Creating and Installing an SSL Key and Certificate on a Juniper Networks Device for Connection with SDN Controllers

 

To secure a connection between a Juniper Networks device that supports the Open vSwitch Database (OVSDB) management protocol and one or more software-defined networking (SDN) controllers, the following Secure Sockets Layer (SSL) files must be present in the /var/db/certs directory on the device:

  • vtep-privkey.pem

  • vtep-cert.pem

  • ca-cert.pem

You must create the vtep-privkey.pem and vtep-cert.pem files for the device and then install the two files in the /var/db/certs directory on the device.

Upon initial connection between a Juniper Networks device with OVSDB implemented and an SDN controller, the ca-cert.pem file is automatically generated and then installed in the /var/db/certs directory on the device.

Note

The situation at your particular site determines the possible methods that you can use to create the vtep-privkey.pem and vtep-cert.pem files and install them in the Juniper Networks device. Instead of providing procedures for all possible situations, this topic provides a procedure for one common scenario.

The procedure provided in this topic uses the OpenFlow public key infrastructure (PKI) management utility ovs-pki on a Linux computer to initialize a PKI and create the vtep-privkey.pem and vtep-cert.pem files. (If you have an existing PKI on your Linux computer, you can skip the step to initialize a new one.) By default, the utility initializes the PKI and places these files in the /usr/local/share/openvswitch/pki directory of the Linux computer.

To create and install an SSL key and certificate on a Juniper Networks device:

  1. Initialize a PKI if one does not already exist on your Linux computer.
  2. On the same Linux computer on which the PKI exists, create a new key and certificate for the Juniper Networks device.
  3. Copy only the vtep-privkey.pem and vtep-cert.pem files from the Linux computer to the /var/db/certs directory on the Juniper Networks device.