20 Multiple HTTPS/SSL Certificate Support
VNFM handles multiple SSL certificates automatically. During the SSL handshake with a cloud, the certificate presented by the cloud is added to the keystore automatically, and that keystore is then used for all subsequent OpenStack calls.
To verify that the certificate has been added to the keystore, perform the following steps.
- To check that the certificate has been added to the keystore file, execute:
keytool -v -list -keystore <NAME OF THE KEYSTORE FILE> -storepass <PASSWORD OF THE KEYSTORE>
For example:
keytool -v -list -keystore vnfm_default.jks -storepass password
This command lists all the certificates present in the keystore together with their details, such as the alias, the expiry date and the public key.
- To delete a certificate manually from the keystore, execute:
keytool -delete -keystore <NAME OF THE KEYSTORE FILE> -storepass <PASSWORD OF THE KEYSTORE> -alias <keyAlias>
Note:
- The keystore saves certificates and keys in its own format, so use only keytool to remove certificates. Editing the file by hand can corrupt the keystore. To remove all the certificates from the keystore, delete each one with the command above. Simply truncating the data disrupts the format of the encrypted data and can corrupt the keystore.
- If the following message is displayed in Swagger after the certificate is imported into vnfm_default.jks, follow the procedure Reboot Tomcat: "Reason: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:unable to find valid certification path to requested target"
VNFM supports both the HTTP and the HTTPS OpenStack VIM client. To add the HTTPS client to VNFM, perform the following steps:
- On the system where VNFM is deployed, add the OpenStack certificate under the /var/vnfm/certificate path to support the OpenStack HTTPS client.
Example: /var/vnfm/certificate/<certificate name>.pem
/var/vnfm/certificate/os-client-certificate-keystore.pem
Note: The certificate must be in PEM format only.
- To get the OpenStack client certificate, run the command:
Example:
echo -n | openssl s_client -connect <openstack stack ip>:5000 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > os-client-certificate-keystore.pem
echo -n | openssl s_client -connect 10.10.20.137:5000 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > os-client-certificate-keystore.pem
echo -n | openssl s_client -connect mvl-dev1.us.oracle.com:5000 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > os-client-certificate-keystore.pem
The command writes the server certificate to the os-client-certificate-keystore.pem file.
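The following script is an added example, not VNFM code or Oracle documentation. It applies the same BEGIN/END CERTIFICATE range as the sed command above, but goes one step further: when openssl s_client is run with -showcerts the transcript carries the whole chain rather than only the leaf, so the script splits each certificate into its own PEM file and checks that a file really is PEM text (the only format accepted under /var/vnfm/certificate). The transcript, the host name keystone.example.test, the "Constructed Test CA" issuer and all file names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the VNFM documentation or product code.
# Splits an `openssl s_client -showcerts` transcript into one PEM file per
# certificate and checks that a file is a PEM certificate, the only format
# VNFM accepts under /var/vnfm/certificate. File names and the transcript
# below are constructed for this example.

# Write a constructed s_client transcript (two-certificate chain, with
# placeholder base64 bodies, not real certificates) to the file named in $1.
write_sample_transcript() {
    cat > "$1" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = keystone.example.test
   i:CN = Constructed Test CA
-----BEGIN CERTIFICATE-----
MIIBconstructedLeafCertificateBodyNotARealCertificate==
-----END CERTIFICATE-----
 1 s:CN = Constructed Test CA
   i:CN = Constructed Test CA
-----BEGIN CERTIFICATE-----
MIIBconstructedCaCertificateBodyNotARealCertificate==
-----END CERTIFICATE-----
---
Server certificate
subject=CN = keystone.example.test
EOF
}

# Same BEGIN/END range as the sed command in the procedure, but each
# certificate goes to its own file "<prefix><n>.pem"; prints the count.
# $1 = transcript file, $2 = output path prefix
split_pem_chain() {
    awk -v prefix="$2" '
        /-BEGIN CERTIFICATE-/ { n++; out = prefix n ".pem" }
        out != ""             { print > out }
        /-END CERTIFICATE-/   { close(out); out = "" }
        END                   { print n + 0 }
    ' "$1"
}

# Succeeds only if $1 holds a BEGIN/END CERTIFICATE pair and no binary
# bytes (a DER or PKCS#12 file copied by mistake fails this check).
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1" &&
    ! LC_ALL=C grep -q '[^[:print:][:space:]]' "$1"
}

# Demo: split the constructed transcript in a temporary directory.
demo_dir=$(mktemp -d)
write_sample_transcript "$demo_dir/s_client.txt"
echo "certificates found: $(split_pem_chain "$demo_dir/s_client.txt" "$demo_dir/os-cert")"
```

On a real transcript, run split_pem_chain with a prefix under /var/vnfm/certificate, then inspect each file with openssl x509 -noout -subject -enddate -fingerprint -sha256 -in <file> and compare the fingerprint with the value the cloud operator provides before VNFM starts trusting it.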