[openstack-dev] [openstack-ansible][security] Creating a CA for openstack-ansible deployments?
travis.mcpeak at hpe.com
Thu Oct 29 09:33:32 UTC 2015
This does seem to make a lot of sense. Basically what we will get is
an improved lowest common denominator when it comes to intra-node TLS.
This probably also fits in nicely with work others in OpenStack
Security have recently discussed regarding the creation of a
The only potential security drawback is that we are introducing a new
asset to protect. If we create the tools that enable a deployer to
easily create and administer a lightweight CA, that should add
significant value to OpenStack, especially for smaller organizations
that don't have experience running a CA.
I'd be curious to hear what the more crypto/CA focused members of
OpenStack Security have to say as well.
>I've been researching some additional ways to secure openstack-ansible
>deployments and I backed myself into a corner with secure log
>transport. The rsyslog client requires a trusted CA certificate to be
>able to send encrypted logs to rsyslog servers. That's not a problem
>if users bring their own certificates, but it does become a problem if
>we use the self-signed certificates that we're creating within the
>I'm wondering if we could create a role that creates a CA on the
>deployment host and then uses that CA to issue certificates for various
>services *if* user doesn't specify that they want to bring their own
>certificates. We could build the CA very early in the installation
>process and then use it to sign certificates for each individual
>service. That would allow us to have some additional trust in
>environments where deployers don't choose to bring their own
>Does this approach make sense?
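The CA-on-the-deployment-host flow proposed in the quoted message, as an added example that is not code from this thread or from openstack-ansible: a CA is created early, a service certificate is signed with it only when the deployer has not brought their own, and the result is checked the way an rsyslog client would. It assumes the openssl CLI is available; the directory layout, file names and hostname are constructed.

```shell
# Added example, not from the thread or the project. Assumes the openssl
# CLI; directory layout, file names and hostnames are constructed.
set -eu

# create_ca DIR: self-signed CA in DIR. The CA key is the new asset to
# protect, so it is written with owner-only permissions.
create_ca() {
    mkdir -p "$1"
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = openstack-ansible deployment CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    (umask 077 && openssl genrsa -out "$1/ca.key" 2048 2>/dev/null)
    openssl req -x509 -new -key "$1/ca.key" -config "$1/ca.cnf" \
        -extensions ca_ext -sha256 -days 3650 -out "$1/ca.crt" 2>/dev/null
}

# issue_service_cert CADIR HOST OUTDIR: prints "own-cert" and leaves an
# existing OUTDIR/HOST.crt alone (deployer brought their own), else signs one.
issue_service_cert() {
    ca=$1; host=$2; out=$3
    mkdir -p "$out"
    if [ -f "$out/$host.crt" ]; then echo own-cert; return 0; fi
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' \
        "$host" > "$out/$host.cnf"
    # SAN + EKU so a TLS client can match the hostname it connects to
    printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' \
        "$host" > "$out/$host.ext"
    (umask 077 && openssl genrsa -out "$out/$host.key" 2048 2>/dev/null)
    openssl req -new -key "$out/$host.key" -config "$out/$host.cnf" \
        -out "$out/$host.csr" 2>/dev/null
    openssl x509 -req -in "$out/$host.csr" -CA "$ca/ca.crt" -CAkey "$ca/ca.key" \
        -CAcreateserial -sha256 -days 825 -extfile "$out/$host.ext" \
        -out "$out/$host.crt" 2>/dev/null
    rm -f "$out/$host.csr" "$out/$host.cnf" "$out/$host.ext"
    echo issued
}

# verify_chain CADIR CERT: the check an rsyslog client makes against the
# CA certificate it is configured to trust.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}
```

Only ca.crt needs to be distributed to the rsyslog clients; ca.key stays on the deployment host.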