yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #11204
[Bug 1287414] Re: Keystone should not require CA key
Agree, there's no reason why the CA key should be specified in
keystone.conf when the path can be specified directly to ssl_setup /
pki_setup for bootstrapping a self-signed deployment.
** Changed in: keystone
Importance: Undecided => Low
** Changed in: keystone
Status: Invalid => Triaged
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1287414
Title:
Keystone should not require CA key
Status in OpenStack Identity (Keystone):
Triaged
Bug description:
Why do we need CA key? In a real deployment I were to get a cert for
my server from Verisign, then verisign won't provide its key.
Basically the code should work without CA key.
I believe it is not required for ssl setup and signing.
[ssl]
#enable = True
#certfile = /etc/keystone/ssl/certs/keystone.pem
#keyfile = /etc/keystone/ssl/private/keystonekey.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
#ca_key = /etc/keystone/ssl/private/cakey.pem
#key_size = 1024
#valid_days = 3650
#cert_required = False
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
[signing]
# Deprecated in favor of provider in the [token] section
# Allowed values are PKI or UUID
#token_format =
#certfile = /etc/keystone/ssl/certs/signing_cert.pem
#keyfile = /etc/keystone/ssl/private/signing_key.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
#ca_key = /etc/keystone/ssl/private/cakey.pem
#key_size = 2048
#valid_days = 3650
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1287414/+subscriptions
References
