Use Certmonger to manage the certificates for Keystone

Registered by Adam Young

This blueprint has been superseded. See the newer blueprint "Deprecate pki_setup and ssl_setup" for updated plans.

Certmonger is a tool designed for requesting and refreshing X509 certificates: https://fedorahosted.org/certmonger/
It is supported on both Fedora- and Debian-based distributions, and can talk to multiple CA servers. Using it removes the OpenSSL-specific code in Keystone, and will provide a logical tie-in with a production PKI.

Blueprint information

Status: Complete
Approver: None
Priority: Undefined
Drafter: Adam Young
Direction: Needs approval
Assignee: None
Definition: Superseded
Series goal: None
Implementation: Unknown
Milestone target: None
Completed by: Morgan Fainberg

Whiteboard

As discussed at the summit, this work should not have any direct impact on keystone, but could potentially be demonstrated in devstack, docs, etc.

Disagree. It will be used to deprecate the PKI and SSL setup functions. Please leave the BP as a placeholder for that. Those functions need to be removed, as they are leading people into poor certificate management.

Gerrit topic: https://review.openstack.org/#q,topic:certmonger,n,z

Addressed by: https://review.openstack.org/134099
    certmonger


Work Items

Work items:
ayoung: add package dependency on certmonger: TODO
ayoung: change the call in pki_setup to be a getcert request using a self-signed CA: TODO
ayoung: provide additional options to pki_setup to register with an external CA: TODO
