[openstack-dev] [openstack-ansible][security] Creating a CA for openstack-ansible deployments?

McPeak, Travis travis.mcpeak at hpe.com
Thu Oct 29 09:33:32 UTC 2015


This does seem to make a lot of sense.  Basically what we will get is
an improved lowest common denominator when it comes to intra-node TLS.
This probably also fits in nicely with work others in OpenStack
Security have recently discussed regarding the creation of a
super-lightweight CA.

The only potential security drawback is that we are introducing a new
asset to protect.  If we create the tools that enable a deployer to
easily create and administer a lightweight CA, that should add
significant value to OpenStack, especially for smaller organizations
that don't have experience running a CA.

I'd be curious to hear what the more crypto/CA focused members of
OpenStack Security have to say as well.

Thanks,
-Travis


>Hello there,
>
>I've been researching some additional ways to secure openstack-ansible
>deployments and I backed myself into a corner with secure log
>transport.  The rsyslog client requires a trusted CA certificate to be
>able to send encrypted logs to rsyslog servers.  That's not a problem
>if users bring their own certificates, but it does become a problem if
>we use the self-signed certificates that we're creating within the
>various roles.
>
>I'm wondering if we could create a role that creates a CA on the
>deployment host and then uses that CA to issue certificates for various
>services *if* the user doesn't specify that they want to bring their own
>certificates.  We could build the CA very early in the installation
>process and then use it to sign certificates for each individual
>service.  That would allow us to have some additional trust in
>environments where deployers don't choose to bring their own
>certificates.
>
>Does this approach make sense?

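The trust problem the quoted proposal is solving, shown as an added example that is not code from this thread or from openstack-ansible: a client such as rsyslog that trusts only one deployment CA will accept a service certificate issued by that CA, and will reject a per-role self-signed certificate (what the roles create today) or a CA-issued certificate presented by the wrong host. The example uses Go's standard library in place of the openssl/Ansible tooling a real role would use; the CA name, host names and serial numbers are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Cert pairs a parsed certificate with the private key that belongs to it.
type Cert struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// build signs tmpl with the given parent/key pair and parses the result.
func build(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*Cert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if signer == nil { // self-signed: the new key signs its own certificate
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Cert{Cert: cert, Key: key}, nil
}

// NewCA creates the lightweight, self-signed deployment CA. MaxPathLenZero
// means it may only sign end-entity certificates, not intermediate CAs.
func NewCA(name string) (*Cert, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return build(tmpl, tmpl, nil)
}

// serviceTemplate is the shape of a per-service server certificate.
func serviceTemplate(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // clients match on the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// IssueServiceCert has the deployment CA sign a certificate for one service host.
func IssueServiceCert(ca *Cert, host string, serial int64) (*Cert, error) {
	return build(serviceTemplate(host, serial), ca.Cert, ca.Key)
}

// SelfSignedCert mimics what an individual role produces today: a certificate
// with no issuer that any other node could have been told to trust.
func SelfSignedCert(host string, serial int64) (*Cert, error) {
	tmpl := serviceTemplate(host, serial)
	return build(tmpl, tmpl, nil)
}

// Trusted reports whether a client that trusts only ca (for example an rsyslog
// client with that CA file configured) would accept cert for the given host.
func Trusted(ca, cert *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

func main() {
	ca, _ := NewCA("openstack-ansible deployment CA")          // constructed name
	issued, _ := IssueServiceCert(ca, "rsyslog1.example.internal", 2) // constructed host
	self, _ := SelfSignedCert("rsyslog1.example.internal", 3)
	fmt.Println("CA-issued cert trusted:", Trusted(ca.Cert, issued.Cert, "rsyslog1.example.internal"))
	fmt.Println("CA-issued cert, wrong host:", Trusted(ca.Cert, issued.Cert, "other.example.internal"))
	fmt.Println("self-signed cert trusted:", Trusted(ca.Cert, self.Cert, "rsyslog1.example.internal"))
}
```

The point for a deployment role is the asymmetry in the last three lines: distributing one CA certificate to every node is enough to validate every service certificate the CA issued, whereas self-signed per-role certificates would each have to be copied to every client that talks to that service. The CA key, as Travis notes above, then becomes the asset to protect; keeping it on the deployment host only, and limiting it to signing end-entity certificates as the template does, bounds what a compromise of any single service node can do.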
