[openstack-dev] [openstack-ansible][security] Creating a CA for openstack-ansible deployments?

Major Hayden major at mhtx.net
Mon Oct 26 18:38:23 UTC 2015


Hello there,

I've been researching some additional ways to secure openstack-ansible deployments and I backed myself into a corner with secure log transport.  The rsyslog client requires a trusted CA certificate to be able to send encrypted logs to rsyslog servers.  That's not a problem if users bring their own certificates, but it does become a problem if we use the self-signed certificates that we're creating within the various roles.

I'm wondering if we could create a role that creates a CA on the deployment host and then uses that CA to issue certificates for various services *if* a user doesn't specify that they want to bring their own certificates.  We could build the CA very early in the installation process and then use it to sign certificates for each individual service.  That would allow us to have some additional trust in environments where deployers don't choose to bring their own certificates.

Does this approach make sense?

--
Major Hayden
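The deployment-host CA workflow proposed above, as an added example that is not openstack-ansible's own code: a CA is created once (skipped if the deployer already dropped their own `ca.crt`/`ca.key` in place), each service gets a leaf certificate signed by it, and `verify_cert` performs the chain check an rsyslog client would make against its trusted CA file. It assumes only that `openssl` is in `PATH`; `CA_DIR` and the host names are constructed values.

```shell
# Added example, not code from openstack-ansible: a minimal CA built on the
# deployment host that issues one certificate per service, so rsyslog clients
# can trust a single CA file instead of per-host self-signed certificates.
# Assumes only that openssl is in PATH; CA_DIR is a constructed working directory.
set -eu
CA_DIR="${CA_DIR:-$(mktemp -d)}"

# Create the CA key and self-signed CA certificate once, early in the deploy.
# A deployer who brings their own CA drops ca.crt/ca.key here and this is a no-op.
create_ca() {
    [ -f "$CA_DIR/ca.crt" ] && return 0
    cat > "$CA_DIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = openstack-ansible deployment CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$CA_DIR/ca.cnf" \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" >/dev/null 2>&1
    chmod 600 "$CA_DIR/ca.key"
}

# Issue a leaf certificate for one service on one host, signed by the CA.
# $1 = service name (used as the file prefix), $2 = host name for CN and SAN.
issue_cert() {
    svc=$1; host=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$CA_DIR/$svc.key" -out "$CA_DIR/$svc.csr" >/dev/null 2>&1
    # Leaf-only extensions: no CA rights; usable as TLS server and client,
    # which is what an rsyslog relay needs in both directions.
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth, clientAuth\n' "$host" > "$CA_DIR/$svc.ext"
    openssl x509 -req -in "$CA_DIR/$svc.csr" -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$CA_DIR/$svc.ext" \
        -out "$CA_DIR/$svc.crt" >/dev/null 2>&1
    chmod 600 "$CA_DIR/$svc.key"
}

# The check an rsyslog client effectively performs: does the certificate chain
# to the CA it trusts? Non-zero for anything signed by a different (or no) CA.
verify_cert() {
    openssl verify -CAfile "$CA_DIR/ca.crt" "$CA_DIR/$1.crt" >/dev/null 2>&1
}
```

Run `create_ca`, then `issue_cert rsyslog-client log1.example.com`, then `verify_cert rsyslog-client`; a self-signed certificate made outside this CA fails the same check, which is the gap the message describes.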
