[Openstack] Problem authenticating tokens with signing_cert issued by external CA

Daniel Marks daniel.marks at codecentric.de
Tue Apr 21 12:25:34 UTC 2015


Hi all,

being on Openstack Icehouse 2014.1.3 I am trying to exchange the default token signing certificate (the one generated during installation of the .deb package) with one signed by our CA. I followed http://docs.openstack.org/admin-guide-cloud/content/certificates-for-pki.html for certificate creation and signed the request with our (intermediate) CA cert. I am pretty sure the certificate is okay - I can sign and verify stuff using openssl:

$ sudo openssl cms -sign  -inkey private/signing_key.pem -nosmimecap -nodetach -nocerts -noattr -signer certs/signing_cert.pem -out /tmp/test_token
test9876
$ sudo openssl cms -verify -certfile certs/signing_cert.pem -CAfile certs/ca.pem  -nosmimecap -nodetach -nocerts -noattr < /tmp/test_token
test9876
Verification successful

However, when I deploy the new ca.pem, signing_cert.pem and signing_key.pem to keystone, everything except keystone breaks.

$ keystone user-list
+----------------------------------+------------------+---------+---------------------------------+
|                id                |       name       | enabled |              email              |
+----------------------------------+------------------+---------+---------------------------------+
| befedd5af2bf49158a326dce5650bdbe |      admin       |   True  |   cloud-alerts at example.com   |
…

$ glance image-list
Request returned failure status.
Invalid OpenStack Identity credentials.

glance/api.log:
2015-04-21 13:58:22.270 9193 WARNING keystoneclient.middleware.auth_token [-] Verify error: Command 'openssl' returned non-zero exit status 4
2015-04-21 13:58:22.271 9193 WARNING keystoneclient.middleware.auth_token [-] Authorization failed for token

I have no problem using the same credentials and the certs generated during installation.
I am feeling like I am missing something obvious, but I can't figure out what. Any help is appreciated.

Best regards,
Daniel



More information about the Openstack mailing list