Keystone should not require CA key

Bug #1287414 reported by Haneef Ali
This bug affects 1 person
Affects                       | Status    | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Won't Fix | Low        | Unassigned  |

Bug Description

Why do we need a CA key? In a real deployment, if I were to get a cert for my server from Verisign, then Verisign won't provide its key.

Basically the code should work without CA key.

I believe it is not required for ssl setup and signing.

[ssl]
#enable = True
#certfile = /etc/keystone/ssl/certs/keystone.pem
#keyfile = /etc/keystone/ssl/private/keystonekey.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
#ca_key = /etc/keystone/ssl/private/cakey.pem
#key_size = 1024
#valid_days = 3650
#cert_required = False
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost

[signing]
# Deprecated in favor of provider in the [token] section
# Allowed values are PKI or UUID
#token_format =

#certfile = /etc/keystone/ssl/certs/signing_cert.pem
#keyfile = /etc/keystone/ssl/private/signing_key.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
#ca_key = /etc/keystone/ssl/private/cakey.pem
#key_size = 2048
#valid_days = 3650
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com

Tags: pki
Revision history for this message
Adam Young (ayoung) wrote:

Keystone does not require a CA key, it generates one only for the "self-sign" use case. It does need a signing key and a certificate signed with that key for signing tokens. The text above is not used during normal operations, just during self-sign key generation.

Changed in keystone:
status: New → Invalid
Haneef Ali (haneef) wrote:

Those should be removed from config file as it is not required. Why do we want to have them in config file?

Dolph Mathews (dolph) wrote:

Agree, there's no reason why the CA key should be specified in keystone.conf when the path can be specified directly to ssl_setup / pki_setup for bootstrapping a self-signed deployment.

Changed in keystone:
importance: Undecided → Low
status: Invalid → Triaged
Dolph Mathews (dolph)
tags: added: pki
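The point made in the two comments above (the CA key is touched once, to issue the signing certificate, and token signing and verification then need only the signing key, the signing certificate and the CA certificate) can be shown end to end with openssl. The script below is an added example, not keystone's pki_setup or keystoneclient code: the openssl cms -sign/-verify invocations are modelled on what PKI token signing used, while the working directory, the file names (borrowed from the config fragment in the bug description), the second "other" CA and the token payload are all constructed for the example.

```shell
#!/bin/sh
# Added example (not keystone's own code): bootstrap a CA, issue a signing cert,
# delete the CA key, then sign and verify a token without it.
set -e

WORK="$(mktemp -d)"                     # assumption: scratch dir stands in for /etc/keystone/ssl
mkdir -p "$WORK/certs" "$WORK/private"
PAYLOAD='{"token":{"expires":"2015-11-12T00:00:00Z","user":"demo"}}'   # constructed payload

SUBJ_CA='/C=US/ST=Unset/L=Unset/O=Unset/CN=example-ca'
SUBJ_SIGNER='/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com'

make_pki() {
  # 1. Self-signed CA. In a real deployment this is the external CA; only the
  #    self-sign bootstrap case ever has cakey.pem on the keystone host.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/private/cakey.pem" -out "$WORK/certs/ca.pem" \
    -subj "$SUBJ_CA" >/dev/null 2>&1

  # 2. Signing key plus CSR: this is all an operator sends to a commercial CA.
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/private/signing_key.pem" -out "$WORK/signing.csr" \
    -subj "$SUBJ_SIGNER" >/dev/null 2>&1

  # 3. The CA issues the signing cert. This is the only step that uses cakey.pem.
  openssl x509 -req -in "$WORK/signing.csr" -days 3650 \
    -CA "$WORK/certs/ca.pem" -CAkey "$WORK/private/cakey.pem" -CAcreateserial \
    -out "$WORK/certs/signing_cert.pem" >/dev/null 2>&1

  # 4. An unrelated CA, used below to show that verification is anchored in ca.pem.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/private/other_cakey.pem" -out "$WORK/certs/other_ca.pem" \
    -subj '/CN=other-ca' >/dev/null 2>&1

  # 5. Throw the CA keys away: nothing after this point needs them.
  rm -f "$WORK/private/cakey.pem" "$WORK/private/other_cakey.pem" "$WORK/signing.csr"
}

# Sign a token with the signing key only. -nocerts keeps the signer cert out
# of the blob, so verifiers must hold signing_cert.pem themselves (as keystone
# services did); -nodetach embeds the payload so the CMS blob is the token.
sign_token() {
  printf '%s' "$1" >"$WORK/token.json"
  openssl cms -sign -in "$WORK/token.json" \
    -signer "$WORK/certs/signing_cert.pem" -inkey "$WORK/private/signing_key.pem" \
    -outform PEM -nosmimecap -nodetach -nocerts -noattr -out "$WORK/token.cms"
}

# Verify with public material only: the signer cert and a CA cert ($1).
# Prints the recovered payload on success, fails (non-zero) otherwise.
verify_token() {
  openssl cms -verify -in "$WORK/token.cms" -inform PEM \
    -certfile "$WORK/certs/signing_cert.pem" -CAfile "$1" 2>/dev/null
}

make_pki
sign_token "$PAYLOAD"
verify_token "$WORK/certs/ca.pem"
```

Run as-is and it prints the payload back; the CA key has already been deleted when that happens, which is the whole argument of the bug. Verifying the same blob against other_ca.pem fails, so the trust decision rests on ca_certs, and at no point does the keystone host need ca_key after the signing cert exists.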
Dave Chen (wei-d-chen)
Changed in keystone:
assignee: nobody → Dave Chen (wei-d-chen)
assignee: Dave Chen (wei-d-chen) → nobody
Changed in keystone:
assignee: nobody → Jason O'Brien (jason10258)
Changed in keystone:
assignee: Jason O'Brien (jason10258) → nobody
Changed in keystone:
assignee: nobody → Ron De Rose (ronald-de-rose)
OpenStack Infra (hudson-openstack) wrote: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/244414

Changed in keystone:
status: Triaged → In Progress
Morgan Fainberg (mdrnstm) wrote:

PKI Tokens are Deprecated - this was in support of pki tokens.

Changed in keystone:
status: In Progress → Won't Fix
Changed in keystone:
assignee: Ron De Rose (ronald-de-rose) → nobody
OpenStack Infra (hudson-openstack) wrote: Change abandoned on keystone (master)

Change abandoned by Ron De Rose (<email address hidden>) on branch: master
Review: https://review.openstack.org/244414
