Document how to switch out expired signing certificate with no cloud outage

Bug #1333503 reported by Anne Gentle
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
openstack-manuals | Fix Released | Medium | Alexandra Settle |

Bug Description

1. Generate a new signing key
2. Generate a new certificate request
3. Sign this with the existing CA to generate a new signing_cert.
4. Append the new signing cert to the old signing cert. Make sure the old cert is first in the file.
5. Remove all signing certs from all your hosts to force nova etc to download the new signing_cert(s)
6. Replace the signing key with the new signing key AND at the same time flip the signing_cert file so the new signing cert is now first in the file.

After the old cert has expired you can safely remove the old signing cert from the file.

Tags: ops-guide
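
The rotation described above, rehearsed with openssl in a scratch directory. This is an added example, not part of the bug report or of the OpenStack manuals; the file names (ca.pem, old.pem, new.pem, signing_key.pem, signing_cert.pem) and subject names are assumptions made for the rehearsal. Step 5 happens on the service hosts and is not simulated.

```shell
#!/bin/sh
# Rehearsal of the rotation in a scratch directory. File names and subjects
# are constructed for this example; they are not Keystone's real paths.
set -eu

issue() {  # issue <dir> <name> <days>: new key, CSR, cert signed by the CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days "$3" -out "$1/$2.pem" 2>/dev/null
}

setup_demo() {  # constructed CA plus the "old" signing key and cert
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-ca" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    issue "$1" old 1
    cp "$1/old.key" "$1/signing_key.pem"
    cp "$1/old.pem" "$1/signing_cert.pem"
}

stage_new() {  # steps 1-4: new key, CSR, CA-signed cert, appended after old
    issue "$1" new 365
    cat "$1/old.pem" "$1/new.pem" > "$1/signing_cert.pem.tmp"
    mv "$1/signing_cert.pem.tmp" "$1/signing_cert.pem"
}

cutover() {  # step 6: swap the key and flip the order (new cert first)
    cat "$1/new.pem" "$1/old.pem" > "$1/signing_cert.pem.tmp"
    cp "$1/new.key" "$1/signing_key.pem.tmp"
    mv "$1/signing_key.pem.tmp" "$1/signing_key.pem"
    mv "$1/signing_cert.pem.tmp" "$1/signing_cert.pem"
}

# openssl x509 reads only the first certificate in a bundle, which is the
# one that has to pair with the active signing key.
first_cert_matches_key() {
    [ "$(openssl x509 -in "$1/signing_cert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/signing_key.pem" -pubout)" ]
}

cert_count() { grep -c 'BEGIN CERTIFICATE' "$1/signing_cert.pem"; }

chains_to_ca() { openssl verify -CAfile "$1/ca.pem" "$1/$2.pem" >/dev/null 2>&1; }

demo=$(mktemp -d); setup_demo "$demo"; stage_new "$demo"; cutover "$demo"
first_cert_matches_key "$demo" && echo "new key pairs with first of $(cert_count "$demo") certs"
rm -rf "$demo"
```

Running `first_cert_matches_key` after step 4 and again after step 6 confirms that the active key always pairs with the first certificate in the file, which is the ordering the procedure insists on.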
Anastasia Martynova (anastasia-martynova) wrote :

Anne, would you mind providing a link to the bug, please?

Anastasia Martynova (anastasia-martynova) wrote :

Sorry, I meant a link to the doc page where this paragraph should be added. Does this place look like a good fit?

http://docs.openstack.org/havana/config-reference/content/ch_configuring-openstack-identity.html

Section "Certificates for PKI"?

Tom Fifield (fifieldt)
Changed in openstack-manuals:
status: Confirmed → Triaged
Changed in openstack-manuals:
assignee: nobody → Alexandra Settle (alexandra-settle)
Alexandra Settle (alexandra-settle) wrote :

Hi Anne, could you please confirm if the above link is a suitable placement for this procedure? :)
Thanks.

Lana (loquacity) wrote :

Looks good to me, Alex.

Anne Gentle (annegentle) wrote :

Actually, it looks like that Havana content moved to the Cloud Admin Guide: http://docs.openstack.org/admin-guide-cloud/content/certificates-for-pki.html is where it probably should go.

Alexandra Settle (alexandra-settle) wrote :

Thanks Lana and Anne :)

This chapter is next on the list to be converted to RST, so a slight pause until that's done.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-manuals (master)

Fix proposed to branch: master
Review: https://review.openstack.org/190456

Changed in openstack-manuals:
status: Triaged → In Progress
Tom Fifield (fifieldt)
Changed in openstack-manuals:
milestone: none → liberty
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-manuals (master)

Reviewed: https://review.openstack.org/190456
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=8c08d85b06052021e9c2ebdde39cd3d102f77a5e
Submitter: Jenkins
Branch: master

commit 8c08d85b06052021e9c2ebdde39cd3d102f77a5e
Author: asettle <email address hidden>
Date: Thu Jun 11 12:04:04 2015 +1000

    Updating certificates-for-pki content

    Documenting how to switch out expired signing certificates
    with no cloud outage.

    Change-Id: Ib7eabbcc8c977796d5ed3eb83b54a3ce9d98cc0d
    Closes-bug: #1333503

Changed in openstack-manuals:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-manuals 15.0.0

This issue was fixed in the openstack/openstack-manuals 15.0.0 release.
