Hi, I am learning to configure keystone for tokenless ssl x509 authorization, according to the document: http://docs.openstack.org/developer/keystone/configure_tokenless_x509.html. when making self-signed certificate with command openssl, I don't know how to define issuer DN and subject DN for ssl x509. Is it right as the following? For example , If using tokenless authorization between nova service and keystone, i define issuer DN like the following: E=schmitt at openstack.com CN=schmitt OU=keystone O=openstack L=Sunnyvale S=California C=US and define subject DN like the following: E=nova at openstack.com CN=nova #nova user defined in the configuration item [keystone_authtoken]file“/etc/nova/nova.conf” OU=default O=defalult L=Sunnyvale S=California C=US Also,is there something special between subject DN and openstack service? Thanks & Regards, schmitt -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.openstack.org/pipermail/openstack/attachments/20160704/1595862a/attachment.html>