Improve TLS handling with Fuel

Registered by Adam Heczko

We should improve TLS certificate handling in Fuel.
Specifically, we should provide the following capabilities:

1. Self-signed certificate improvements:
Currently Fuel only lets the user supply a custom 'Common Name' attribute, which should usually match the FQDN of the Horizon virtual IP address. We should improve this and provide the ability to input additional custom certificate attributes such as: Country Name, State or Province Name, Locality Name, Organization Name, and email address.

2. According to the IETF specification [1] and urllib default behavior [2], it is desirable to set the 'Subject Alternative Name' and 'dNSName' X.509 certificate attributes. Fuel should properly set not only the CommonName attribute, but also assign subjectAltName and dNSName according to the API endpoint IP addresses and DNS names or customer-entered alternate names [3].

4. Customer's certificate improvements:
Provide the ability to upload a custom TLS certificate and its corresponding private key as two separate files.
As of Fuel 7.0, users are forced to bundle the TLS certificate and the private key in one file, which is not optimal for some users.
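
Items 1, 2 and 4 above can be illustrated together with the following added example, which is not Fuel code: it builds an OpenSSL request configuration carrying the extra subject attributes and a subjectAltName list that includes the Common Name. The function names, field selection and sample values are assumptions made for this illustration.

```python
import ipaddress
import re

# Subject attributes from item 1, as OpenSSL field names, in DN order.
SUBJECT_FIELDS = ("C", "ST", "L", "O", "CN", "emailAddress")


def classify_alt_name(name):
    """Return ('IP', value) or ('DNS', value) for one subjectAltName entry."""
    try:
        return "IP", str(ipaddress.ip_address(name))
    except ValueError:
        pass
    # Anything that is not an IP literal must look like a host name;
    # this also keeps whitespace and newlines out of the config file.
    if not re.fullmatch(r"[A-Za-z0-9*_.-]+", name):
        raise ValueError("not a valid DNS name or IP address: %r" % name)
    return "DNS", name


def build_openssl_config(subject, alt_names):
    """Render an `openssl req` config with subject attributes and SAN."""
    if "CN" not in subject:
        raise ValueError("subject needs a CN")
    unknown = set(subject) - set(SUBJECT_FIELDS)
    if unknown:
        raise ValueError("unsupported subject fields: %s" % sorted(unknown))
    if len(subject.get("C", "XX")) != 2:
        raise ValueError("Country Name must be a two-letter code")
    if any("\n" in v or "\r" in v for v in subject.values()):
        raise ValueError("subject values must be single-line")
    # RFC 2818: when a dNSName SAN is present, clients use it instead of
    # the CN, so the CN itself has to be repeated in the SAN list.
    entries = []
    for name in [subject["CN"], *alt_names]:
        entry = classify_alt_name(name)
        if entry not in entries:
            entries.append(entry)
    lines = ["[req]", "prompt = no", "distinguished_name = dn",
             "x509_extensions = v3_ext", "", "[dn]"]
    lines += ["%s = %s" % (k, subject[k]) for k in SUBJECT_FIELDS if k in subject]
    lines += ["", "[v3_ext]", "subjectAltName = @alt_names", "", "[alt_names]"]
    counters = {"DNS": 0, "IP": 0}
    for kind, value in entries:
        counters[kind] += 1
        lines.append("%s.%d = %s" % (kind, counters[kind], value))
    return "\n".join(lines) + "\n"
```

Saving the result as `san.cnf` and running `openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config san.cnf -keyout key.pem -out cert.pem` writes the private key and the certificate to two separate files, as item 4 requests.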

References:
[1] https://tools.ietf.org/html/rfc2818
[2] https://urllib3.readthedocs.org/en/latest/security.html
[3] https://wiki.openstack.org/wiki/SecureClientConnections

Blueprint information

Status: Not started
Approver: None
Priority: Undefined
Drafter: Adam Heczko
Direction: Needs approval
Assignee: None
Definition: New
Series goal: None
Implementation: Unknown
Milestone target: None

Whiteboard

Move CN to SAN: already done (https://review.openstack.org/#/c/237379)
