Merge "Discourage use of pki_setup"

2014-04-22 19:35:55 +00:00 · 2014-04-22 19:35:55 +00:00 · c2679140e2
commit c2679140e2
parent eb8fafe2f8 2974ef3ccb
1 changed files with 9 additions and 0 deletions
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@ -345,6 +345,15 @@ token generation requires a public/private key pair.  The public key must be
 signed in an X509 certificate, and the certificate used to sign it must be
 available as Certificate Authority (CA) certificate.  These files can be
 generated either using the keystone-manage utility, or externally generated.
+
+Use of ``keystone-manage``'s ``pki_setup`` command is discouraged in favor
+of using an external CA. This is because the CA secret key should generally
+be kept apart from the token signing secret keys so that a compromise of
+a node does not lead to an attacker being able to generate valid signed
+Keystone tokens. This is a low probability attack vector, as compromise of
+a Keystone service machine's filesystem security almost certainly means the
+attacker will be able to gain direct access to the token backend.
+
 The files need to be in the locations specified by the top level Keystone
 configuration file as specified in the above section.  Additionally, the
 private key should only be readable by the system user that will run Keystone.