Support for ADCS and EJBCA would make sense. I wasn’t aware of the Chef-SSL project, quite interesting.

In my experience the hard part with CA operations is actually the Registration Authority: ensuring that the requesting party has a right to the certificate is one of the main roles of the RA, and with client-side generation (without out-of-band attestation) you quickly run into a chicken-and-egg type problem.

A long time ago I wrote half of a very lightweight RESTful CA with a very simple API and delegated certificate issuing (so you could grant permissions to create certificates on certain subdomains) - I keep threatening to turn it into something real.

I’m not convinced that any of the platforms out there meet the needs we have very well. I should look more closely at Certmonger, maybe this will fit the bill!

From: Bryan Payne <bdpayne at acm.org>
Date: Tuesday, 29 October 2013 19:20
To: "ayoung at redhat.com" <ayoung at redhat.com>
Cc: "openstack-security at lists.openstack.org" <openstack-security at lists.openstack.org>
Subject: Re: [Openstack-security] Certmonger

We need an approach for SSL everywhere: it is one of the issues raised in the security guide. Thus, the default deployment needs to show how to set that up.

Makes sense to me.

-bryan