From 496d0fe53648c34b1fbcce008314c6bbf1582ee2 Mon Sep 17 00:00:00 2001 From: Justin Pettit Date: Thu, 13 Aug 2009 15:14:39 -0700 Subject: [PATCH] ovs-pki: Add uniqueness to CA certs When ovs-pki is used for CA cert generation, it generates certificates that are identical except for the public key. If multiple controllers are their own certificate authorities, the switch will receive multiple CA certs that are identical other than their key. Unfortunately, OpenSSL cannot distinguish between them. This is an excerpt of the SSL_CTX_load_verify_locations function used by vconn-ssl: Certificate matching is done based on the subject name, the key identifier (if present), and the serial number as taken from the certificate to be verified. If these data do not match, the next certificate will be tried. If a first certificate matching the parameters is found, the verification process will be performed; no other certificates for the same parameters will be searched in case of failure. To work around this, we add a bit of uniqueness to each certificate. In this commit, we add the generation time to the subject name. Please note that the CN field is limited to 64 bytes, so a bit of name compression needed to take place in order to fit the time. Bug #1782 --- utilities/ovs-pki.in | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in index bcfe736e..22b5f2a0 100755 --- a/utilities/ovs-pki.in +++ b/utilities/ovs-pki.in @@ -193,6 +193,9 @@ if test "$command" = "init"; then openssl dsaparam -out dsaparam.pem $bits 1>&3 2>&3 fi + # Get the current date to add some uniqueness to this certificate + curr_date=`date +"%Y %b %d %T"` + # Create the CAs. for ca in controllerca switchca; do echo "Creating $ca..." >&2 
@@ -212,9 +215,9 @@ if test "$command" = "init"; then cp ../dsaparam.pem . fi - # Write CA configuration file. + # Write CA configuration file. if test ! -e ca.cnf; then - sed "s/@ca@/$ca/g" > ca.cnf <<'EOF' + sed "s/@ca@/$ca/g;s/@curr_date@/$curr_date/g" > ca.cnf <<'EOF' [ req ] prompt = no distinguished_name = req_distinguished_name @@ -225,7 +228,7 @@ ST = CA L = Palo Alto O = Open vSwitch OU = @ca@ -CN = Open vSwitch @ca@ CA Certificate +CN = OVS @ca@ CA Certificate (@curr_date@) [ ca ] default_ca = the_ca -- 2.30.2
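Review bot: in the `@@ -193,6` hunk, `curr_date=\`date +"%Y %b %d %T"\`` gives only one-second granularity and is locale-sensitive, so two controllers running `ovs-pki init` in the same second (or under a locale where `%b` expands to a non-ASCII month name) can still produce CA certificates that OpenSSL cannot tell apart, which is the problem the commit message sets out to fix. Consider pinning the locale (`LC_ALL=C date ...`) and adding a clock-independent component such as the hostname or a few bytes from `openssl rand -hex`, keeping the result inside the 64-byte CN limit the message mentions; `$(...)` would also be easier to read than backticks.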
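Review bot: in the `@@ -212,9` hunk, `sed "s/@ca@/$ca/g;s/@curr_date@/$curr_date/g"` interpolates `$curr_date` unescaped into a `/`-delimited substitution. That is safe for the current `"%Y %b %d %T"` format (spaces, digits and colons only), but any later change to a format that contains `/` (for example `%D` or `%x`) would silently break the generated ca.cnf; a comment stating that constraint, or a different delimiter such as `s|@curr_date@|$curr_date|g`, would make it explicit. The `-`/`+` pair for `# Write CA configuration file.` appears to differ only in whitespace and reads as an unrelated cleanup.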
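Review bot: in the `@@ -225,7` hunk, `CN = OVS @ca@ CA Certificate (@curr_date@)` expands for `controllerca` to 54 characters, so it fits the 64-byte limit but leaves little room for adding more uniqueness later. Since the OpenSSL excerpt quoted in the commit message says matching also uses the key identifier when present, adding a `subjectKeyIdentifier = hash` extension to the CA certificate would distinguish certificates by their actual key without depending on the clock or on CN length; the CN timestamp could then stay purely informational. Either way, the CN change means certificates from earlier ovs-pki versions and this one differ in subject name, which is worth stating in the commit message.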