Server Manager support for tls certificate and key distribution
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Juniper Openstack | Status tracked in Trunk | | |
R3.0 | Fix Committed | Critical | prasad miriyala |
Trunk | Fix Committed | Critical | prasad miriyala |
Bug Description
Server Manager will need to act as an interim CA during the provisioning phase and generate a key and certificate for each of the physical servers listed in testbed.py.
Server Manager needs to generate the following three files and copy them to each of the servers:
1) /etc/contrail/
2) /etc/contrail/
a) This is the certificate of the physical server, generated using the hostname (FQDN) in testbed.py.
b) Server Manager will need to sign the server certificate, generate server.pem and store it at the default location.
3) /etc/
This is the Server Manager (CA) certificate that the servers will use to verify that certificates were issued by a trusted CA.
The certificate is generated and stored at the default location.
In addition, Server Manager also needs to support a CRL (Certificate Revocation List), i.e. when a node is removed from
testbed.py its certs will need to be revoked and removed from the default location.
The following commands were used to generate the keys and certs and have them signed by the CA:
=======
Step 1: Generate a private key for the root CA
=======
openssl genrsa -out rootCA.key 1024
=======
Step 2: Generate a self-signed root CA certificate
=======
openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem
(Install rootCA.pem on all nodes as cacert.pem.)
=======
Step 3: Generate a private key for each of the nodes
=======
openssl genrsa -out server_a6s17.key 1024
=======
Step 4: Generate a CSR (Certificate Signing Request), which you will send to the CA
=======
openssl req -new -key server_a6s17.key -out server_a6s17.csr
=======
Step 5: Generate a root-CA-signed certificate
=======
openssl x509 -req -in server_a6s18.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server_a6s18.pem -days 365
=======
Verify the contents of the certificate
=======
openssl x509 -noout -text -in server.pem
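The steps above cover issuance but not the revocation the description asks for, and `openssl x509 -req` keeps no record of what it signed, so nothing can later be revoked. The script below is an added example, not Server Manager's own code, that runs the same interim-CA flow through `openssl ca` with a minimal database, so that a node removed from testbed.py can be revoked and a CRL produced. The hostnames `a6s17.example.com` and `a6s18.example.com`, the CA directory layout, the 2048-bit keys and the `CA_DIR` variable are constructed for the example; the paths are not the default locations the bug refers to.

```shell
#!/bin/sh
# Added example: Server Manager acting as interim CA, with issuance, per-node
# verification and CRL-based revocation. Assumes the openssl CLI (1.1.0 or newer).
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"   # working directory for the CA; constructed for this example

# One-time CA setup: database files that `openssl ca` needs, plus the root key/cert
# (the root cert is what every node installs as cacert.pem).
sm_ca_init() {
  mkdir -p "$CA_DIR/newcerts"
  : > "$CA_DIR/index.txt"
  echo 01 > "$CA_DIR/serial"
  echo 01 > "$CA_DIR/crlnumber"
  cat > "$CA_DIR/ca.cnf" <<EOF
[ ca ]
default_ca = sm_ca
[ sm_ca ]
dir              = $CA_DIR
database         = $CA_DIR/index.txt
new_certs_dir    = $CA_DIR/newcerts
certificate      = $CA_DIR/rootCA.pem
private_key      = $CA_DIR/rootCA.key
serial           = $CA_DIR/serial
crlnumber        = $CA_DIR/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName = supplied
EOF
  openssl genrsa -out "$CA_DIR/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$CA_DIR/rootCA.key" \
    -subj "/CN=server-manager-interim-CA" -days 1024 -out "$CA_DIR/rootCA.pem"
}

# Issue a key and CA-signed certificate for one physical server; $1 is its FQDN
# from testbed.py. The CN and a DNS SAN both carry the FQDN so TLS clients
# that check hostnames accept the certificate.
sm_issue_node_cert() {
  fqdn="$1"
  openssl genrsa -out "$CA_DIR/$fqdn.key" 2048 2>/dev/null
  openssl req -new -key "$CA_DIR/$fqdn.key" -subj "/CN=$fqdn" -out "$CA_DIR/$fqdn.csr"
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" > "$CA_DIR/$fqdn.ext"
  openssl ca -batch -config "$CA_DIR/ca.cnf" -extfile "$CA_DIR/$fqdn.ext" \
    -in "$CA_DIR/$fqdn.csr" -out "$CA_DIR/$fqdn.pem" 2>/dev/null
  # Files to copy to the node: $fqdn.key, $fqdn.pem, and rootCA.pem as cacert.pem.
}

# Node removed from testbed.py: revoke its certificate and regenerate the CRL.
sm_revoke_node_cert() {
  fqdn="$1"
  openssl ca -batch -config "$CA_DIR/ca.cnf" -revoke "$CA_DIR/$fqdn.pem" 2>/dev/null
  openssl ca -batch -config "$CA_DIR/ca.cnf" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
}

# Returns 0 only if the node's certificate chains to rootCA.pem, matches its
# hostname, and (once a CRL exists) has not been revoked.
sm_verify_node_cert() {
  fqdn="$1"
  if [ -f "$CA_DIR/crl.pem" ]; then
    openssl verify -crl_check -CAfile "$CA_DIR/rootCA.pem" -CRLfile "$CA_DIR/crl.pem" \
      -verify_hostname "$fqdn" "$CA_DIR/$fqdn.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$CA_DIR/rootCA.pem" \
      -verify_hostname "$fqdn" "$CA_DIR/$fqdn.pem" >/dev/null 2>&1
  fi
}

# Walk-through: two nodes provisioned, then a6s18 is removed from testbed.py.
sm_ca_init
sm_issue_node_cert a6s17.example.com
sm_issue_node_cert a6s18.example.com
sm_revoke_node_cert a6s18.example.com
for node in a6s17.example.com a6s18.example.com; do
  if sm_verify_node_cert "$node"; then echo "$node: valid"; else echo "$node: rejected"; fi
done
```

The run above prints `a6s17.example.com: valid` and `a6s18.example.com: rejected`. Signing through `openssl ca` instead of `openssl x509 -req` is what makes revocation possible: the serial of every issued certificate lands in `index.txt`, so `-revoke` can mark it and `-gencrl` can list it. Nodes that keep cacert.pem should also receive crl.pem, otherwise deleting a certificate from the default location only stops the removed node from presenting it, it does not stop anyone who copied it.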
Changed in juniperopenstack:
importance: Undecided → Critical
assignee: nobody → prasad miriyala (pmiriyala)
milestone: none → r3.0-fcs
tags: added: blocker
description: updated
description: updated
Changed in juniperopenstack:
milestone: none → r3.1.0.0-fcs
Changed in juniperopenstack:
milestone: none → r3.1.0.0-fcs
information type: Proprietary → Public
In case server-manager and server are the same, we will generate two separate private keys, and all keys and certs related to server-manager will be stored under /root.