[openstack-dev] [openstack-ansible][security] Creating a CA for openstack-ansible deployments?

Clark, Robert Graham robert.clark at hpe.com
Thu Oct 29 13:42:58 UTC 2015


On 29/10/2015 21:43, "Major Hayden" <major at mhtx.net> wrote:



>On 10/29/2015 04:33 AM, McPeak, Travis wrote:
>> The only potential security drawback is that we are introducing a new
>> asset to protect.  If we create the tools that enable a deployer to
>> easily create and administer a lightweight CA, that should add
>> significant value to OpenStack, especially for smaller organizations
>> that don't have experience running a CA.
>
>This is certainly true.  However, I'd like to solve for the use of self-signed SSL certificates in openstack-ansible first.
>
>At the moment, each self-signed certificate for various services is generated within each role.  The goal would be to make a CA at the beginning and then allow roles to utilize another role/task to issue certificates from that CA.  The CA would most likely be located on the deployment host.
>
>Deployers who are very security conscious can provide keys, certificates, and CA certificates in the deployment configuration and those will be used instead of generating self-signed certificates.
>
>--
>Major Hayden

It sounds like what you probably need is a lightweight CA, without revocation, that gives you some basic constraints by which you can restrict certificate issuance to just your ansible tasks and that could potentially be thrown away when it’s no longer required. Particularly something light enough that it could live on any deployment/installer node.

This sounds like it _might_ be a good fit for Anchor[1], though possibly not if I’ve misunderstood your use-case.

[1] https://wiki.openstack.org/wiki/Security#Anchor_-_Ephemeral_PKI

Cheers
-Rob

