[openstack-dev] SSL and devstack
Adam Young
ayoung at redhat.com
Sat Oct 27 01:16:33 UTC 2012
Although SSL in Python is slow, we really should enable it in devstack
from here on out. My understanding is that people with live deployments
front Keystone with some other SSL terminator. We should thus plan on
running the python-keystoneclient code through SSL by default to make
sure all SSL issues are shaken out.
If you run keystone-manage --pki_setup it generates a CA certificate
for you. This is done by default in devstack, in order to get PKI
tokens to work. However, there are no SSL certificates provided. The
config documentation states: "a set of sample certificates is provided
in the examples/ssl directory with the Keystone distribution for
testing." However, it uses a different CA than the one in the
test/signing, so there is no one set of certificates we can provide.
I think I would like to add an additional option to the keystone-manage
CLI: --ssl_setup. What I would like to do is gather what the
requirements for this should be. To start:
1. If no CA is in the path indicated by the config file, generate a
self-signed one. The assumption is that this code will be common between
PKI and SSL setup.
2. Use the CA from the above path to sign the ssl certificate.
I am assuming that most organizations large enough to have OpenStack
have their own Public Key Infrastructure. Thus, the self-signed CA and
SSL cert should not be the norm. What I am wondering is if there is
anything we should be doing for those cases. There is no standard for
remotely submitting a Certificate Signing Request (CSR) and getting back
a signed certificate. We can generate a CSR based on the hostname of
the machine, and that way we know that the certificate is formatted for
SSL, but is it really better to write a tool to do this (it is going to
be done once every year or thereabouts) or just point the users at decent
documentation about how to do it themselves?
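The two steps proposed in the message (reuse or create a CA, then sign a host certificate from a hostname-based CSR) as an added shell sketch; this is not Keystone's code. It assumes the openssl CLI is on PATH, and the file names (ca.pem, cakey.pem, ssl_key.pem, ssl_cert.pem) are constructed for the example.

```shell
#!/bin/sh
# Added example, not Keystone's code: a minimal ssl_setup in the shape
# proposed in the message. Assumes the openssl CLI; file names are made up.
# Usage: ssl_setup <dir> <hostname>
write_cnf() {  # one config used for the CA, the CSR and the signing step
    host=$2
    cat > "$1/ssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
}
ssl_setup() {
    dir=$1; host=$2
    mkdir -p "$dir" && write_cnf "$dir" "$host" || return 1
    # Step 1: reuse the CA at the configured path if it is already there
    # (e.g. the one --pki_setup made); otherwise generate a self-signed one.
    if [ ! -f "$dir/ca.pem" ] || [ ! -f "$dir/cakey.pem" ]; then
        openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -config "$dir/ssl.cnf" -extensions v3_ca \
            -subj "/CN=Example Self-Signed CA" \
            -keyout "$dir/cakey.pem" -out "$dir/ca.pem" 2>/dev/null || return 1
    fi
    # Step 2: key + CSR for this host. The CSR is what an organisation's own
    # PKI would sign instead; here the CA from step 1 signs it.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/ssl.cnf" -subj "/CN=$host" \
        -keyout "$dir/ssl_key.pem" -out "$dir/ssl_req.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/ssl_req.csr" -sha256 -days 365 \
        -CA "$dir/ca.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/ssl.cnf" -extensions v3_server \
        -out "$dir/ssl_cert.pem" 2>/dev/null || return 1
}
# Does the issued certificate chain to the CA in <dir>?
ssl_verify() { openssl verify -CAfile "$1/ca.pem" "$1/ssl_cert.pem" >/dev/null 2>&1; }
# CA fingerprint; a second ssl_setup run must leave it unchanged.
ca_fingerprint() { openssl x509 -in "$1/ca.pem" -noout -fingerprint -sha256; }
```

A second run against the same directory keeps the existing CA and only reissues the host certificate, which is the "common between pki and ssl setup" behaviour the first requirement asks for.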