[openstack-dev] [openstack-ansible][security] Creating a CA for openstack-ansible deployments?

Major Hayden major at mhtx.net
Thu Oct 29 12:43:44 UTC 2015


On 10/29/2015 04:33 AM, McPeak, Travis wrote:
> The only potential security drawback is that we are introducing a new
> asset to protect.  If we create the tools that enable a deployer to
> easily create and administer a lightweight CA, that should add
> significant value to OpenStack, especially for smaller organizations
> that don't have experience running a CA.

This is certainly true.  However, I'd like to solve for the use of self-signed SSL certificates in openstack-ansible first.

At the moment, each self-signed certificate for various services is generated within each role.  The goal would be to make a CA at the beginning and then allow roles to utilize another role/task to issue certificates from that CA.  The CA would most likely be located on the deployment host.

Deployers who are very security conscious can provide keys, certificates, and CA certificates in the deployment configuration and those will be used instead of generating self-signed certificates.

--
Major Hayden
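
The flow described in the message above, as an added example that is not part of the original post and is not openstack-ansible's own code: a CA created once on the deployment host, a helper that issues per-service certificates from it, and a check showing that a single CA bundle verifies an issued certificate but not a per-role self-signed one. The function names, file layout, CA name, key size and lifetimes are assumptions.

```shell
#!/usr/bin/env bash
# Added example; the CA name, file layout, key size and lifetimes are assumptions.

# Create the deployment CA once, on the deployment host, in directory $1.
make_ca() {
    local dir="$1"
    mkdir -p "$dir" && chmod 700 "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Deployment CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    ( umask 077; openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null )
    openssl req -x509 -new -config "$dir/ca.cnf" -key "$dir/ca.key" \
        -sha256 -days 3650 -out "$dir/ca.pem"
}

# Issue a server certificate for service $2 with subjectAltName $3, signed by the CA.
issue_cert() {
    local dir="$1" name="$2" san="$3"
    ( umask 077; openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null )
    openssl req -new -config "$dir/ca.cnf" -key "$dir/$name.key" \
        -subj "/CN=$name" -out "$dir/$name.csr"
    printf '%s\n' 'basicConstraints = critical, CA:FALSE' \
        'keyUsage = critical, digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' "subjectAltName = $san" > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$dir/$name.ext" \
        -out "$dir/$name.pem" 2>/dev/null
}

# The current per-role behaviour: a certificate signed only by its own key.
self_signed() {
    local dir="$1" name="$2"
    openssl req -x509 -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=$name" -days 365 -keyout "$dir/$name.key" -out "$dir/$name.pem" 2>/dev/null
}

# Succeeds only if $2's certificate chains to the deployment CA in $1.
verify_cert() { openssl verify -CAfile "$1/ca.pem" "$1/$2.pem" >/dev/null 2>&1; }
```

Only `ca.pem` needs to be distributed to hosts and clients; `ca.key` stays on the deployment host, which is the new asset to protect that the quoted message mentions.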


