[Openstack-operators] Renewing keystone signing certs

Sam Morrison sorrison at gmail.com
Mon Jun 23 06:38:34 UTC 2014


OK this is looking really scary, (unless I’m missing something…..)

In havana and icehouse, services will only download the signing cert if it doesn’t exist. So if you replace it on the keystone server it will continue to use the existing cert.

Ideally you should be able to push out both the current and the new signing cert to all hosts. Then replace the signing cert in keystone that way old and new tokens will work with no downtime

I’m starting to think with the current way keystone does this it’s going to mean a cloud wide outage to replace the signing certs?



On 23 Jun 2014, at 3:28 pm, Sam Morrison <sorrison at gmail.com> wrote:

> Our signing certificate is due to expire in a couple of weeks.
> 
> I’m trying to figure out the best way to replace it with a new one.
> 
> I have the new one signed by the same CA but I’m a little unsure of the workflow to replace it. If I swap out the old and new ones will old tokens no longer be valid?
> 
> Anyone else done this and have thoughts?
> 
> Cheers,
> Sam
> 
> 




More information about the OpenStack-operators mailing list