[openstack-dev] [FUEL] Re: SSL in Fuel.

Sergii Golovatiuk sgolovatiuk at mirantis.com
Wed Sep 10 12:01:55 UTC 2014


Hi,

Tomasz is right. Let's try not to complicate things. For 6.0 we'll
just allow uploading a key, CSR and certificate (like 3 edit boxes), or these edit
boxes will be greyed out if the customer allows generating self-signed
certificates.



--
Best regards,
Sergii Golovatiuk,
Skype #golserge
IRC #holser

On Wed, Sep 10, 2014 at 1:40 PM, Tomasz Napierala <tnapierala at mirantis.com>
wrote:

>
> On 10 Sep 2014, at 12:54, Simon Pasquier <spasquier at mirantis.com> wrote:
>
> > Hello,
> >
> > Let's back up a bit and list the different options for Fuel users:
> > 0/ The user is happy with plain HTTP.
> > => Already supported :)
> > 1/ The user wants HTTPS but doesn't want the burden associated with
> > certificate management.
> > => Fuel creates and manages the SSL certificates, be they self-signed or
> > signed by some internal CA.
> > => Using an internal CA instead of multiple self-signed certificates is
> > cleaner, as you explained.
> > 2/ The user wants HTTPS and wants to use certificates which are
> > generated by an external source (either some internal corporate PKI or some
> > public certificate authority).
> > => Fuel supports certificate + key uploads
> > => It should be possible to tell Fuel which entity (Fuel, OSt
> > environment) uses which certificate
> > 3/ The user wants HTTPS and agrees to let Fuel generate certificates
> > on behalf of some corporate PKI.
> > => Fuel supports CA + key uploads
> >
> > I think that option 1 is the way to go for a first approach. Option 2 is
> > definitely something that end-users would need at some point. I'm less
> > convinced by option 3: if I were a PKI admin, I'd be reluctant to let Fuel
> > generate certificates on its own. Also my gut feeling tells me that
> > implementing 1 & 2 is already quite a lot of work.
> >
> > I've also added some questions/comments inline.
>
> Regarding
> After careful consideration, I think that for 6.0 we will only be able to
> implement [2] with limited functionality. In terms of certificate
> management, we could offer uploading a customer-generated cert (and maybe
> provide a short doc on how to spawn a CA + sign certs) or, if the user does not
> want to do it, generate a simple self-signed cert, install it on the Fuel HTTP
> server and let the user download it.
>
> After 6.0 we can concentrate on proper implementation of CA management,
> and then allow Fuel master node part to use it.
>
> [1] https://blueprints.launchpad.net/fuel/+spec/ca-deployment
> [2] https://blueprints.launchpad.net/fuel/+spec/fuel-ssl-endpoints
> [3] https://blueprints.launchpad.net/fuel/+spec/ssl-endpoints
> --
> Tomasz 'Zen' Napierala
> Sr. OpenStack Engineer
> tnapierala at mirantis.com