Allow using pre-generated certificates

[louisroyer]

When using oauth, a new NRF certificate is generated at each restart of the NRF, and a new certificate is generated by the NRF for each NF at registration time, making hard to have different NFs on multiple machines not sharing a common filesystem.
When using a certificate from a read-only volume or from a docker secret, the NRF fails with the following:

nrf  | 2025-03-04T10:36:10.592280016Z [INFO][NRF][Init] generate new NRF cert [context.go:100][InitNrfContext()]
nrf  | 2025-03-04T10:36:10.594107273Z [ERRO][NRF][Init] NRF init: gen cert file create: open /run/secrets/openssl_nrf_sbi_pem: read-only file system [init.go:51][NewApp()]
nrf  | 2025-03-04T10:36:10.594123284Z [ERRO][NRF][Main] NRF Run Error: NRF init: gen cert file create: open /run/secrets/openssl_nrf_sbi_pem: read-only file system [main.go:37][main()]

1. Please allow using existing certificate if the file exists.
   

   nrf/internal/context/context.go

   Lines 99 to 105 in dd0a6e4

   	nrfCertPath := config.GetNrfCertPemPath()
   	logger.InitLog.Infof("generate new NRF cert")
   	nrfContext.NrfCert, err = oauth.GenerateCertificate(
   	string(nrfContext.NrfNfProfile.NfType), nrfContext.Nrf_NfInstanceID,
   	nrfCertPath, nrfContext.NrfPubKey, nrfContext.RootCert, nrfContext.RootPrivKey)
   	if err != nil {
   	return errors.Wrapf(err, "NRF init")

2. Same here:
   

   nrf/internal/context/context.go

   Lines 191 to 197 in dd0a6e4

   	// Re-generate new NF's Certificate to new file
   	_, err = oauth.GenerateCertificate(
   	nfType, nfId, newCertPath, nfPubkey, nrfContext.RootCert, nrfContext.RootPrivKey)
   	if err != nil {
   	return errors.Wrapf(err, "sign NF cert")
   	}
   	}

3. And allow using a configurable basepath + filename for each NF certificate (specified by configuration file), or (ideally) retrieve NFs certificates directly from http at registration time.
   

   nrf/internal/context/context.go

   Lines 154 to 155 in dd0a6e4

   	nfCertPath := oauth.GetNFCertPath(factory.NrfConfig.GetCertBasePath(), nfType, "")
   	newCertPath := oauth.GetNFCertPath(factory.NrfConfig.GetCertBasePath(), nfType, nfId)

   
   https://github.com/free5gc/openapi/blob/6ef25ba56c887f5925b166dcc57cf5f10ed1e455/oauth/oauth.go#L303-L306

[andy89923]

We use NfId in the certificate, and the NfId is generated when the NF starts.
That is why NRF will generate a new certificate each time.

[andy89923]

If we predefine NfId in the config, with a bit of adjustment of code, the NRF certificate could be share before NFs start.

[louisroyer]

Since the "register IP" is supposed to be unique per Nf instance, maybe we could use UUID v5 (with the SHA-1 hashing of context.UriScheme + context.RegisterIPv4) instead of UUID v4 (pseudo-randomly generated) for NfId.
This will avoid users having to generate NfId themselves…
Nevermind, actually we can register multiple IPs per instance, so your config based approach is better.