Certificate authority and wildcard certificates
When configured to accept SSL connections, all server processes (p4d, p4p, p4broker) require a valid certificate and key pair on startup. The key and certificate files are stored in the directory specified by the P4SSLDIR environment variable. Before following the steps at Generate key and certificate, be aware of the situations that apply when you use a certificate issued by a certificate authority (CA) or a wildcard certificate.
If you are using certificates from a Certificate Authority
If you have a server certificate issued by a trusted certificate authority (CA):
- Put the server certificate and any intermediate certificates into the certificate.txt file.
- Ensure that the server certificate comes first, before any intermediate certificates.
- Make sure each following intermediate certificate directly certifies the one preceding it, that is, each certificate in the file is the issuer of the certificate immediately above it. The root certificate does not need to be included.
Certificates that chain to a CA the client already trusts do not require the P4TRUST mechanism. To learn more, see SSL/TLS connections that do not require P4TRUST in the P4 CLI Reference.
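The following script is an added example and is not part of the Perforce documentation. It builds a throw-away root, intermediate and server chain with openssl, writes certificate.txt in the order required above (server certificate first, then the intermediate that signed it, root left out), and checks that order by confirming that each certificate's issuer is the subject of the next one in the file. The CA names, the hostname p4.mycompany.com, the helper function names and the use of openssl are the example's own assumptions; only the file name certificate.txt (and its companion privatekey.txt, the key file p4d reads from P4SSLDIR) and the ordering rule come from the documentation.

```shell
#!/bin/sh
# Added example, not from the Perforce documentation. Creates a test chain,
# installs it into a P4SSLDIR layout and checks the certificate.txt order.
# CA names, hostname and helper names are assumptions made for this example.

# make_chain DIR: create root.pem, inter.pem, server.pem and server.key in DIR
make_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:p4.mycompany.com\n' > "$d/server.ext"
  # root CA: self-signed
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Root' \
      -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
      -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # intermediate CA: signed by the root
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate' \
      -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
      -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  # server certificate: signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=p4.mycompany.com' \
      -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
      -CAcreateserial -days 1 -extfile "$d/server.ext" -out "$d/server.pem" 2>/dev/null
}

# install_p4ssl CHAINDIR P4SSLDIR: certificate.txt = server cert, then intermediate;
# the root is deliberately left out. The key goes into privatekey.txt.
install_p4ssl() {
  mkdir -p "$2"
  cat "$1/server.pem" "$1/inter.pem" > "$2/certificate.txt"
  cp "$1/server.key" "$2/privatekey.txt"
  chmod 700 "$2"; chmod 600 "$2/privatekey.txt"   # keep the private key private
}

# name_field FILE subject|issuer: print the DN in RFC 2253 form with the prefix stripped
name_field() {
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# check_chain_order BUNDLE: return 0 if every certificate after the first directly
# certifies the one before it (issuer of N equals subject of N+1), else 1
check_chain_order() {
  tmp=$(mktemp -d)
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/c%03d.pem", dir, n) }
    n { print > f }
    /-----END CERTIFICATE-----/ { close(f) }' "$1"
  [ -s "$tmp/c001.pem" ] || { rm -rf "$tmp"; return 1; }
  rc=0; prev_issuer=
  for c in "$tmp"/c*.pem; do
    subj=$(name_field "$c" subject); iss=$(name_field "$c" issuer)
    if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
      echo "order error: expected '$prev_issuer' next, found '$subj'" >&2; rc=1
    fi
    prev_issuer=$iss
  done
  rm -rf "$tmp"
  return $rc
}

WORK=$(mktemp -d)
make_chain "$WORK"
install_p4ssl "$WORK" "$WORK/p4ssl"
check_chain_order "$WORK/p4ssl/certificate.txt" && echo "certificate.txt order OK"
# The same check catches the common mistake of listing the intermediate first.
cat "$WORK/inter.pem" "$WORK/server.pem" > "$WORK/wrong.txt"
check_chain_order "$WORK/wrong.txt" || echo "wrong.txt rejected, as expected"
# openssl's own path validation: the root is the trust anchor, certificate.txt supplies the rest
openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/p4ssl/certificate.txt" "$WORK/server.pem"
```

Run check_chain_order against a real certificate.txt before starting p4d with P4SSLDIR pointing at it; an order error there shows up later as clients failing to build a trust path even though the server starts.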
If you are using wildcard certificates and certificates with the Subject Alternative Name field
Any client application using the P4 C/C++ API supports wildcard certificates and the subject alternative name field for certificate validation. This includes not only applications like the P4V Visual Client, but also any p4 product that is acting as a client, such as the P4 CLI, P4 Broker, P4 API for PHP scripts, and a replica or edge P4D.
The wildcard must appear in the certificate Subject's Common Name (CN) field. Only one wildcard is supported, and it must be the left-most label, for example:
*.mycompany.com
The Subject Alternative Name (SAN) field is also checked for a match against the hostname in P4PORT.
DNS and IP SAN values are supported, but a wildcard DNS SAN value is not.
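The following matcher is an added example and is not code from the Perforce documentation or the P4 API. It applies the rules stated above (one wildcard, left-most label, in the CN only; SAN DNS and IP values checked; wildcard SAN DNS values ignored) to the host part of a P4PORT value, so you can predict whether a certificate will validate for a given P4PORT before deploying it. Assumptions not stated on the page: a wildcard matches exactly one DNS label, names are compared case-insensitively, P4PORT uses the ssl:host:port form, and the SAN list is given as comma-separated DNS:name / IP:addr entries (the syntax used in openssl extension files). The function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the Perforce documentation or the P4 API. Assumptions:
# single-label wildcard match, case-insensitive names, P4PORT as ssl:host:port,
# SAN list as "DNS:name,IP:addr,...". All function names are this example's own.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# p4port_host P4PORT: print the host part of ssl:host:port (empty if there is none)
p4port_host() {
  p=${1#ssl:}
  case $p in
    \[*\]:*) p=${p#\[}; printf '%s\n' "${p%%\]:*}" ;;   # ssl:[2001:db8::1]:1666
    *:*)     printf '%s\n' "${p%:*}" ;;                 # ssl:p4.mycompany.com:1666
    *)       printf '\n' ;;                              # ssl:1666 carries no host
  esac
}

# valid_wildcard CN: 0 if CN is a wildcard of the form the page allows:
# exactly one '*', and it is the whole left-most label
valid_wildcard() {
  case $1 in
    \*.?*) case ${1#\*.} in *\**) return 1 ;; esac; return 0 ;;
    *)     return 1 ;;
  esac
}

# dns_match PATTERN HOST: 0 if HOST equals PATTERN, or PATTERN is a valid CN
# wildcard and HOST is exactly one label under its suffix
dns_match() {
  pat=$(lower "$1"); h=$(lower "$2")
  case $pat in
    *\**)
      valid_wildcard "$pat" || return 1      # "p4-*.mycompany.com", "*.*.com": rejected
      first=${h%%.*}; rest=${h#*.}
      if [ -n "$first" ] && [ "$rest" != "$h" ] && [ "$rest" = "${pat#\*.}" ]; then
        return 0
      fi
      return 1 ;;
    *)
      if [ "$pat" = "$h" ]; then return 0; fi
      return 1 ;;
  esac
}

# san_match SANLIST HOST: 0 if a DNS: or IP: entry matches HOST.
# A wildcard in a SAN DNS entry is not supported, so such entries never match.
san_match() {
  rest=$1
  while [ -n "$rest" ]; do
    entry=${rest%%,*}
    if [ "$entry" = "$rest" ]; then rest=; else rest=${rest#*,}; fi
    entry=${entry# }                         # tolerate "DNS:a, DNS:b"
    case $entry in
      DNS:*\**) ;;                           # wildcard SAN: skipped
      DNS:*)    dns_match "${entry#DNS:}" "$2" && return 0 ;;
      IP:*)     [ "$(lower "${entry#IP:}")" = "$(lower "$2")" ] && return 0 ;;
    esac
  done
  return 1
}

# cert_matches_p4port CN SANLIST P4PORT: 0 if the certificate would validate for P4PORT's host
cert_matches_p4port() {
  host=$(p4port_host "$3")
  [ -n "$host" ] || return 1
  if dns_match "$1" "$host"; then return 0; fi
  san_match "$2" "$host"
}

# Constructed sample: a wildcard CN plus one DNS and one IP SAN, tried against three P4PORTs
for port in ssl:p4.mycompany.com:1666 ssl:build.p4.mycompany.com:1666 ssl:10.0.0.5:1666; do
  if cert_matches_p4port '*.mycompany.com' 'DNS:git.mycompany.com,IP:10.0.0.5' "$port"; then
    echo "$port: matches"
  else
    echo "$port: no match"
  fi
done
```

The second P4PORT in the sample fails on purpose: build.p4.mycompany.com has two labels under mycompany.com, and under the single-label assumption *.mycompany.com covers only p4.mycompany.com. If your deployment relies on deeper names, issue a certificate whose CN or SAN names them explicitly rather than relying on the wildcard.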