openstack/keystone
Code Issues Proposed changes

Merge "Remove CA key password from cert setup"

Browse Source
This commit is contained in:
Jenkins 2013-09-12 15:37:53 +00:00 committed by Gerrit Code Review
commit 208ed13b93
4 changed files with 3 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
doc/source/configuration.rst
View File

@ -327,7 +327,6 @@ The values that specify where to read the certificates are under the
* ``ca_key`` - Default is ``/etc/keystone/ssl/certs/cakey.pem``
* ``key_size`` - Default is ``2048``
* ``valid_days`` - Default is ``3650``
* ``ca_password`` - Password required to read the ca_file. Default is None
Signing Certificate Issued by External CA
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@ -340,7 +339,7 @@ the following conditions:
* private key files must not be protected by a password
When using signing certificate issued by an external CA, you do not need to
specify ``key_size``, ``valid_days``, ``ca_key`` and ``ca_password`` as they
specify ``key_size``, ``valid_days`` and ``ca_key`` as they
will be ignored.
The basic workflow for using a signing certificate issed by an external CA involves:
@ -574,7 +573,6 @@ When generating SSL certificates the following values are read
* ``key_size``: Key size to create. Defaults to 1024.
* ``valid_days``: How long the certificate is valid for. Defaults to 3650 (10 years).
* ``ca_key``: The private key for the CA. Defaults to ``/etc/keystone/ssl/certs/cakey.pem``.
* ``ca_password``: The password for the CA private key. Defaults to None.
* ``cert_subject``: The subject to set in the certificate. Defaults to /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost. When setting the subject it is important to set CN to be the address of the server so client validation will succeed. This generally means having the subject be at least /CN=<keystone ip>
Generating SSL certificates

2
etc/keystone.conf.sample
View File

@ -245,7 +245,6 @@
#ca_key = /etc/keystone/pki/private/cakey.pem
#key_size = 1024
#valid_days = 3650
#ca_password = None
#cert_required = False
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
@ -260,7 +259,6 @@
#ca_key = /etc/keystone/pki/private/cakey.pem
#key_size = 2048
#valid_days = 3650
#ca_password = None
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
[ldap]

2
keystone/common/config.py
View File

@ -106,7 +106,6 @@ FILE_OPTIONS = {
cfg.BoolOpt('cert_required', default=False),
cfg.IntOpt('key_size', default=1024),
cfg.IntOpt('valid_days', default=3650),
cfg.StrOpt('ca_password', default=None),
cfg.StrOpt('cert_subject',
default='/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost')],
'signing': [
@ -121,7 +120,6 @@ FILE_OPTIONS = {
default="/etc/keystone/ssl/certs/cakey.pem"),
cfg.IntOpt('key_size', default=2048),
cfg.IntOpt('valid_days', default=3650),
cfg.StrOpt('ca_password', default=None),
cfg.StrOpt('cert_subject',
default=('/C=US/ST=Unset/L=Unset/O=Unset/'
'CN=www.example.com'))],

6
keystone/common/openssl.py
View File

@ -58,8 +58,7 @@ class BaseCertificateConfigure(object):
'signing_cert': conf_obj.certfile,
'key_size': int(conf_obj.key_size),
'valid_days': int(conf_obj.valid_days),
'cert_subject': conf_obj.cert_subject,
'ca_password': conf_obj.ca_password}
'cert_subject': conf_obj.cert_subject}
try:
# OpenSSL 1.0 and newer support default_md = default, olders do not
@ -133,7 +132,6 @@ class BaseCertificateConfigure(object):
group=self.use_keystone_group, log=LOG)
if not file_exists(ca_cert):
self.exec_command('openssl req -new -x509 -extensions v3_ca '
'-passin pass:%(ca_password)s '
'-key %(ca_private_key)s -out %(ca_cert)s '
'-days %(valid_days)d '
'-config %(ssl_config)s '
@ -165,7 +163,7 @@ class BaseCertificateConfigure(object):
user=self.use_keystone_user,
group=self.use_keystone_group, log=LOG)
if not file_exists(signing_cert):
self.exec_command('openssl req -key %(signing_key)s -new -nodes '
self.exec_command('openssl req -key %(signing_key)s -new '
'-out %(request_file)s -config %(ssl_config)s '
'-subj %(cert_subject)s')