ETSI GR NFV-SEC 005 V1.2.1 (2021-07)

ETSI GR NFV-SEC 005 V1.2.1 (2021-07)






GROUP REPORT
Network Functions Virtualisation (NFV);
Trust;
Report on Certificate Management
Disclaimer
The present document has been produced and approved by the Network Functions Virtualisation (NFV) ETSI Industry
Specification Group (ISG) and represents the views of those members who participated in this ISG.
It does not necessarily represent the views of the entire ETSI membership.

---------------------- Page: 1 ----------------------
2 ETSI GR NFV-SEC 005 V1.2.1 (2021-07)

Reference
RGR/NFV-SEC005ed121
Keywords
certificate, NFV, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - APE 7112B
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° w061004871

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI
deliverable is the one made publicly available in PDF format at www.etsi.org/deliver.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Notice of disclaimer & limitation of liability
The information provided in the present deliverable is directed solely to professionals who have the appropriate degree of
experience to understand and interpret its content in accordance with generally accepted engineering or
other professional standard and applicable regulations.
No recommendation as to products and services or vendors is made or should be implied.
No representation or warranty is made that this deliverable is technically accurate or sufficient or conforms to any law
and/or governmental rule and/or regulation and further, no representation or warranty is made of merchantability or fitness
for any particular purpose or against infringement of intellectual property rights.
In no event shall ETSI be held liable for loss of profits or any other incidental or consequential damages.

Any software contained in this deliverable is provided "AS IS" with no warranties, express or implied, including but not
limited to, the warranties of merchantability, fitness for a particular purpose and non-infringement of intellectual property
rights and ETSI shall not be held liable in any event for any damages whatsoever (including, without limitation, damages
for loss of profits, business interruption, loss of information, or any other pecuniary loss) arising out of or related to the use
of or inability to use the software.
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and
microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2021.
All rights reserved.

ETSI

---------------------- Page: 2 ----------------------
3 ETSI GR NFV-SEC 005 V1.2.1 (2021-07)
Contents
Intellectual Property Rights . 5
Foreword . 5
Modal verbs terminology . 5
1 Scope . 6
2 References . 6
2.1 Normative references . 6
2.2 Informative references . 6
3 Definition of terms, symbols and abbreviations . 7
3.1 Terms . 7
3.2 Symbols . 7
3.3 Abbreviations . 7
4 Rationale and approach for the use of public key certificates . 8
4.1 Scope . 8
4.2 PKI Participants . 8
4.2.0 Introduction. 8
4.2.1 Certificate Authorities . 9
4.2.2 Registration Authorities . 9
4.2.3 Subscribers . 9
4.2.4 Relying Parties . 10
4.2.5 Auditors . 10
4.3 Mapping of secure relationships to NFV reference points . 10
4.4 Use Cases for the use of certificates in NFV . 11
4.5 Considerations for PKC validation . 12
4.5.1 Certificate path building and chain validation . 12
5 Use cases for the use of certificates in NFV. 14
5.1 VNF certificate use case . 14
5.1.0 Introduction to use cases . 14
5.1.1 Use case #1: VNF management connection . 14
5.1.2 Use case #2: VNF transport connection . 15
5.2 MANO certificate use case . 16
5.3 OSS/BSS/EM certificate use case . 16
6 Analysis . 16
6.1 General . 16
6.2 Deployment scenarios . 16
7 Certificate management framework . 21
7.1 Certificate hierarchy . 21
7.2 Certificate category . 22
8 NFV certificate lifecycle management . 23
8.1 Certificate generation . 23
8.1.1 Initial Credential . 23
8.1.1.1 Key pair generation . 23
8.1.1.1.1 Option 1: NFVI generates key pair . 23
8.1.1.1.2 Option 2: HMEE generates key pair . 24
8.1.1.1.3 Option 3: HSM generates key pair . 25
8.1.2 VNFCI Certificate . 27
8.1.2.0 Introduction to VNFCI certificate issuance . 27
8.1.2.1 Option 1: VNFCI generates key pair, constructs and signs certificate request . 27
8.1.2.2 Option 2: VNFCI generates key pair, constructs certificate request, and VNFM signs certificate
request . 29
8.2 Certificate update . 32
9 NFV Certificate Management . 32
ETSI

---------------------- Page: 3 ----------------------
4 ETSI GR NFV-SEC 005 V1.2.1 (2021-07)
9.0 Introduction . 32
9.1 MANO and other functional blocks . 32
9.2 Tenant domain . 33
9.2.1 VNF certificate . 33
9.2.1.0 Introduction . 33
9.2.1.1 ID and certificate management in VNF . 33
9.2.1.2 Certificate lifecycle and VNF lifecycle . 37
9.2.1.3 VNF instantiation . 37
9.2.1.4 VNF scaling . 38
9.2.1.5 VNF migration . 38
9.2.1.6 VNF update/upgrade . 38
9.2.1.7 VNF termination . 39
9.3 Certificate Provisioning . 39
9.4 Trust chain management . 40
10 Recommendations . 40
10.1 Overview . 40
10.2 General recommendations . 41
10.3 Functional recommendations. 41
10.4 Reference points and/or interfaces recommendations . 43
10.5 Various considerations for certificate automation, trust handling and PKI structures . 45
10.5.1 Concepts . 45
10.5.2 Certificate categories . 45
10.5.3 Trust assumptions . 47
10.5.4 Proposed PKI Structure . 48
11 Conclusion . 50
History . 51

ETSI

---------------------- Page: 4 ----------------------
5 ETSI GR NFV-SEC 005 V1.2.1 (2021-07)
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The declarations
pertaining to these essential IPRs, if any, are publicly available for ETSI members and non-members, and can be
found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to
ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the
ETSI Web server (https://ipr.etsi.org/).
Pursuant to the ETSI Directives including the ETSI IPR Policy, no investigation regarding the essentiality of IPRs,
including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not
referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become,
essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are trademarks of ETSI registered for the benefit of its

Members. 3GPP™ and LTE™ are trademarks of ETSI registered for the benefit of its Members and of the 3GPP
Organizational Partners. oneM2M™ logo is a trademark of ETSI registered for the benefit of its Members and of the
®
oneM2M Partners. GSM and the GSM logo are trademarks registered and owned by the GSM Association.
Foreword
This Group Report (GR) has been produced by ETSI Industry Specification Group (ISG) Network Functions
Virtualisation (NFV).
Modal verbs terminology
In the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be
interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
ETSI

---------------------- Page: 5 ----------------------
6 ETSI GR NFV-SEC 005 V1.2.1 (2021-07)
1 Scope
The present document provides guidance to the development community on the use of Public Key Certificates,
Attribute Certificates and the supporting infrastructure, including Registration Authorities, and Certificate Authorities.
The present document provides this guidance in the context of a number of use cases and references to other
publications of ETSI ISG NFV.
2 References
2.1 Normative references
Normative references are not applicable in the present document.
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] Void.
[i.2] ETSI GS NFV 002: "Network Functions Virtualisation (NFV); Architectural Framework".
[i.3] ETSI GS NFV 003: "Network Functions Virtualisation (NFV); Terminology for Main Concepts in
NFV".
[i.4] ETSI GS NFV 004: "Network Functions Virtualisation (NFV); Virtualisation Requirements".
[i.5] ETSI GS NFV-MAN 001: "Network Functions Virtualisation (NFV); Management and
Orchestration".
[i.6] Void.
[i.7] Void.
[i.8] ETSI GS NFV-SEC 001: "Network Functions Virtualisation (NFV); NFV Security; Problem
Statement".
[i.9] Void.
[i.10] ETSI GS NFV-SEC 009: "Network Functions Virtualisation (NFV); NFV Security; Report on use
cases and technical approaches for multi-layer host administration".
[i.11] ETSI GS NFV-SEC 012: "Network Functions Virtualisation (NFV) Release 3; Security; System
architecture specification for execution of sensitive NFV components".
[i.12] Void.
[i.13] Recommendation ITU-T X.509: "Information technology - Open Systems Interconnection - The
Directory: Public-key and attribute certificate frameworks".
[i.14] IETF RFC 3647: "Internet X.509 Public Key Infrastructure Certificate Policy and Certification
Practices Framework".
ETSI

---------------------- Page: 6 ----------------------
7 ETSI GR NFV-SEC 005 V1.2.1 (2021-07)
[i.15] IETF RFC 8446: "The Transport Layer Security (TLS) Protocol Version 1.3".
[i.16] IETF RFC 7030: "Enrollment over Secure Transport".
[i.17] IETF RFC 5280: "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation
List (CRL) Profile".
[i.18] IETF RFC 4210: "Internet X.509 Public Key Infrastructure Certificate Management Protocol
(CMP)".
[i.19] ETSI TS 133 310: "Universal Mobile Telecommunications System (UMTS); LTE; Network
Domain Security (NDS); Authentication Framework (AF) (3GPP TS 33.310)".
[i.20] IETF RFC 8894: "Simplified Certificate Enrollment Protocol".
[i.21] IETF RFC 8295: "EST (Enrollment over Secure Transport) Extensions".
[i.22] ETSI GS NFV-SEC 021: "Network Functions Virtualisation (NFV) Release 2; Security; VNF
Package Security Specification".
[i.23] ETSI GS NFV-SEC 023: "Network Functions Virtualisation (NFV) Release 4; Security; Container
Security Specification".
[i.24] ETSI GS NFV-IFA 040: "Network Functions Virtualisation (NFV) Release 4; Management and
Orchestration; Requirements for service interfaces and object model for OS container management
and orchestration specification".
®
[i.25] Kubernetes API v1.21.
NOTE: Available at https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/.
3 Definition of terms, symbols and abbreviations
3.1 Terms
For the purposes of the present document, the terms given in ETSI GS NFV 003 [i.3] and the following apply:
attribute certificate: data structure, digitally signed by an Attribute Authority, that binds some attribute values with
identification information about its holder
trust chain: data structure, containing a sequence of Certificate Authority certificates where each certificate is signed
by the subsequent certificate in the file, ending in a root Certificate Authority certificate
3.2 Symbols
Void.
3.3 Abbreviations
For the purposes of the present document, the abbreviations given in ETSI GS NFV 003 [i.3] and the following apply:
CA Certificate Authority
CP Certificate Policy
PKC Public Key Certificate
PKI Public Key Infrastructure
RA Registration Authority
RCA Root CA
ETSI

---------------------- Page: 7 ----------------------
8 ETSI GR NFV-SEC 005 V1.2.1 (2021-07)
4 Rationale and approach for the use of public key
certificates
4.1 Scope
The present document provides a guide to the use of Public Key Infrastructures (PKI) for the purpose of distributing
Public Key Certificates (PKC) as applicable to the ETSI ISG NFV for the support of Public Key Cryptography in
authenticating, authorizing and encrypting links between objects in NFV.
Each operator should develop Certificate Policy in accordance with their regional and national requirements. The
present document assumes that the reader is generally familiar with Digital Signatures, PKIs, and core ETSI NFV
specifications. The present document is consistent with the Internet X.509 Certificate Policy and Certification Practices
Framework as defined in IETF RFC 3647 [i.14]. The certificate policy defines the structure of PKI.
NOTE: The PKIs described in the present document are privately managed, thus non-private (non-permissioned)
PKIs are out of scope of the present document.
4.2 PKI Participants
4.2.0 Introduction
An NFV PKI can be implemented as a multi-tier hierarchy with a Root Certification Authority (RCA) at tier 1. There
may be many certificate chains anchored by the RCA. Identified chains can be organized functionally and might include
NFVI, VNF, MANO, and Support (such as OSS/BSS). A representative certificate hierarchy is shown in figure 4.2.0-1.
The fewer tiers there are in the hierarchy, the smaller attack surface is, at the cost of limiting the number of trust
domains.
The end-entity certificate, its private key, and all sub-CA certificates for a given CA chain should be installed on the
device (hardware resource or software element, as appropriate). During authentication messaging exchange (using TLS
or similar protocol) the end-entity and all sub-CA chain certificates should be sent to the other end point.
Root CA
Security Monitor
NFVI Sub-CA MANO Sub-
VNF Sub-CA LI Sub-CA
Sub-CA
CA
NFVO
NFVI LI Element
VNFI
Security Monitor
Element
VNFM
VNFCI
VIM

Figure 4.2.0-1: ETSI NFV PKI Certificate Hierarchy
ETSI

---------------------- Page: 8 ----------------------
9 ETSI GR NFV-SEC 005 V1.2.1 (2021-07)
Support of multiple roots is possible and when used it is expected to be specified by the operator. To anchor trust,
certificates issued in ecosystems comprised of multiple roots have to be verifiable (chainable) to the corresponding root.
This may be accomplished by cross signing certificates or allowing subscribers to honour multiple roots. This may
provide ecosystem supply chain benefits at the risk of a substantially increased PKI attack surface. Furthermore, PKI
operations of either deploying multiple valid chains or executing cross signing while achieving security over time has
proven difficult.
PKI participants can include registration authorities, subscribers, relying parties, and auditors. PKI participants are
described below.
4.2.1 Certificate Authorities
The entities called Certificate Authorities (CAs) are the heart of the ETSI NFV PKI. The CA is an aggregate term
encompassing the collection of hardware, software, and operating personnel that create, sign, and issue public key
certificates to Subscribers or other CAs. The CAs are responsible for:
• Implementing and maintaining a Certificate Policy (CP).
• Issuing compliant certificates.
• Delivery of certificates to Subscribers in accordance with the CP and other documents such as a Subscriber
Agreement.
• Revocation of certificates.
• Generation of key pairs, protection, operation, and destruction of CA private keys.
• CA certificate lifecycle management ensure that all aspects of the CA services, operations, and infrastructure
related to certificates issued under the CP are in fact compliant to the CP.
• Facilitating as a trusted party the confirmation of the binding between a public key and the identity, and/or
other attributes, of the "Subject" of the certificate.
Sub-CAs are operated by designated sub-CA service providers and issue end-entity device certificates to subscribers.
4.2.2 Registration Authorities
Registration authorities (RAs) are entities that enter into an agreement with a CA to collect and verify each Subscriber's
identity and information to be entered into the Subscriber's certificates. The RA performs its function in accordance
with the CP and will perform front-end functions of confirming the identity of the certificate applicant, approving or
denying certificate applications (manual) or requests (dynamic), requesting revocation of certificates, and managing
account renewals.
4.2.3 Subscribers
The Subscriber is an organization or process acting on behalf of an organization identified in a Digital Certificate
Subscriber Agreement (DCSA). The Subscriber is responsible for completing the certificate application or request. The
CA relies on the RA to confirm the identity of the Certificate Applicant and either approves or denies the application or
request. If approved, the RA communicates to the CA, and the Subscriber can then request certificates.
Subscribers are expected to comply to both CP requirements and any additional certificate management practices that
govern the Subscribers' request for certificates and for handling the corresponding private keys. The Subscriber agrees
to be bound by its obligations through execution of the DCSA between the Subscriber and the RA, and any other
applicable agreements.
Technically, CAs are also Subscribers of certificates within a PKI, either as a Root CA issuing a self-signed certificate
to itself, or as a sub-CA. However, in the present document, Subscriber apply only to the organization requesting device
certificates, including those Subscribers who may have arranged to have a sub-CA operated onsite at their facility.
ETSI

---------------------- Page: 9 ----------------------
10 ETSI GR NFV-SEC 005 V1.2.1 (2021-07)
4.2.4 Relying Parties
Relying Parties validate the binding of a public key to a Subscriber's name in a device certificate. The RP is responsible
for deciding whether or how to check the validity of a certificate by checking the appropriate certificate status
information. The RP can use the certificate to verify the integrity of a digitally signed message, to identify the initiator
of a communication, to attest the validity of a device setting or software component, or establish confidential
communications with the holder of the certificate. For instance, an NFVi resource can use the device certificate
presented by a Support server providing a firmware update and validate the signature of the signed firmware.
4.2.5 Auditors
PKI participants complia
...