mirror of
https://github.com/openvswitch/ovs
synced 2025-10-29 15:28:56 +00:00
Utilities like ovs-vsctl have the ability to bootstrap a CA certificate. It looks useful for ovn-nbctl to have the same ability too. One could connect to the OVN NB database over SSL for transactions without having to copy over the certificate being used by the ovsdb-server backing OVN NB.

Signed-off-by: Gurucharan Shetty <guru@ovn.org>
Acked-by: Lance Richardson <lrichard@redhat.com>
Acked-by: Ben Pfaff <blp@ovn.org>
31 lines
1.2 KiB
XML
<?xml version="1.0" encoding="utf-8"?>
<dl>
  <dt><code>--bootstrap-ca-cert=</code><var>cacert.pem</var></dt>
  <dd>
    <p>
      When <var>cacert.pem</var> exists, this option has the same effect
      as <code>-C</code> or <code>--ca-cert</code>. If it does not exist,
      then the executable will attempt to obtain the CA certificate from the
      SSL peer on its first SSL connection and save it to the named PEM
      file. If it is successful, it will immediately drop the connection
      and reconnect, and from then on all SSL connections must be
      authenticated by a certificate signed by the CA certificate thus
      obtained.
    </p>
    <p>
      This option exposes the SSL connection to a man-in-the-middle
      attack obtaining the initial CA certificate, but it may be useful
      for bootstrapping.
    </p>
    <p>
      This option is only useful if the SSL peer sends its CA certificate as
      part of the SSL certificate chain. The SSL protocol does not require
      the server to send the CA certificate.
    </p>
    <p>
      This option is mutually exclusive with <code>-C</code> and
      <code>--ca-cert</code>.
    </p>
  </dd>
</dl>
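The bootstrap procedure described above (first paragraph) and its caveat that the peer must actually send its CA certificate in the chain (third paragraph), as an added shell example that is not OVS code: it reconstructs the decision from a saved PEM chain such as the output of `openssl s_client -showcerts`, saving the last certificate as the CA only when it is self-signed. It assumes the openssl CLI and awk are installed; the host and port passed to `fetch_chain` are whatever your ovsdb-server listens on.

```shell
# Fetch the peer's certificate chain as PEM, i.e. what the bootstrap code
# sees in the TLS handshake. Not exercised offline; needs a reachable peer.
fetch_chain() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null
}

# Count certificate blocks in the PEM chain on stdin. A count of 1 means the
# peer sent only its own certificate, which the protocol allows.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----'; }

# Print only the last certificate block of the PEM chain on stdin; the
# issuer certificates follow the leaf, so the CA (if sent) comes last.
last_cert_in_chain() {
    awk '/-----BEGIN CERTIFICATE-----/ { buf = "" }
         { buf = buf $0 "\n" }
         /-----END CERTIFICATE-----/ { last = buf }
         END { printf "%s", last }'
}

# True when the PEM certificate in file $1 verifies against itself as the
# only trust anchor, i.e. it is self-signed with a valid signature. Only
# such a certificate can serve as the CA for later connections.
is_self_signed() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# bootstrap_ca_cert CHAIN_FILE CACERT_PEM: if CACERT_PEM exists, use it
# unchanged; otherwise save the last certificate of CHAIN_FILE there, but
# only if it is self-signed. Returns 1 and writes nothing when bootstrap
# fails, which is what a peer that omits its CA certificate produces.
bootstrap_ca_cert() {
    chain=$1; out=$2
    if [ -f "$out" ]; then
        echo "using existing $out"; return 0
    fi
    if [ "$(count_certs < "$chain")" -eq 0 ]; then
        echo "no certificate presented by peer" >&2; return 1
    fi
    tmp=$(mktemp)
    last_cert_in_chain < "$chain" > "$tmp"
    if ! is_self_signed "$tmp"; then
        rm -f "$tmp"; echo "last certificate in chain is not self-signed" >&2
        return 1
    fi
    mv "$tmp" "$out"
    echo "saved CA certificate to $out; drop the connection, reconnect, verify"
}
```

Run `fetch_chain HOST PORT > chain.pem` once against the NB ovsdb-server and then `bootstrap_ca_cert chain.pem cacert.pem`; a failure here is the same condition under which `--bootstrap-ca-cert` cannot work.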