Use Certmonger to manage the certificates for Keystone
Certmonger is a tool designed for requesting and refreshing X.509 certificates: https:/
It is supported on both Fedora- and Debian-based distributions and can talk to multiple CA servers. Using it removes the OpenSSL-specific code in Keystone and will provide a logical tie-in with a production PKI.
Blueprint information
- Status:
- Complete
- Approver:
- None
- Priority:
- Undefined
- Drafter:
- Adam Young
- Direction:
- Needs approval
- Assignee:
- None
- Definition:
- Superseded
- Series goal:
- None
- Implementation:
- Unknown
- Milestone target:
- None
- Started by
- Completed by
- Morgan Fainberg
Whiteboard
As discussed at the summit, this work should not have any direct impact on keystone, but could potentially be demonstrated in devstack, docs, etc.
Disagree. It will be used to deprecate the pki and ssl setup functions. Please leave BP as a placeholder for that. Those functions need to be removed, as they are leading people into poor certificate management.
Gerrit topic: https:/
Addressed by: https:/
certmonger
Work Items
Work items:
ayoung add package dependency on certmonger: TODO
ayoung change call in pki_setup to be a getcert request using self signed CA: TODO
ayoung provide additional options to pki_setup to register with external CA: TODO