Creating the SDN Controller keystore and truststore

To create the keystore and trust store, use the following procedure.

  1. Login to the system running the SDN Controller and stop the controller.

  2. As the SDN user (i.e. sudo - sdn), do the following:

  3. Back up your default /opt/sdn/admin/keystore and /opt/sdn/admin/truststore to a safe location.

  4. Create a new keystore using the following commands:

    cd /opt/sdn/admin

    rm keystore truststore

    keytool -genkey -alias serverKey -keyalg rsa -keysize 2048 -keystore keystore

    You must enter the fully qualified domain name of your server at the "first and last name" prompt, because some CAs, such as VeriSign, require it.

  5. Generate a CSR (Certificate Signing Request) for signing:

    keytool -keystore keystore -certreq -alias serverKey -keyalg rsa -file sdn-server.csr

  6. Send the sdn-server.csr to a CA to be signed.

    The CA will authenticate you and return a signed certificate together with its CA certificate chain. This procedure assumes the signed certificate returned by the CA is named signed.cer and the CA's certificate is named root.cer. If root.cer comes from your own internal CA, you also need to import root.cer into your browser as a trusted authority.

  7. Import the CA's root certificate into both your keystore and your truststore:

    keytool -importcert -trustcacerts -keystore keystore -file root.cer -alias CARoot

    keytool -importcert -trustcacerts -keystore truststore -file root.cer -alias CARoot

  8. Replace your self-signed certificate in your serverKey entry with the signed certificate from your CA (signed.cer).

    keytool -importcert -keystore keystore -file signed.cer -alias serverKey

  9. If you are operating a team of controllers in your environment, turn off self-signing for inter-controller communication:

    Under /opt/sdn/virgo/repository/usr, change the "selfsigned" value to false in the following component properties file:

    com.hp.sdn.misc.ServiceRestComponent.properties

  10. If you set a keystore password other than the default "skyline", edit /opt/sdn/virgo/configuration/tomcat-server.xml and change the keystorePass value in the <Connector port="8443"…> tag to the new keystore password.

  11. Start the controller. Continue to the next section if you are using a different keystore and truststore password than the default "skyline" password.
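The following script is an added example, not part of the HP documentation: it runs steps 4 through 8 above in a temporary directory against a stand-in CA created locally with keytool -gencert (in production the CSR goes to a real CA), and then verifies the result the way an operator should before starting the controller. The storepass "changeit", the hostname, the CA alias and the temporary paths are assumptions.

```shell
#!/bin/sh
# Added example (not HP's code): exercise the keystore/truststore procedure against a
# throw-away CA, then check that serverKey really carries a CA-issued chain.
set -eu

# Return 0 only if serverKey in KEYSTORE is a private-key entry whose chain length is >= 2
# (the self-signed certificate was replaced) and TRUSTSTORE contains the CARoot entry.
verify_sdn_stores() {
  ks=$1; ts=$2; pw=$3
  out=$(keytool -list -v -keystore "$ks" -storepass "$pw" -alias serverKey 2>/dev/null) || return 1
  printf '%s\n' "$out" | grep -q 'Entry type: PrivateKeyEntry' || return 1
  chain=$(printf '%s\n' "$out" | sed -n 's/^Certificate chain length: //p')
  [ "${chain:-1}" -ge 2 ] || return 1
  keytool -list -keystore "$ts" -storepass "$pw" -alias CARoot >/dev/null 2>&1
}

# Steps 4-8 in a temp dir. The CA is simulated with keytool -gencert (assumption);
# with a real CA, signed.cer and root.cer are the files the CA returns.
demo_sdn_pki() {
  dir=$(mktemp -d); pw=changeit; host=sdn.example.test   # assumed values
  cd "$dir"
  # Stand-in root CA: self-signed key pair marked as a CA via BasicConstraints.
  keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -dname "CN=Demo Root CA" \
    -ext bc:c -validity 30 -keystore ca.jks -storepass "$pw" -keypass "$pw"
  keytool -exportcert -alias ca -keystore ca.jks -storepass "$pw" -rfc -file root.cer
  # Step 4: server key pair; the CN must be the controller's FQDN.
  keytool -genkeypair -alias serverKey -keyalg RSA -keysize 2048 -dname "CN=$host" \
    -validity 30 -keystore keystore -storepass "$pw" -keypass "$pw"
  # Step 5: CSR. Step 6 (CA signing) is simulated locally with -gencert.
  keytool -certreq -alias serverKey -keystore keystore -storepass "$pw" -file sdn-server.csr
  keytool -gencert -alias ca -keystore ca.jks -storepass "$pw" -infile sdn-server.csr \
    -outfile signed.cer -rfc -validity 30 -ext "san=dns:$host"
  # Step 7 (truststore half). The keystore entry is still self-signed here, so the
  # verification must fail: a quick way to catch a skipped step 8 in the field.
  keytool -importcert -noprompt -alias CARoot -file root.cer -keystore truststore -storepass "$pw"
  if verify_sdn_stores keystore truststore "$pw"; then echo "self-signed entry passed"; return 1; fi
  # Step 7 (keystore half) and step 8: trust the root, then replace serverKey's certificate.
  keytool -importcert -noprompt -trustcacerts -alias CARoot -file root.cer -keystore keystore -storepass "$pw"
  keytool -importcert -noprompt -alias serverKey -file signed.cer -keystore keystore -storepass "$pw"
  verify_sdn_stores keystore truststore "$pw"
}
```

Run verify_sdn_stores against /opt/sdn/admin/keystore and /opt/sdn/admin/truststore with your real password before starting the controller; a chain length of 1 means step 8 did not take effect.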