[Openstack] Renewing keystone signing certs

Adam Young ayoung at redhat.com
Sun Jun 29 00:15:44 UTC 2014


On 06/25/2014 07:57 AM, Sam Morrison wrote:
> On 25 Jun 2014, at 9:05 am, Adam Young <ayoung at redhat.com> wrote:
>
>> On 06/23/2014 07:37 PM, Sam Morrison wrote:
>>> Hi Adam,
>>>
>>> Thanks for the advice, I’ve tested it out and it is possible to switch over pretty seamlessly.
>>>
>>> Here is what I did (spelt out in full for others reading):
>>>
>>> 1. Generate a new signing key
>>> 2. Generate a new certificate request
>>> 3. Sign this with the existing CA to generate a new signing_cert.
>>> 4. Append the new signing cert to the old signing cert. Make sure the old cert is first in the file.
>>> 5. Remove all signing certs from all your hosts to force nova etc to download the new signing_cert(s)
>>> 6. Replace the signing key with the new signing key AND at the same time flip the signing_cert file so the new signing cert is now first in the file.
>>>
>>> After the old cert has expired you can safely remove the old signing cert from the file.
>>>
>>> It would be great if keystoneclient could have a max_age on the signing_cert so it would periodically download a fresh one. I would think if it downloaded a new one every 7 days or so would suffice.
>> Even better would be for it to look at the expiration date of the certificate and look for a fresh download if we are close to expired. Tweakable params would be how often to check, and how big a window to consider for a download.
> Yeah that would be great. I’m starting to think signing_cert should be split into two functions. The signing cert on the keystone server that is used by keystone to sign tokens.
> Then a signing trusts file which is what all the openstack services download.
>
> Then you can add all the certs you’re using for signing. Would support having different signing keys if you’re using multiple keystone servers. Plus easier to support renewing keys.
> Of course this is all possible now except you just need to get your ordering right as when keystone is signing it uses the first cert in the file.
Signing is done using the specified key, not the cert. Since we strip the cert out of the signed document (token) there is no need to specify which cert to use.


>
> Sam
>
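Sam's six steps as shell functions around openssl (an added example; this is not code from the thread or from keystone). The file paths, the CN values and the 365-day validity are assumptions, and it needs the openssl CLI.

```shell
#!/bin/sh
# Added example, not code from the thread: the staged rotation Sam describes,
# as shell functions around openssl. All paths are assumptions; the default
# keystone layout is /etc/keystone/ssl/certs and /etc/keystone/ssl/private.
set -eu

# Steps 1-3: new key, CSR, and a signing cert issued by the existing keystone CA.
issue_signing_cert() {   # <new_key> <new_cert> <cn> <ca_cert> <ca_key>
    openssl genrsa -out "$1" 2048 2>/dev/null
    openssl req -new -key "$1" -subj "/CN=$3" -out "$1.csr"
    openssl x509 -req -in "$1.csr" -CA "$4" -CAkey "$5" -CAcreateserial \
        -days 365 -out "$2" 2>/dev/null
    rm -f "$1.csr"
}

# Step 4: publish both certs, OLD FIRST. Services that refresh their copy can
# validate tokens from either key while keystone still signs with the old one.
stage_bundle() {         # <old_cert> <new_cert> <bundle>
    cat "$1" "$2" > "$3"
}

# Step 6: switch the key and, in the same change, put the cert that matches
# the new key first in the bundle (staged via temp files so both move together).
flip_bundle() {          # <old_cert> <new_cert> <new_key> <bundle> <signing_key>
    cat "$2" "$1" > "$4.tmp" && cp "$3" "$5.tmp"
    mv "$4.tmp" "$4" && mv "$5.tmp" "$5"
}

# Final step: once the old cert has expired, drop it from the bundle.
# "-checkend 0" exits non-zero when the cert has already expired.
drop_old_if_expired() {  # <old_cert> <new_cert> <bundle>
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
        cp "$2" "$3"
    fi
}

# Sanity check after each stage: CN of the first cert in the bundle
# (openssl x509 reads only the first PEM block in the file).
first_cert_cn() {        # <bundle>
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}
```

Run stage_bundle first, remove the cached copies on the service hosts (step 5), and only then flip_bundle, so no host ever holds a key whose cert it has not published.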