[security] Auto-renewing trusted user certificates for Openstack services using the ACME protocol

Stanislav Dimov slav.vdimov at gmail.com
Sun Dec 6 23:34:13 UTC 2020

Hello all,

I have recently started exploring Openstack with the goal of using it to
replace my current private cloud infrastructure.

I have been reading the docs about security and I noticed that there isn't
really a (straight forward) way of securing Openstack services
communication with user provided, trusted, SSL certificates.

I believe this should not be the case.

My current infrastructure uses a privately hosted CA, that supports the
ACME protocol. All my hosts submit CSRs to it, and respond to the ACME
challenges in order to get it signed. All certificates are short-lived
(1h), but never expire thanks to the ACME automation.

I have achieved this through an open source project called Smallstep Step
CA and Smallstep Step CLI tools. It is dead easy to set up. All of the
tools needed to achieve this can also be containerized, for simplicity.

Thus, I propose the following solution (keep in mind I am not an Openstack

Addition of an ACME client, with a configurable ACME URL, to all (or as
many as possible) Openstack services, that can submit CSRs to an ACME
server (basically almost identical to the already implemented Openstack
Let's Encrypt functionality for public endpoints).

Also, optionally, the creation of a new Openstack service, using the
Smallstep Step CA, which can sign the CSRs, and thus eliminate the need for
a manual setup of a separate Smallstep CA host.

I am providing some links to the Smallstep repositories and documentation
for easier access:

Thank you for your time and consideration.

Kind regards,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20201206/96f53562/attachment-0001.html>

More information about the openstack-discuss mailing list