[Openstack] Keystoner as Certificate Authority

Adam Young ayoung at redhat.com
Fri Sep 6 01:57:37 UTC 2013


We are working on FreeIPA integration. It comes with Dogtag integrated.

http://www.freeipa.org/page/Main_Page

http://pki.fedoraproject.org/wiki/PKI_Main_Page




On 09/05/2013 04:05 AM, Somanchi Trinath-B39208 wrote:
> Thanks a lot Jeff...
>
> Will go through this..
>
> --
> Trinath Somanchi - B39208
> trinath.somanchi at freescale.com | extn: 4048
>
>
> -----Original Message-----
> From: Jeffrey Walton [mailto:noloader at gmail.com]
> Sent: Thursday, September 05, 2013 12:51 PM
> To: Somanchi Trinath-B39208
> Cc: openstack at lists.openstack.org
> Subject: Re: [Openstack] Keystoner as Certificate Authority
>
> On Thu, Sep 5, 2013 at 2:41 AM, Somanchi Trinath-B39208 <B39208 at freescale.com> wrote:
>> Can you suggest me on any CA service work going on with Openstack.
> The Security Guide discusses it a bit,
> http://www.openstack.org/blog/2013/07/openstack-security-guide-now-available/.
>
>  From page 73.0 / 300: "It is recommended that the OpenStack cloud architect rely on distinct sets of CAs -- one or more for the management network and internal service communications, and the trusted set of public CA providers for allowing external users to verify the identity of the public cloud endpoints. Configuring the internal service communications to only rely on an internal CA can help reduce the risk of accidental authentication of users with valid certificates issued by public CAs from being trusted by the internal services."
>
> Don't let the "trusted set of public CA" fool you. Trust is a bit misleading here - its more like the preloaded set of CAs and sub-CAs in your browsers [loosely] operating under the Internet profile (PKIX). Anything from Digicert, Verisgn, etc will do.
>
> Also look at the case study on page 80.0 / 300, where a brief Case Study is performed for both a public cloud and private cloud.
>
> There's a lot to running a PKI for the internal network. The Security Guide presupposes a PKI is available, and there's someone (or a team) actively managing it. In this case, Google is your friend:
> https://www.google.com/#q=certification+authority+best+practice.
>
> If you want a free SSL/TLS certificate trusted by many (most?) browsers for external users, then check out Eddy Nigg's StartCom.
> (Most of the cost is in revocation, so that's where StartCom charges for its services. Brilliant!).
>
> Jeff
>
>> -----Original Message-----
>> From: Jeffrey Walton [mailto:noloader at gmail.com]
>> Sent: Thursday, September 05, 2013 10:37 AM
>> To: Somanchi Trinath-B39208
>> Cc: openstack at lists.openstack.org
>> Subject: Re: [Openstack] Keystoner as Certificate Authority
>>
>> On Thu, Sep 5, 2013 at 12:40 AM, Somanchi Trinath-B39208 <B39208 at freescale.com> wrote:
>>> Can we use Keystone as Certificate Authority. Kindly help me in
>> I can't answer if it can be used to issue certs, but I can tell you it should not be. That portion of the infrastructure needs to be segregated with a well defined security zone or boundary.
>>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack





More information about the Openstack mailing list