[openstack-dev] SSL and devstack

Bryan D. Payne bdpayne at acm.org
Mon Oct 29 17:25:02 UTC 2012


> 1. If no CA is in the path indicated by the config file, generate a self
> signed one.  The assumption is that this code will be common between pki and
> ssl setup.
> 2. Use the CA from the above path to sign the ssl certificate.

I agree with others that this will come down to ensuring high quality
support in the keystone client for ssl.  Work will need to be done to
make the client work with a user-provided certificate chain.  And we
should also think about how to make this all as transparent to the
user as possible while still ensuring that the client simply doesn't
work (while giving the appropriate error messages) if HTTPS is
expected from the server and HTTP is provided (i.e., avoid downgrade
attacks).

With regard to the devstack setup.  Are you imagining using a TLS/SSL
terminator like people will likely do in real deployments?  Or are you
thinking of building the TLS/SSL support directly into keystone?

-bryan
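The two client-side requirements Bryan raises above (honour a user-provided CA chain, and fail closed instead of downgrading when HTTPS is expected but HTTP is offered) are shown below in an added example. This is illustrative code written for this thread, not keystoneclient or devstack code; the function names, the `InsecureEndpoint` exception and the `keystone.example` host are assumptions, and the CA bundle path is whatever the operator supplies.

```python
"""Endpoint hardening for a hypothetical OpenStack-style Python client.

Added example (not keystoneclient code).  It demonstrates:
  1. a user-provided CA chain (e.g. the self-signed CA a devstack run would
     generate) is used to verify the server certificate, with hostname checks;
  2. an endpoint that is expected to be HTTPS is refused if it is plain HTTP,
     rather than silently falling back (downgrade protection).
"""
import http.client
import ssl
from urllib.parse import urlsplit


class InsecureEndpoint(Exception):
    """Raised when a TLS-required endpoint is not served over HTTPS."""


def check_endpoint(url, require_tls=True):
    """Parse an endpoint URL and enforce the expected scheme.

    A client that accepts whatever scheme the catalog or the user hands it can
    be steered to http:// by anyone who can tamper with that input, so refuse
    loudly when TLS is required and the scheme is not https.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme %r in %s" % (parts.scheme, url))
    if not parts.hostname:
        raise ValueError("endpoint has no host: %s" % url)
    if require_tls and parts.scheme != "https":
        raise InsecureEndpoint(
            "refusing plain HTTP endpoint %s: HTTPS expected" % url)
    return parts


def tls_context(cafile=None, insecure=False):
    """Build the SSL context used for HTTPS connections.

    cafile   -- PEM bundle with the deployment's CA chain.  When given, it is
                the ONLY trust anchor (system roots are not loaded), so a
                certificate signed by an unrelated public CA is rejected.
                A missing or unreadable file raises instead of silently
                falling back to an unverified connection.
    insecure -- disable verification.  Off by default and explicit on purpose.
    """
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED and check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if insecure:
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def is_verifying(ctx):
    """True if the context checks both the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def connection_for(url, cafile=None, require_tls=True, insecure=False):
    """Return an (unopened) connection object for the endpoint.

    No socket is opened here; the caller issues the request.  Because the
    scheme check runs first, a TLS-required client can never end up holding
    a plain HTTPConnection by accident.
    """
    parts = check_endpoint(url, require_tls=require_tls)
    if parts.scheme == "https":
        return http.client.HTTPSConnection(
            parts.hostname, parts.port or 443,
            context=tls_context(cafile=cafile, insecure=insecure))
    return http.client.HTTPConnection(parts.hostname, parts.port or 80)


if __name__ == "__main__":
    # Constructed sample endpoints (not real hosts).
    conn = connection_for("https://keystone.example:5000/v2.0")
    print("ok:", conn.host, conn.port, type(conn).__name__)
    try:
        connection_for("http://keystone.example:5000/v2.0")
    except InsecureEndpoint as exc:
        print("blocked:", exc)
```

Pointing `cafile` at the devstack-generated CA makes that CA the sole trust anchor; leaving it unset falls back to the system store. Either way verification is never disabled unless the caller passes `insecure=True` explicitly, which is the behaviour you want from a client that should "simply not work" rather than downgrade.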
