[Openstack-security] Certmonger
Adam Young
ayoung at redhat.com
Tue Oct 29 19:16:18 UTC 2013
On 10/29/2013 02:23 PM, Bryan D. Payne wrote:
> > Certmonger is supported on both RHEL and Debian based systems, and
> > is easily portable to others. What is essential is identification of
> > what additional Certificate Authority protocols it needs to support.
>
> Sorry, I was referring to OpenStack distros, not Linux distros.
> Basically I think that everyone has slightly different tooling around
> how they handle HTTPS termination (stud, pound, Apache, etc) and each
> of these would have slightly different needs for orchestration of the
> certs and such. Traditionally, this has been done outside of the
> OpenStack projects and has been more distro specific. But, perhaps we
> are approaching the time for some of that to be more fully integrated
> into the OpenStack projects themselves. Certainly a conversation
> worth having.
Even the SSL termination tools do not typically handle certificates;
they just punt to some other tooling. I was thinking of Devstack as a
starting point, though, for TLS.
There are a handful of PKI uses inside of OpenStack that would be better
served by X509, such as the SSH to the VMs: raw public keys have no
expiry or revocation. Any encryption that we are doing inside of OS at
the application level, as I pointed out before, should also be using
X509. AMQP traffic, traffic between app server and database, and LDAP
should all be passed over TLS, and this is inside the datacenter, so
hardware termination is usually not appropriate.
We need an approach for SSL everywhere: it is one of the issues raised
in the security guide. Thus, the default deployment needs to show how
to set that up.
>
> Cheers,
> -bryan
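As an added example (not code from the thread or from any OpenStack project), the following script audits an OpenStack-style INI config for the three internal channels the message calls out, AMQP, database and LDAP, and reports any that are still plaintext. The option names (rabbit_use_ssl, kombu_ssl_ca_certs, the [database] connection URL's ssl_ca parameter, the keystone [ldap] url and use_tls options) reflect common settings of the period but are assumptions here; check them against the release you actually run. The two config snippets are constructed for illustration.

```python
"""Audit an OpenStack-style INI config for plaintext internal channels.

Added example, not from the mailing-list thread. Option names are
assumptions about oslo/keystone settings; adapt to your release.
"""
import configparser
from urllib.parse import parse_qs, urlparse

# Constructed sample: every internal channel is plaintext.
SAMPLE_CONFIG = """
[DEFAULT]
rabbit_host = amqp.internal
rabbit_port = 5672
rabbit_use_ssl = false

[database]
connection = mysql://nova:secret@db.internal/nova

[ldap]
url = ldap://ldap.internal:389
use_tls = false
"""

# Constructed sample: the same channels with TLS turned on.
SECURED_CONFIG = """
[DEFAULT]
rabbit_host = amqp.internal
rabbit_port = 5671
rabbit_use_ssl = true
kombu_ssl_ca_certs = /etc/pki/tls/certs/ca-bundle.crt

[database]
connection = mysql://nova:secret@db.internal/nova?ssl_ca=/etc/pki/tls/certs/ca-bundle.crt

[ldap]
url = ldaps://ldap.internal:636
"""


def _get(cfg, section, option, default=""):
    """Read an option, tolerating a missing section or option."""
    if cfg.has_option(section, option):
        return cfg.get(section, option)
    return default


def _is_true(value):
    return value.strip().lower() in ("1", "true", "yes", "on")


def audit_tls(config_text):
    """Return a list of (section, finding) tuples for plaintext channels."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    findings = []

    # AMQP: rabbit_use_ssl lived in [DEFAULT] on older releases and in
    # [oslo_messaging_rabbit] later (assumption: look in both places).
    amqp = "oslo_messaging_rabbit" if cfg.has_section("oslo_messaging_rabbit") else "DEFAULT"
    if not _is_true(_get(cfg, amqp, "rabbit_use_ssl", "false")):
        findings.append((amqp, "AMQP: rabbit_use_ssl is off, broker traffic is plaintext"))
    elif not _get(cfg, amqp, "kombu_ssl_ca_certs"):
        findings.append((amqp, "AMQP: TLS on but no kombu_ssl_ca_certs, broker cert may go unverified"))

    # Database: a SQLAlchemy mysql:// URL with no ssl_ca query parameter
    # means the SQL session (and its credentials) cross the wire in clear.
    conn = _get(cfg, "database", "connection")
    if conn:
        parsed = urlparse(conn)
        if parsed.scheme.startswith("mysql") and "ssl_ca" not in parse_qs(parsed.query):
            findings.append(("database", "DB: connection URL has no ssl_ca, SQL traffic is plaintext"))

    # LDAP: require either ldaps:// or StartTLS via use_tls, otherwise
    # simple binds send passwords in the clear.
    url = _get(cfg, "ldap", "url")
    if url:
        if urlparse(url).scheme != "ldaps" and not _is_true(_get(cfg, "ldap", "use_tls", "false")):
            findings.append(("ldap", "LDAP: url is not ldaps:// and use_tls is off, binds are plaintext"))

    return findings


if __name__ == "__main__":
    for name, text in (("plaintext", SAMPLE_CONFIG), ("secured", SECURED_CONFIG)):
        print(f"== {name} ==")
        for section, finding in audit_tls(text) or [("-", "no plaintext channels found")]:
            print(f"[{section}] {finding}")
```

Running it on the constructed plaintext config yields three findings (AMQP, database, LDAP); the secured config yields none. The checks are deliberately conservative: enabling TLS on the broker without a CA bundle is flagged separately, since encryption without certificate verification still leaves the channel open to an in-datacenter man in the middle.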