Keystone should not require CA key
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Won't Fix
|
Low
|
Unassigned |
Bug Description
Why do we need CA key? In a real deployment I were to get a cert for my server from Verisign, then verisign won't provide its key.
Basically the code should work without CA key.
I believe it is not required for ssl setup and signing.
[ssl]
#enable = True
#certfile = /etc/keystone/
#keyfile = /etc/keystone/
#ca_certs = /etc/keystone/
#ca_key = /etc/keystone/
#key_size = 1024
#valid_days = 3650
#cert_required = False
#cert_subject = /C=US/ST=
[signing]
# Deprecated in favor of provider in the [token] section
# Allowed values are PKI or UUID
#token_format =
#certfile = /etc/keystone/
#keyfile = /etc/keystone/
#ca_certs = /etc/keystone/
#ca_key = /etc/keystone/
#key_size = 2048
#valid_days = 3650
#cert_subject = /C=US/ST=
tags: | added: pki |
Changed in keystone: | |
assignee: | nobody → Dave Chen (wei-d-chen) |
assignee: | Dave Chen (wei-d-chen) → nobody |
Changed in keystone: | |
assignee: | nobody → Jason O'Brien (jason10258) |
Changed in keystone: | |
assignee: | Jason O'Brien (jason10258) → nobody |
Changed in keystone: | |
assignee: | nobody → Ron De Rose (ronald-de-rose) |
Changed in keystone: | |
assignee: | Ron De Rose (ronald-de-rose) → nobody |
Keystone does not require a CA Key, it generates one only for the "self sign" use case. It does need a signing key and a certificate signed with that key for signing tokens. The text above is not used during normal operations, just during selfsign key generation.