Improve TLS handling with Fuel
We should improve TLS certificate handling in Fuel.
Specifically, we should provide the following capabilities:
1. Self signed certificate improvements:
Currently Fuel only provides ability to provide custom 'Common Name' attribute, which should usually match FQDN of Horizon virtual IP address. We should improve this and provide ability to input additional custom certificate attributes like: Country Name, State or Province Name, Locality Name, Organization Name, email address.
2. According to IETF specification [1] and urllib default behavior [2], it is desired to set 'Subject Alternate Name' and 'dNSName' in X.509 certificate attributes. Fuel should set properly not only CommonName attribute, but also assign subjectAltName and dNSName according to API endpoint IP addresses and DNS names or customer entered alternate names [3].
4. Customer's certificate improvements:
Provide ability to upload custom TLS certificates along with corresponding private key in two separate files.
As of Fuel 7.0 users are forced to couple TLS certificate along with private key in one file, which is not optimal for some users.
References:
[1] https:/
[2] https:/
[3] https:/
Blueprint information
- Status:
- Not started
- Approver:
- None
- Priority:
- Undefined
- Drafter:
- Adam Heczko
- Direction:
- Needs approval
- Assignee:
- None
- Definition:
- New
- Series goal:
- None
- Implementation:
-
Unknown
- Milestone target:
- None
- Started by
- Completed by
Related branches
Related bugs
Sprints
Whiteboard
Move CN to SAN: already done (https:/
