[Openstack] Keystoner as Certificate Authority

Jeffrey Walton noloader at gmail.com
Thu Sep 5 07:20:42 UTC 2013 

On Thu, Sep 5, 2013 at 2:41 AM, Somanchi Trinath-B39208
<B39208 at freescale.com> wrote:
>
> Can you suggest me on any CA service work going on with Openstack.
The Security Guide discusses it a bit,
http://www.openstack.org/blog/2013/07/openstack-security-guide-now-available/.

>From page 73.0 / 300: "It is recommended that the OpenStack cloud
architect rely on distinct sets of CAs -- one or more for the
management network and internal service communications, and the
trusted set of public CA providers for allowing external users to
verify the identity of the public cloud endpoints. Configuring the
internal service communications to only rely on an internal CA can
help reduce the risk of accidental authentication of users with valid
certificates issued by public CAs from being trusted by the internal
services."

Don't let the "trusted set of public CA" fool you. Trust is a bit
misleading here - its more like the preloaded set of CAs and sub-CAs
in your browsers [loosely] operating under the Internet profile
(PKIX). Anything from Digicert, Verisgn, etc will do.

Also look at the case study on page 80.0 / 300, where a brief Case
Study is performed for both a public cloud and private cloud.

There's a lot to running a PKI for the internal network. The Security
Guide presupposes a PKI is available, and there's someone (or a team)
actively managing it. In this case, Google is your friend:
https://www.google.com/#q=certification+authority+best+practice.

If you want a free SSL/TLS certificate trusted by many (most?)
browsers for external users, then check out Eddy Nigg's StartCom.
(Most of the cost is in revocation, so that's where StartCom charges
for its services. Brilliant!).

Jeff

> -----Original Message-----
> From: Jeffrey Walton [mailto:noloader at gmail.com]
> Sent: Thursday, September 05, 2013 10:37 AM
> To: Somanchi Trinath-B39208
> Cc: openstack at lists.openstack.org
> Subject: Re: [Openstack] Keystoner as Certificate Authority
>
> On Thu, Sep 5, 2013 at 12:40 AM, Somanchi Trinath-B39208 <B39208 at freescale.com> wrote:
>>
>> Can we use Keystone as Certificate Authority. Kindly help me in
> I can't answer if it can be used to issue certs, but I can tell you it should not be. That portion of the infrastructure needs to be segregated with a well defined security zone or boundary.
>

More information about the Openstack mailing list