[openstack-dev] [Neutron][LBaaS]LBaaS 2nd Session etherpad

Carlos Garza carlos.garza at rackspace.com
Wed May 21 16:46:32 UTC 2014


   I'm crc32 on free node.  My TimeZone is U.S. CST (UTC-5).
Let me know when we can clear this up. I need to know what the intent was for with the Trusted certificates before we can decide what fields were needed for it.



On May 21, 2014, at 9:14 AM, Samuel Bercovici <SamuelB at Radware.com<mailto:SamuelB at Radware.com>> wrote:

Hi Carlos,

What is your IRC nick?
In what time zone you are located?

Regards,
                -Sam.






From: Carlos Garza [mailto:carlos.garza at rackspace.com<http://rackspace.com>]
Sent: Wednesday, May 21, 2014 2:52 AM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [Neutron][LBaaS]LBaaS 2nd Session etherpad

    I'm reading through the https://wiki.openstack.org/wiki/Neutron/LBaaS/SSL docs as well as the https://etherpad.openstack.org/p/neutron-lbaas-ssl-l7
document that your referencing below and I think who ever wrote the documents may have misunder stood the Association between X509 certificates and Private and public Keys.
I think we should clean those up and unambiguously declare that.

A certificate shall be defined as a PEM encoded X509 certificate.
For example

Certificate:
-----BEGIN CERTIFICATE-----
   blah blah blah base64 stuff goes here
-----END CERTIFICATE-----

A private key shall be a PEM encoded private key that may or may not necessarily be an RSA key. For example it could be
a curve key but most likely it will be RSA



a public-key shall mean an actual Pem encoded public key and not the x509 certificate that contains it. example
-----BEGIN PUBLIC KEY-----
    bah blah blah base64 stuff goes here
-----END PUBLIC KEY-----

A Private key shall mean a PEM encoded private key.
Example
-----BEGIN RSA PRIVATE KEY-----
    blah blah blah base64 goes here.
-----END RSA PRIVATE KEY-----

Also the same key could be encoded as pkcs8

-----BEGIN PRIVATE KEY-----
    base64 stuff here
-----END PRIVATE KEY-----

I would think that we should allow for PKCS8 so that users are not restricted to PKCS1 RSA keys via "BEGIN PRIVATE KEY". I'm ok with forcing the user to not use PKCS8 to send both
the certificate and key.

There seems to be confusion in the neutron-lbaas-ssl-i7 ether pad doc as well as the doc at URL https://etherpad.openstack.org/p/neutron-lbaas-ssl-l7
The confusion being that the term public key and certificate are being used interchangeably.

For example in the wiki page?
under Resource change:
SSL certidficate(new) declares

certificate_chain : list of PEM-formatted public keys, not mandatory
This should be changed to
certificate_chain: list of PEM-formatted x509 certificates, not mandatory

Also in the CLI portion of the doc their are entries like
neutron ssl-certificate-create --public-key CERTIFICATE-FILE <--private-key PRIVATE-KEY-FILE> <--passphrase PASSPHRASE> <--cert-chain INTERMEDIATE-KEY-FILE-1, INTERMEDIATE-KEY-FILE-2> certificate name
The option --public-key should be changed to --cert since it specifies the X509. Also the names INTERMEDIATE-KEY-FILE-1 etc should be changed to INTERMEDIATE-CERT-FILE-1 since these are x509s and not certs.


The below line mass no sense to me.
neutron ssl-trusted-certificate-create --key PUBLIC-KEY-FILE key name

Are you truing to give the certificate a name? We also will never need to work with public keys in general as the public key can be extracted from the x509 or the private key file.
Or was the intent to use ssl-trusted-certificates to specify the private keys that the Loadbalancer will use when communicating with back end servers that are doing client auth?

the rational portion of the doc is declaring that trusted certificates are for back end encryption but don't mention if this is for client auth either. Was the intent to use a specific key for the SSL session between the load balancer and the back end server or was the intention to advertise the client vert to the backend server so the the back end server can authenticate with what ever CA it(the server) trusts.

in either case both the private key and the certificate or chain should be used in this configuration since the loadbalancer needs the private key during the SSL session.
the command should look something alone the lines of
neutron ssl-trusted-certificate-create --key PRIVATE_KEY_FILE --cert CERTIFICATE-file.


    I would like to help out with this but I need to know the intent of the person that initially interchanged the terms key and certificate, and its much better to fix this sooner then later.


On May 15, 2014, at 10:58 PM, Samuel Bercovici <SamuelB at Radware.com<mailto:SamuelB at Radware.com>> wrote:

Hi Everyone,

https://etherpad.openstack.org/p/neutron-lbaas-ssl-l7

Feel free to modify and update, please make sure you use your name so we will know who have added the modification.

Regards,
                -Sam.

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org<mailto:OpenStack-dev at lists.openstack.org>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140521/04841ffb/attachment.html>


More information about the OpenStack-dev mailing list