Comment 2 for bug 1630513

Ante Karamatić (ivoks) wrote :

I'm not building an app, just trying to use Contrail with OpenStack configured with SSL and company-wide CA.

With current code, if I'd like Contrail to use SSL from compute node to keystone, I have two options. I can specify nothing in vnc_api_lib.ini or specify key, cert and CA. If I don't specify anything, then python will (or it should) read system-wide CAs. If python is well installed and configured, then this will just work. This is not the case with Juniper Contrail OpenStack, which installs python-certifi with a broken CA path (on Ubuntu, it overrides the system's default and points to a CA in /usr/share/python2.7/dist-packages... instead of pointing to /etc/ssl/certs/ca-certificates.crt).

So, now I'm on compute node that also uses vnc_api_lib.py and the only way to trigger requests.post(url, data=self._authn_body, headers=self._DEFAULT_AUTHN_HEADERS, verify=self._kscertbundle) is to specify a keyfile too (_use_ks_certs is set only when all three are defined).

The keyfile config option, according to the link above, is a private key of keystone.

Therefore, instead of relying only on CA or on CA and the cert, clients need to specify keystone's private key. Again, this is not actually required, but Contrail's vnc_api_lib for some reason requires it.
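As an added illustration (not code from the bug report or from Contrail), the gating described in the comment next to a variant where a CA bundle alone is enough, plus a helper showing which trust store requests ends up using when no verify path is passed. Function names are hypothetical; the real code builds self._kscertbundle, here the CA file is passed straight to verify.

```python
import os

# Ubuntu's system CA store, as named in the comment.
SYSTEM_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


def keystone_tls_kwargs_as_reported(keyfile, certfile, cafile):
    """Mirror the reported behaviour: the verify= argument is only passed
    to requests when key, cert and CA are all configured (_use_ks_certs)."""
    use_ks_certs = bool(keyfile and certfile and cafile)
    if not use_ks_certs:
        return {}  # requests falls back to its default trust store
    return {"verify": cafile}


def keystone_tls_kwargs_fixed(keyfile, certfile, cafile):
    """Variant where the CA bundle alone pins trust; a client certificate
    (cert + key) is optional and only added when both halves are present."""
    kwargs = {}
    if cafile:
        kwargs["verify"] = cafile
    if certfile and keyfile:
        kwargs["cert"] = (certfile, keyfile)
    elif certfile or keyfile:
        raise ValueError("client cert and key must be configured together")
    return kwargs


def effective_trust_store(kwargs, env):
    """Which CA bundle requests verifies against for these kwargs.

    With no explicit verify path, requests honours REQUESTS_CA_BUNDLE /
    CURL_CA_BUNDLE from the environment, otherwise it uses certifi's bundle,
    which is the path the comment reports as broken on the Contrail install.
    """
    verify = kwargs.get("verify", True)
    if isinstance(verify, str):
        return verify
    if verify is False:
        return "NO VERIFICATION"
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if env.get(var):
            return env[var]
    try:
        import certifi  # optional; present wherever requests is installed
        return certifi.where()
    except ImportError:
        return "certifi bundle (certifi not installed here)"
```

With only a CA configured, the as-reported path sends requests to certifi's bundle while the fixed path verifies against /etc/ssl/certs/ca-certificates.crt; setting REQUESTS_CA_BUNDLE is the environment-level workaround for the former.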