSwitch
OU = @ca@
-CN = Open vSwitch @ca@ CA Certificate
+CN = OVS @ca@ CA Certificate (@curr_date@)
[ ca ]
default_ca = the_ca
git://git.onelab.eu / sliver-openvswitch.git / commitdiff