[Openstack] Keystoner as Certificate Authority

Somanchi Trinath-B39208 B39208 at freescale.com
Thu Sep 5 08:05:51 UTC 2013


Thanks a lot Jeff...

Will go through this..

--
Trinath Somanchi - B39208
trinath.somanchi at freescale.com | extn: 4048


-----Original Message-----
From: Jeffrey Walton [mailto:noloader at gmail.com] 
Sent: Thursday, September 05, 2013 12:51 PM
To: Somanchi Trinath-B39208
Cc: openstack at lists.openstack.org
Subject: Re: [Openstack] Keystoner as Certificate Authority

On Thu, Sep 5, 2013 at 2:41 AM, Somanchi Trinath-B39208 <B39208 at freescale.com> wrote:
>
> Can you suggest me on any CA service work going on with Openstack.
The Security Guide discusses it a bit,
http://www.openstack.org/blog/2013/07/openstack-security-guide-now-available/.

From page 73.0 / 300: "It is recommended that the OpenStack cloud architect rely on distinct sets of CAs -- one or more for the management network and internal service communications, and the trusted set of public CA providers for allowing external users to verify the identity of the public cloud endpoints. Configuring the internal service communications to only rely on an internal CA can help reduce the risk of accidental authentication of users with valid certificates issued by public CAs from being trusted by the internal services."

Don't let the "trusted set of public CA" fool you. Trust is a bit misleading here - it's more like the preloaded set of CAs and sub-CAs in your browsers [loosely] operating under the Internet profile (PKIX). Anything from DigiCert, VeriSign, etc. will do.

Also look at the case study on page 80.0 / 300, where a brief Case Study is performed for both a public cloud and private cloud.

There's a lot to running a PKI for the internal network. The Security Guide presupposes a PKI is available, and there's someone (or a team) actively managing it. In this case, Google is your friend:
https://www.google.com/#q=certification+authority+best+practice.

If you want a free SSL/TLS certificate trusted by many (most?) browsers for external users, then check out Eddy Nigg's StartCom.
(Most of the cost is in revocation, so that's where StartCom charges for its services. Brilliant!).

Jeff

> -----Original Message-----
> From: Jeffrey Walton [mailto:noloader at gmail.com]
> Sent: Thursday, September 05, 2013 10:37 AM
> To: Somanchi Trinath-B39208
> Cc: openstack at lists.openstack.org
> Subject: Re: [Openstack] Keystoner as Certificate Authority
>
> On Thu, Sep 5, 2013 at 12:40 AM, Somanchi Trinath-B39208 <B39208 at freescale.com> wrote:
>>
>> Can we use Keystone as Certificate Authority. Kindly help me in
> I can't answer if it can be used to issue certs, but I can tell you it should not be. That portion of the infrastructure needs to be segregated with a well defined security zone or boundary.
>
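
Added example, not part of the thread or of the OpenStack Security Guide: a shell script that stands up the two disjoint CA sets the guide recommends and shows why they matter. It creates a hypothetical internal CA and a hypothetical "public" CA, issues one server certificate from each, and then runs openssl verify with only the internal CA as trust anchor. The certificate from the other CA is perfectly valid, but the internal trust store rejects it, which is exactly the "accidental authentication" the quoted paragraph is trying to prevent. It assumes openssl (1.1.1 or newer) is on PATH; the CA names, hostnames and file labels are made up.

```shell
#!/bin/sh
# Added example (not OpenStack or Security Guide code): two disjoint trust
# stores, one for internal service traffic and one for public endpoints.
# Assumes `openssl` (1.1.1 or newer) is on PATH; all names are hypothetical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the demo does not depend on the system openssl.cnf.
write_config() {
    cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca LABEL CN : self-signed CA written to $WORK/LABEL-ca.{key,pem}
make_ca() {
    if [ -f "$WORK/$1-ca.pem" ]; then return 0; fi
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$WORK/openssl.cnf" -extensions v3_ca -subj "/CN=$2" \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" 2>/dev/null
}

# issue_cert CA-LABEL LEAF-LABEL DNSNAME : server cert signed by that CA
issue_cert() {
    if [ -f "$WORK/$2.pem" ]; then return 0; fi
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
        -config "$WORK/openssl.cnf" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$3" \
        > "$WORK/$2.ext"
    openssl x509 -req -sha256 -days 30 -in "$WORK/$2.csr" \
        -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
        -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" 2>/dev/null
}

# build_pki : internal CA + public CA, one Keystone endpoint cert from each
build_pki() {
    write_config
    make_ca internal "Example Cloud Internal CA"
    make_ca public   "Example Public CA"
    issue_cert internal keystone-int "keystone.mgmt.example.internal"
    issue_cert public   keystone-pub "keystone.example.com"
}

# trusts CA-LABEL LEAF-LABEL : exit 0 iff LEAF chains to that single CA.
# This is what an internal service's TLS client does when its trust store
# holds nothing but the internal CA.
trusts() {
    openssl verify -CAfile "$WORK/$1-ca.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# report CA-LABEL LEAF-LABEL : human-readable verdict
report() {
    if trusts "$1" "$2"; then
        echo "$2: accepted by $1 trust store"
    else
        echo "$2: REJECTED by $1 trust store"
    fi
}

build_pki
report internal keystone-int   # accepted
report internal keystone-pub   # REJECTED: a valid cert, but from the wrong CA
report public   keystone-pub   # accepted
```

The point of the script is the middle line of output: keystone-pub is a well-formed, unexpired certificate with the right EKU, and it is still refused because the internal trust store contains only the internal CA. Swap the -CAfile for a bundle that also holds the public CA set and that protection disappears, which is why the guide wants the internal services configured with the internal CA alone.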
