← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1287414] [NEW] Keystone should not require CA key

 

Public bug reported:

Why do we need CA key?  In a real deployment I were to get a  cert for
my server from Verisign, then verisign won't provide its key.

Basically the code should work without CA key.


I believe it is not required for ssl setup and signing.


[ssl]
#enable = True
#certfile = /etc/keystone/ssl/certs/keystone.pem
#keyfile = /etc/keystone/ssl/private/keystonekey.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
#ca_key = /etc/keystone/ssl/private/cakey.pem
#key_size = 1024
#valid_days = 3650
#cert_required = False
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost

[signing]
# Deprecated in favor of provider in the [token] section
# Allowed values are PKI or UUID
#token_format =

#certfile = /etc/keystone/ssl/certs/signing_cert.pem
#keyfile = /etc/keystone/ssl/private/signing_key.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
#ca_key = /etc/keystone/ssl/private/cakey.pem
#key_size = 2048
#valid_days = 3650
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1287414

Title:
  Keystone should not require CA key

Status in OpenStack Identity (Keystone):
  New

Bug description:
  Why do we need CA key?  In a real deployment I were to get a  cert for
  my server from Verisign, then verisign won't provide its key.

  Basically the code should work without CA key.

  
  I believe it is not required for ssl setup and signing.

  
  [ssl]
  #enable = True
  #certfile = /etc/keystone/ssl/certs/keystone.pem
  #keyfile = /etc/keystone/ssl/private/keystonekey.pem
  #ca_certs = /etc/keystone/ssl/certs/ca.pem
  #ca_key = /etc/keystone/ssl/private/cakey.pem
  #key_size = 1024
  #valid_days = 3650
  #cert_required = False
  #cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost

  [signing]
  # Deprecated in favor of provider in the [token] section
  # Allowed values are PKI or UUID
  #token_format =

  #certfile = /etc/keystone/ssl/certs/signing_cert.pem
  #keyfile = /etc/keystone/ssl/private/signing_key.pem
  #ca_certs = /etc/keystone/ssl/certs/ca.pem
  #ca_key = /etc/keystone/ssl/private/cakey.pem
  #key_size = 2048
  #valid_days = 3650
  #cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1287414/+subscriptions


Follow ups

References