Use dual intermediate CAs for devstack

This patch updates the devstack plugin to use a dual Certificate
Authority (CA) with intermediate CAs for the Octavia controller
deployment.
This is a more realistic deployment model for testing.
Note: This change uses weak security to save gate resources. Please
refer to the Octavia Certificate Configuration Guide for production
instructions.

Change-Id: I3ec135766c9a1ddb7ac6655c0ee1ccb1e78ead5c

bin/create_certificates.sh

@@ -1,103 +0,0 @@
-#!/bin/bash
-
-# NOTE: This script should not be used for creating certificates in a
-# deployment. It is only used for some testing jobs.
-# Please follow the Octavia Certificate Configuration Guide when setting
-# up a deployment. See:
-# https://docs.openstack.org/octavia/latest/admin/guides/certificates.html
-
-# USAGE: <certificate directory> <openssl.cnf (example in etc/certificate)
-#Those are certificates for testing will be generated
-#
-#* ca_01.pem is a certificate authority file
-#* server.pem combines a key and a cert from this certificate authority
-#* client.key the client key
-#* client.pem the client certificate
-#
-#You will need to copy them to places the agent_api server/client can find and
-#specify it in the config.
-#
-#Example for client use:
-#
-#curl -k -v --key client.key --cacert ca_01.pem --cert client.pem https://0.0.0.0:9443/
-#
-#
-#Notes:
-#For production use the ca issuing the client certificate and the ca issuing the server cetrificate
-#need to be different so a hacker can't just use the server certificate from a compromised amphora
-#to control all the others.
-#
-#Sources:
-#* https://communities.bmc.com/community/bmcdn/bmc_atrium_and_foundation_technologies/
-#discovery/blog/2014/09/03/the-pulse-create-your-own-personal-ca-with-openssl
-#  This describes how to create a CA and sign requests
-#* https://www.digitalocean.com/community/tutorials/
-#openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs -
-#how to issue csr and much more
-
-## Create CA
-
-# Create directories
-CERT_DIR=$1
-OPEN_SSL_CONF=$2 # etc/certificates/openssl.cnf
-VALIDITY_DAYS=${3:-18250} # defaults to 50 years
-
-echo "!!!!!!!!!!!!!!!Do not use this script for deployments!!!!!!!!!!!!!"
-echo "Please use the Octavia Certificate Configuration guide:"
-echo "https://docs.openstack.org/octavia/latest/admin/guides/certificates.html"
-echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
-
-echo $CERT_DIR
-
-
-mkdir -p $CERT_DIR
-cd $CERT_DIR
-if [[ $? -ne 0 ]]; then
-    echo "Failed to change to $CERT_DIR. Check the existence and permission"
-    exit 1
-fi
-mkdir newcerts private
-if [[ $? -ne 0 ]]; then
-    echo "Failed to create directories. Check the permission"
-    exit 1
-fi
-chmod 700 private
-
-# prepare files
-touch index.txt
-echo 01 > serial
-
-
-echo "Create the CA's private and public keypair (2k long)"
-openssl genrsa -passout pass:foobar -des3 -out private/cakey.pem 2048
-
-echo "You will be asked to enter some information about the certificate."
-openssl req -x509 -passin pass:foobar -new -nodes -key private/cakey.pem \
-        -config $OPEN_SSL_CONF \
-        -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
-        -days $VALIDITY_DAYS \
-        -out ca_01.pem
-
-
-echo "Here is the certificate"
-openssl x509 -in ca_01.pem -text -noout
-
-
-## Create Server/Client CSR
-echo "Generate a server key and a CSR"
-openssl req \
-       -newkey rsa:2048 -nodes -keyout client.key \
-       -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
-       -out client.csr
-
-echo "Sign request"
-openssl ca -passin pass:foobar -config $OPEN_SSL_CONF -in client.csr \
-           -days $VALIDITY_DAYS -out client-.pem -batch
-
-echo "Generate single pem client.pem"
-cat client-.pem client.key > client.pem
-
-echo "Note: For production use the ca issuing the client certificate and the ca issuing the server"
-echo "certificate need to be different so a hacker can't just use the server certificate from a"
-echo "compromised amphora to control all the others."
-echo "To use the certificates copy them to the directory specified in the octavia.conf"

bin/create_dual_intermediate_CA.sh

@@ -0,0 +1,161 @@
+#!/bin/bash
+
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+echo "!!!!!!!!!!!!!!!Do not use this script for deployments!!!!!!!!!!!!!"
+echo "Please use the Octavia Certificate Configuration guide:"
+echo "https://docs.openstack.org/octavia/latest/admin/guides/certificates.html"
+echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+
+# This script produces weak security PKI to save resources in the test gates.
+# It should be modified to use stronger encryption (aes256), better pass
+# phrases, and longer keys (4096).
+# Please see the Octavia Certificate Configuration guide:
+# https://docs.openstack.org/octavia/latest/admin/guides/certificates.html
+
+set -x -e
+
+CA_PATH=dual_ca
+
+mkdir $CA_PATH
+chmod 700 $CA_PATH
+cd $CA_PATH
+
+mkdir -p etc/octavia/certs
+chmod 700 etc/octavia/certs
+
+###### Client Root CA
+mkdir client_ca
+cd client_ca
+mkdir certs crl newcerts private
+chmod 700 private
+touch index.txt
+echo 1000 > serial
+
+# Create the client CA private key
+# Note: This uses short key lengths to save entropy in the test gates.
+#       This is not recommended for deployment use!
+openssl genrsa -aes128 -out private/ca.key.pem -passout pass:not-secure-passphrase 1024
+chmod 400 private/ca.key.pem
+
+# Create the client CA root certificate
+openssl req -config ../../openssl.cnf -key private/ca.key.pem -new -x509 -sha256 -extensions v3_ca -days 7300 -out certs/ca.cert.pem -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ClientRootCA" -passin pass:not-secure-passphrase
+
+###### Client Intermediate CA
+mkdir intermediate_ca
+mkdir intermediate_ca/certs intermediate_ca/crl intermediate_ca/newcerts intermediate_ca/private
+chmod 700 intermediate_ca/private
+touch intermediate_ca/index.txt
+echo 1000 > intermediate_ca/serial
+
+# Create the client intermediate CA private key
+# Note: This uses short key lengths to save entropy in the test gates.
+#       This is not recommended for deployment use!
+openssl genrsa -aes128 -out intermediate_ca/private/intermediate.ca.key.pem -passout pass:not-secure-passphrase 1024
+chmod 400 intermediate_ca/private/intermediate.ca.key.pem
+
+# Create the client intermediate CA certificate signing request
+openssl req -config ../../openssl.cnf -key intermediate_ca/private/intermediate.ca.key.pem -new -sha256 -out intermediate_ca/client_intermediate.csr -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ClientIntermediateCA" -passin pass:not-secure-passphrase
+
+# Create the client intermediate CA certificate
+openssl ca -config ../../openssl.cnf -name CA_intermediate -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate_ca/client_intermediate.csr -out intermediate_ca/certs/intermediate.cert.pem -passin pass:not-secure-passphrase -batch
+
+# Create the client CA certificate chain
+cat intermediate_ca/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate_ca/ca-chain.cert.pem
+
+###### Create the client key and certificate
+# Note: This uses short key lengths to save entropy in the test gates.
+#       This is not recommended for deployment use!
+openssl genrsa -aes128 -out intermediate_ca/private/controller.key.pem -passout pass:not-secure-passphrase 1024
+chmod 400 intermediate_ca/private/controller.key.pem
+
+# Create the client controller certificate signing request
+openssl req -config ../../openssl.cnf -key intermediate_ca/private/controller.key.pem -new -sha256 -out intermediate_ca/controller.csr -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=OctaviaController" -passin pass:not-secure-passphrase
+
+# Create the client controller certificate
+openssl ca -config ../../openssl.cnf -name CA_intermediate -extensions usr_cert -days 1825 -notext -md sha256 -in intermediate_ca/controller.csr -out intermediate_ca/certs/controller.cert.pem -passin pass:not-secure-passphrase -batch
+
+# Build the cancatenated client cert and key
+openssl rsa -in intermediate_ca/private/controller.key.pem -out intermediate_ca/private/client.cert-and-key.pem -passin pass:not-secure-passphrase
+
+cat intermediate_ca/certs/controller.cert.pem >> intermediate_ca/private/client.cert-and-key.pem
+
+# We are done with the client CA
+cd ..
+
+###### Stash the octavia default client CA cert files
+cp client_ca/intermediate_ca/ca-chain.cert.pem etc/octavia/certs/client_ca.cert.pem
+chmod 444 etc/octavia/certs/client_ca.cert.pem
+cp client_ca/intermediate_ca/private/client.cert-and-key.pem etc/octavia/certs/client.cert-and-key.pem
+chmod 600 etc/octavia/certs/client.cert-and-key.pem
+
+###### Server Root CA
+mkdir server_ca
+cd server_ca
+mkdir certs crl newcerts private
+chmod 700 private
+touch index.txt
+echo 1000 > serial
+
+# Create the server CA private key
+# Note: This uses short key lengths to save entropy in the test gates.
+#       This is not recommended for deployment use!
+openssl genrsa -aes128 -out private/ca.key.pem -passout pass:not-secure-passphrase 1024
+chmod 400 private/ca.key.pem
+
+# Create the server CA root certificate
+openssl req -config ../../openssl.cnf -key private/ca.key.pem -new -x509 -sha256 -extensions v3_ca -days 7300 -out certs/ca.cert.pem -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ServerRootCA" -passin pass:not-secure-passphrase
+
+###### Server Intermediate CA
+mkdir intermediate_ca
+mkdir intermediate_ca/certs intermediate_ca/crl intermediate_ca/newcerts intermediate_ca/private
+chmod 700 intermediate_ca/private
+touch intermediate_ca/index.txt
+echo 1000 > intermediate_ca/serial
+
+# Create the server intermediate CA private key
+# Note: This uses short key lengths to save entropy in the test gates.
+#       This is not recommended for deployment use!
+openssl genrsa -aes128 -out intermediate_ca/private/intermediate.ca.key.pem -passout pass:not-secure-passphrase 1024
+chmod 400 intermediate_ca/private/intermediate.ca.key.pem
+
+# Create the server intermediate CA certificate signing request
+openssl req -config ../../openssl.cnf -key intermediate_ca/private/intermediate.ca.key.pem -new -sha256 -out intermediate_ca/server_intermediate.csr -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ServerIntermediateCA" -passin pass:not-secure-passphrase
+
+# Create the server intermediate CA certificate
+openssl ca -config ../../openssl.cnf -name CA_intermediate -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate_ca/server_intermediate.csr -out intermediate_ca/certs/intermediate.cert.pem -passin pass:not-secure-passphrase -batch
+
+# Create the server CA certificate chain
+cat intermediate_ca/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate_ca/ca-chain.cert.pem
+
+# We are done with the server CA
+cd ..
+
+###### Stash the octavia default server CA cert files
+cp server_ca/intermediate_ca/ca-chain.cert.pem etc/octavia/certs/server_ca-chain.cert.pem
+chmod 444 etc/octavia/certs/server_ca-chain.cert.pem
+cp server_ca/intermediate_ca/certs/intermediate.cert.pem etc/octavia/certs/server_ca.cert.pem
+chmod 400 etc/octavia/certs/server_ca.cert.pem
+cp server_ca/intermediate_ca/private/intermediate.ca.key.pem etc/octavia/certs/server_ca.key.pem
+chmod 400 etc/octavia/certs/server_ca.key.pem
+
+##### Validate the Octavia PKI files
+set +x
+echo "################# Verifying the Octavia files ###########################"
+openssl verify -CAfile etc/octavia/certs/client_ca.cert.pem etc/octavia/certs/client.cert-and-key.pem
+openssl verify -CAfile etc/octavia/certs/server_ca-chain.cert.pem etc/octavia/certs/server_ca.cert.pem
+
+echo "!!!!!!!!!!!!!!!Do not use this script for deployments!!!!!!!!!!!!!"
+echo "Please use the Octavia Certificate Configuration guide:"
+echo "https://docs.openstack.org/octavia/latest/admin/guides/certificates.html"
+echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

bin/create_single_CA_intermediate_CA.sh

@@ -0,0 +1,116 @@
+#!/bin/bash
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+echo "!!!!!!!!!!!!!!!Do not use this script for deployments!!!!!!!!!!!!!"
+echo "Single CA mode is insecure, do not use this! It is for testing only."
+echo "Please use the Octavia Certificate Configuration guide:"
+echo "https://docs.openstack.org/octavia/latest/admin/guides/certificates.html"
+echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+
+# This script produces weak security PKI to save resources in the test gates.
+# A single CA should never be used in a production deployment. This script
+# exists purely to test legacy migrations / deployments where someone
+# acidently used a single CA.
+
+set -x -e
+
+CA_PATH=single_ca
+
+mkdir $CA_PATH
+chmod 700 $CA_PATH
+cd $CA_PATH
+
+mkdir -p etc/octavia/certs
+chmod 700 etc/octavia/certs
+
+###### Client Root CA
+mkdir client_ca
+cd client_ca
+mkdir certs crl newcerts private
+chmod 700 private
+touch index.txt
+echo 1000 > serial
+
+# Create the client CA private key
+# Note: This uses short key lengths to save entropy in the test gates.
+#       This is not recommended for deployment use!
+openssl genrsa -aes128 -out private/ca.key.pem -passout pass:not-secure-passphrase 1024
+chmod 400 private/ca.key.pem
+
+# Create the client CA root certificate
+openssl req -config ../../openssl.cnf -key private/ca.key.pem -new -x509 -sha256 -extensions v3_ca -days 7300 -out certs/ca.cert.pem -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ClientRootCA" -passin pass:not-secure-passphrase
+
+###### Client Intermediate CA
+mkdir intermediate_ca
+mkdir intermediate_ca/certs intermediate_ca/crl intermediate_ca/newcerts intermediate_ca/private
+chmod 700 intermediate_ca/private
+touch intermediate_ca/index.txt
+echo 1000 > intermediate_ca/serial
+
+# Create the client intermediate CA private key
+# Note: This uses short key lengths to save entropy in the test gates.
+#       This is not recommended for deployment use!
+openssl genrsa -aes128 -out intermediate_ca/private/intermediate.ca.key.pem -passout pass:not-secure-passphrase 1024
+chmod 400 intermediate_ca/private/intermediate.ca.key.pem
+
+# Create the client intermediate CA certificate signing request
+openssl req -config ../../openssl.cnf -key intermediate_ca/private/intermediate.ca.key.pem -new -sha256 -out intermediate_ca/client_intermediate.csr -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ClientIntermediateCA" -passin pass:not-secure-passphrase
+
+# Create the client intermediate CA certificate
+openssl ca -config ../../openssl.cnf -name CA_intermediate -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate_ca/client_intermediate.csr -out intermediate_ca/certs/intermediate.cert.pem -passin pass:not-secure-passphrase -batch
+
+# Create the client CA certificate chain
+cat intermediate_ca/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate_ca/ca-chain.cert.pem
+
+###### Create the client key and certificate
+# Note: This uses short key lengths to save entropy in the test gates.
+#       This is not recommended for deployment use!
+openssl genrsa -aes128 -out intermediate_ca/private/controller.key.pem -passout pass:not-secure-passphrase 1024
+chmod 400 intermediate_ca/private/controller.key.pem
+
+# Create the client controller certificate signing request
+openssl req -config ../../openssl.cnf -key intermediate_ca/private/controller.key.pem -new -sha256 -out intermediate_ca/controller.csr -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=OctaviaController" -passin pass:not-secure-passphrase
+
+# Create the controller client certificate
+openssl ca -config ../../openssl.cnf -name CA_intermediate -extensions usr_cert -days 1825 -notext -md sha256 -in intermediate_ca/controller.csr -out intermediate_ca/certs/controller.cert.pem -passin pass:not-secure-passphrase -batch
+
+# Build the cancatenated client cert and key
+openssl rsa -in intermediate_ca/private/controller.key.pem -out intermediate_ca/private/client.cert-and-key.pem -passin pass:not-secure-passphrase
+
+cat intermediate_ca/certs/controller.cert.pem >> intermediate_ca/private/client.cert-and-key.pem
+
+# We are done with the client CA
+cd ..
+
+###### Stash the octavia default cert files
+cp client_ca/intermediate_ca/ca-chain.cert.pem etc/octavia/certs/client_ca.cert.pem
+chmod 444 etc/octavia/certs/client_ca.cert.pem
+cp client_ca/intermediate_ca/private/client.cert-and-key.pem etc/octavia/certs/client.cert-and-key.pem
+chmod 600 etc/octavia/certs/client.cert-and-key.pem
+cp client_ca/intermediate_ca/ca-chain.cert.pem etc/octavia/certs/server_ca.cert.pem
+chmod 444 etc/octavia/certs/server_ca.cert.pem
+cp client_ca/intermediate_ca/private/intermediate.ca.key.pem etc/octavia/certs/server_ca.key.pem
+chmod 600 etc/octavia/certs/server_ca.key.pem
+
+##### Validate the Octavia PKI files
+set +x
+echo "################# Verifying the Octavia files ###########################"
+openssl verify -CAfile etc/octavia/certs/client_ca.cert.pem etc/octavia/certs/client.cert-and-key.pem
+openssl verify -CAfile etc/octavia/certs/server_ca.cert.pem etc/octavia/certs/server_ca.cert.pem
+
+echo "!!!!!!!!!!!!!!!Do not use this script for deployments!!!!!!!!!!!!!"
+echo "Single CA mode is insecure, do not use this! It is for testing only."
+echo "Please use the Octavia Certificate Configuration guide:"
+echo "https://docs.openstack.org/octavia/latest/admin/guides/certificates.html"
+echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

bin/openssl.cnf

@@ -0,0 +1,144 @@
+# OpenSSL root CA configuration file.
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = ./
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+RANDFILE          = $dir/private/.rand
+
+# The root key and root certificate.
+private_key       = $dir/private/ca.key.pem
+certificate       = $dir/certs/ca.cert.pem
+
+# For certificate revocation lists.
+crlnumber         = $dir/crlnumber
+crl               = $dir/crl/ca.crl.pem
+crl_extensions    = crl_ext
+default_crl_days  = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+# 10 years
+default_days      = 7300
+preserve          = no
+policy            = policy_strict
+
+[ CA_intermediate ]
+# Directory and file locations.
+dir               = ./intermediate_ca
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+RANDFILE          = $dir/private/.rand
+
+# The root key and root certificate.
+private_key       = ./private/ca.key.pem
+certificate       = ./certs/ca.cert.pem
+
+# For certificate revocation lists.
+crlnumber         = $dir/crlnumber
+crl               = $dir/crl/ca.crl.pem
+crl_extensions    = crl_ext
+default_crl_days  = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+# 5 years
+default_days      = 3650
+preserve          = no
+policy            = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+
+# Optionally, specify some defaults.
+countryName_default             = US
+stateOrProvinceName_default     = Oregon
+localityName_default            = Corvallis
+0.organizationName_default      = OpenStack
+organizationalUnitName_default  = Octavia
+emailAddress_default            =
+commonName_default              = example.org
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always

devstack/plugin.sh

@@ -335,14 +335,26 @@ function octavia_configure {
     if [[ "$(trueorfalse False OCTAVIA_USE_PREGENERATED_CERTS)" == "True" ]]; then
         cp -rfp ${OCTAVIA_PREGENERATED_CERTS_DIR} ${OCTAVIA_CERTS_DIR}
     else
-        source $OCTAVIA_DIR/bin/create_certificates.sh $OCTAVIA_CERTS_DIR $OCTAVIA_DIR/etc/certificates/openssl.cnf
+        pushd $OCTAVIA_DIR/bin
+        source create_dual_intermediate_CA.sh
+        mkdir -p ${OCTAVIA_CERTS_DIR}/private
+        chmod 700 ${OCTAVIA_CERTS_DIR}/private
+        cp -p etc/octavia/certs/server_ca.cert.pem ${OCTAVIA_CERTS_DIR}/
+        cp -p etc/octavia/certs/server_ca-chain.cert.pem ${OCTAVIA_CERTS_DIR}/
+        cp -p etc/octavia/certs/server_ca.key.pem ${OCTAVIA_CERTS_DIR}/private/
+        cp -p etc/octavia/certs/client_ca.cert.pem ${OCTAVIA_CERTS_DIR}/
+        cp -p etc/octavia/certs/client.cert-and-key.pem ${OCTAVIA_CERTS_DIR}/private/
+        popd
     fi
 
-    iniset $OCTAVIA_CONF haproxy_amphora client_cert ${OCTAVIA_CERTS_DIR}/client.pem
-    iniset $OCTAVIA_CONF haproxy_amphora server_ca ${OCTAVIA_CERTS_DIR}/ca_01.pem
-    iniset $OCTAVIA_CONF certificates ca_certificate ${OCTAVIA_CERTS_DIR}/ca_01.pem
-    iniset $OCTAVIA_CONF certificates ca_private_key ${OCTAVIA_CERTS_DIR}/private/cakey.pem
-    iniset $OCTAVIA_CONF certificates ca_private_key_passphrase foobar
+    iniset $OCTAVIA_CONF certificates ca_certificate ${OCTAVIA_CERTS_DIR}/server_ca.cert.pem
+    iniset $OCTAVIA_CONF certificates ca_private_key ${OCTAVIA_CERTS_DIR}/private/server_ca.key.pem
+    iniset $OCTAVIA_CONF certificates ca_private_key_passphrase not-secure-passphrase
+    iniset $OCTAVIA_CONF controller_worker client_ca ${OCTAVIA_CERTS_DIR}/client_ca.cert.pem
+    iniset $OCTAVIA_CONF haproxy_amphora client_cert ${OCTAVIA_CERTS_DIR}/private/client.cert-and-key.pem
+    iniset $OCTAVIA_CONF haproxy_amphora server_ca ${OCTAVIA_CERTS_DIR}/server_ca-chain.cert.pem
+
+    # Controller side symmetric encryption, not used for PKI
     iniset $OCTAVIA_CONF certificates server_certs_key_passphrase insecure-key-do-not-use-this-key
 
     if [[ "$OCTAVIA_USE_LEGACY_RBAC" == "True" ]]; then

devstack/pregenerated/certs/client.key

@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDTVy+pO8vjce/b
-QvCvyFiVOWWTSNfAcdtrEZU8kgH61jLtg1Omtz/x9LplQvC2U2lIlAiuLPWAUyTg
-mDEhdOP178h3doCJAlKfnWnwseWDVW/s3arnkgnRoRfkzEJpE4JCPHHi1OgiX7F0
-ySwxCnBcQvd30eF2g4/xogYgVePq+mVcg4l+MiCLRSpRCzTx9XcVe/zwbeQ0fVSO
-ivMKpvF/1mUrs++CFzGX9HFfZ9eAEdVDgi8PTjlJRQyojhopek6/lMivQi+fu+lD
-GPOmmujIrevfLJT+K6dgJ/y4GjwubvNgUecMU3DeiLZtbGohFwoX0+WU/BN5M49t
-54m3Zn4pAgMBAAECggEAZu5MwUDlYaZJauHkdci/FBa7WQueQRVzB2et5q06F6Ah
-d7qBkG4pz78g1VbQBA0F9xpaS/KLs29LQ7P8Ic5bhJm/aiemHJSsBx9UzKzoGpoP
-BC9GILjo3Vd3WrD9G04sH/Ruh0qosK0osbeVNWFfLiBThOEMzXrwLYB7OV57viJI
-4YAXGOzOgK3aMHF8cYRRgTDIi2dGAMH1EyIIB8gKYlp1PdMmaTOk2LBhechuImRX
-4LgvM1fUdJ7utyQKEXMJEg+wzV9BMlX6nvM3vVWdYZy2Hsu9DDyJUFYQk9cDpXNP
-RF4jjLUtz6gEZOlotOQgPWqLANJrt/BdVfyeA97psQKBgQD7SeNlQd2bu8GfH0vB
-mjzSWmJ3nDnpeaUR9MIYVQ6zNlvYPjM2BMVQtE5+VWK15YOjD5L9SoresNKubrSv
-wzNFeqf6Dvq7zJ+6Rkst7GcRV/P3D4C3ZeKeDNjVm4eMRCa5ttIJlLmfqffeLO9M
-RSanNjnjwWENgsXCCvlVBfc9ZQKBgQDXTY8X9ug9xVlqBR4TMfzXBadzP+nDqYd9
-MkH3tEltLba0vP4vKyjQa8A9FMzSRr9bv13mNpAbFEDGnhzv1l5OlHTM6tG//Rxq
-nnhmFLFWZl8WowP0LiPTafrDjGEX/7iDAJjAtSacBBm6EGaM8igWEQT0WXwsQbTw
-rlRolJ5DdQKBgQDgMBJ80x+IAiGC+iPXLOjYbqTsu2d7YfigJXJIzRHZV0Tnjs6X
-gfgbwVFKKplvWL1xa8Ki0a9FcBH2Z3QyXv9OHFjiohyWEb/rKy2FYiSt938Dy0P1
-2yMsCKAnKqPqwx6dj3qh65sT1Er8X7B6pjMO+TT6ehtBN4uBS9MYRMNIdQKBgQDU
-6UztTOzDUSqn7mGcZ916IYxDK1wXcsmapB2aQD4wanl4aEEREiQtX7DednhKJU5N
-A4RvCVweezvHbkp9Xscp/CM5FanQqxPz17yGbkYkg93au+BIE2y4P+CMioDlw6uK
-WQe14i5JMMDkQB25mirMD46PuQJTnbK6JBsyxG1xlQKBgGtcSY0AyVq00p0kkxNm
-KhzI+17T0j0CuczJ/X+NvCUjLsx3NTJatRkJNYHWG7jUqs1vvtZbHVspQeteMlEi
-rNE/xz98iG2eC8AdW+TmZvySmIZgoAoPuopUvBzRiyfLQVh4pPuikbTDghEn+CSG
-WSyOd/I4JsH4xQFJC89nnm5M
------END PRIVATE KEY-----

devstack/pregenerated/certs/private/cakey.pem

@@ -1,30 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,F5D5CAF138266C5C
-
-X7mebmQYgOOgOLi5ec7+kxrDzP5PqD4A2b4dph1qEoVEcwKEcVicrPdDtLeHReO4
-W5WpyJxqUIIHZZWmvCy08tX151/BJYzmDbF5gGf0c2Q7V0Mnfvkn4G01apIxXMXB
-kD4NIL3UB+4D2xmWv7s+PK+T4uNsO9gotUoABc5s4sNDsl7Jbgozo14T8oZkGVot
-GrS1PpTes4GiIwmmlBzrtO+0Y0Yv5tzJrdkz047nXur+1n4YNj87Ui6R3O/crFmI
-cf+L8NefqihmW2qR1deTSozg1oMv3RaZdMsxNDYLcF+4o+18buAHCr//NU71eVIZ
-/P4XrIQQAyLi8u5W/5dFH9FEnNtBz0AJlBpLpKb7O3ZdQ18/UATbdaRrb4cqocEH
-PTEEUTWRf1/5DhT+AXryI3Op0yxEZlVQu/IbEAgiV3wvx5Cof75Hm0m0rtFdnNBc
-L2IA+3+75HGRt/zljh7ByGcui0dQA7i6thDc+qxz4WpcUx10Y9Dn2V5DueWunez+
-kjwRsahervPoaRRL+MuP43B1w4HPDCPOuTDO35TXivSFHz/mFGJ5GOy+iMPddFMa
-RYWlDGkruz4poQ1zXQ2d4Q6wXSFiihU78a/0af8IhjofqAxUA91bC6oBF6OYGXZT
-9cKfK1TUPVQITH2VLcJLxRf+Q4Zgc7gYJqEnh8dJ0lpMAgSkgyQDE0p0ttakj0Xv
-ombZq+7SDSUYnItcPARLe2FWhsihZfu7W6f9fWQcXAv7dYG/opB5yquXaE+96eCO
-1eGc0VttBauW+r87fAJtfm3XgwfrrGwDglcmo5JmaBWRSkxdLn6xPP1pAfGj2jQQ
-EhWhIcbFgnGPhPSWpYMpeE8RdgO0R7Hno10scF5j/t3JPE5pfBOAGmyBsOdWW4TT
-UfICuZ6UznNYtaWcXSrUNXETMFjrDaHoXZ50bG1FMZKA1YCz6QnoE4w42nBTVLj9
-90K+h3mVLqD/5qA8UYZYUuKn+e7w3xY4dRLAXExfB/33kb3A3jjjHYqVTpFXV6Of
-0EAa/BDeGpkWElTmIgjN7VN+1rUDXgLMJ62M/fEkICTM1tSYLKFUdntGQ3YfzYX6
-LHB5BWsrlPFc2a8OXUCu5tvtm387W8X80eMb97e0A501q5P2Wxv/XcuPgVlx5JQP
-37nqFDEtqGJoOE1LC5xZVzisNk7QVh6r0N3tGVeyE/bE0nvOYr/Zw8SVmwqNr8/I
-jQspeH48uAudQ/lZ8aFUFpj7bm2Ie8ka2QqZAhPMDHy2Y8zf0obNB/RTG/SHSdMc
-j2jdL1cUPcPOG+c2yLsgap+lpFpHZgeiTFY9775F3ODrADOiS2k5XkQCTz/n/Z3z
-QOhz2T1RM8aa+xjk33YFJyVfYKQGEXfQwJ/RSJjMglDsJSE+py1ZPj4TzYnXfcjr
-f26ReNcqL1/0sTSMf14OIKYEBNN8L4zQHX8BWY8EhPc8qBxspJQzH8imbNYb0x/M
-+X0kZJbsEpO5JRD70KOoOM8vmStAglWTbbt9JLDjL98Ks54+Si9fgGql8njyo96V
-vwNihqd8kqEk9STXKwJZzmkXvcs8WDuFUuLDtQYjk6GMT17e10TgmA==
------END RSA PRIVATE KEY-----

devstack/pregenerated/certs/private/server_ca.key.pem

@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,B6C2D5A9657E9635BE06551CAD6EF969
+
+N90cGt5rEntmiPvIAQwbO9W02blpDRZLJYMJeqttqxttnq6+InYQL3M4nJmR8XVz
+/bCjWhMQlh5kEKzBtjhu5xFXqYhF3q9UcA6/13VY4gicrSHwwpoVLP0X2IXFp6ub
+t4haSggaH6F2ZxF9DJCVG6+GyqOpuTPlGD4QiEf40NTo7x2H+JCEveLsIaSUljTV
+W/XZDk1RSo8hMpr+huqCQOZxfhEuM76gSK8wPW3nCzVoBMCk/1RpMcXq8A7FT9gd
+0V+2jwucDPOEVrTLmYjh/Aln6ATdte2l/b9XKPnAoVW6psYw83pu2hXtjgfCI+ey
+IbRvzJ9djPvx0qhEu/EQIcKLFfNt/+OExm7rce8+O6NcB1x+bFbvCLamPYQxtcjE
+xjqOWD0QT+VtIdqnG631jctN2mocmhVWfmp6le1RlkwfKSsbS1lb6Lcj/TasTlai
+5c6hfYB83drlJUw0374PuWn8Tb62HGaROK8JEG07CcgNT1l8KXHrCpLzwEQvRtP+
+Bze+mlbjScm21ny280huQz5hiNdDrH9q/YzVHcHEVICAnimEsZeaQCyEt0Um9h56
+gvTZ6Udh/SeetBsL77hQ3EwDYs2nNdacaOIu5tASrfdMXWdSiLiNR8zK7y7x4a0b
+GrgrerYJPWdb2axy4rrhzzlPRTHCJL1gA/E3CYC5mObk07tCMoQt7Ak3dofto9jG
+1CSRLGqbP31k7tXBOLCwNAYekQkDWRQV4u0vf2aWJdLjxLwiX7424E6p/cvaUi5B
+Sv+Iit3Zuee7Tq6DK0rv+5oWZmyfC/rzHcqmAMUhnjfBBlcI1N22BrBEBpfX6zq1
+DnIwiS9ayJMzaExSS+tBuqoHuoLMo2Fn++NpYxIUrwtQBvAD1Qxqx6QacTGFK025
+UpyV/ML+FdENujwU6KYYdciHX3E7nU4UYC/qwT7u9B/k3OiTS37GSlnz4ZkU34cF
+UiBcN2gXqYYxsonD37vUX40oTjrQYaQJbWcGgcyNw7Z5U4GV7t1ZFcxNBuE485pE
+jqZiDkeP5zmk+r9AB7djUpcowQ0TpPs1SthPsllv/LidusA8DwmeGp063fa1wScv
+gH6iJ40HRc7ffwN4ikk409L8awjpSA+HyXC+BsjIaG9uyaoy6XpjjQHrl/kZgeS2
+Nm3wvq00OFKYLi8UgmXlrRNMyNc/osTSAesdJeaiNHUM/+nrdTL1SaOvht/6i07B
+bG7Vqv3LtpWvd8fDhSPR/1eiBaYBzDJ+jx25oX5Wbv4/AbsG5/BEgfrBJnMddPyv
+Y8X6LY3IpUqRx1sf1L3ia3YxWp5r3bfcCQvVL0W6brEKxbw8BTHFrS3qaBOOfLrC
+XuiMKEUcSlexxYnYcJr1RnBYQ4HqcAOCbqQAhXqFv5nge+5gSskP8MS/FtGZ0+nm
+wi2ak3WmZbpr08mVnjHVhhxnuuVm7esYhNJLwXvSITXfUPPgpjvzYe0ABLdtWVuo
+s4NsU/1XG33I4r+gnrHQyFxsgaZ3rr5VpcbTHLzDzBgTRWk06AZB/nxyfAexE67U
+VHRL+4FP+ee5CxpWkT8i0/n2PJ/U/42+pglZmxEzIw76PqcT0aqmnpSwsEnnMH0w
+-----END RSA PRIVATE KEY-----

devstack/pregenerated/certs/server_ca-chain.cert.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDjTCCAnWgAwIBAgIJAPJtDNgcwPTZMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV
+BAYTAlVTMQ8wDQYDVQQIDAZEZW5pYWwxFDASBgNVBAcMC1NwcmluZ2ZpZWxkMQww
+CgYDVQQKDANEaXMxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAgFw0xNjEwMTQx
+MzQzNDJaGA8yMDY2MTAwMjEzNDM0MlowXDELMAkGA1UEBhMCVVMxDzANBgNVBAgM
+BkRlbmlhbDEUMBIGA1UEBwwLU3ByaW5nZmllbGQxDDAKBgNVBAoMA0RpczEYMBYG
+A1UEAwwPd3d3LmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAxptZMcFHFsCXWUxWNOkXXARCvAkZ7MeXDAyKzadWup9Trzn3qdz1h6+e
+VbPBYTiJeuvX7RWpfN3lhFqy9Y+Fu0ip98zZE7ZjbvUx13BQBkXiJpqsYIoD6IK1
+Lh4J9Exllzy7bTQ0f/IX1yrRztXkpRM5KvcbfUrGAMEy4SW6Idc6ZI+lwxvVIhqZ
+KXAyTBg4f8hMhPO5RYFyaxS2PdNDaTLrvb1aDiuYLqcpDcr4/0YSg0iejklMHovC
+oLK/uEFgRGYDSX+Os1CUdtnVzLpkFHZtomtEB0kUug4lZpGQckappLq+dWNTu43O
+tJzbEa9lpYT8P/nie94tBQYx5+HgSwIDAQABo1AwTjAdBgNVHQ4EFgQUBpJ+Zoky
+aGdQtMu9NzcoqOPc+yMwHwYDVR0jBBgwFoAUBpJ+ZokyaGdQtMu9NzcoqOPc+yMw
+DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAJe8mlfQ69kyrIuIdbTtg
+Kl7ndj7MGQnmNfxytBB5gqUFwswEPKs4VTp3Pp+EStJZxJ8qeeG9B+g3oU3Rhpqc
+CDhIyCW8shE2ACKLl0zRRk91LDyXASI4UyvjgN71Ti91VZ3oPVvTIefG6CMeI9oD
+Spl6TbPzCOl2rFrTWmdwM3qIVpmhGntdWnA6btga6Fz7dRwUPwycJyhzfLmnjRlQ
+3+QxmF2T5iIYw4B1Lsiz1uy27egMuq2M4Hvd2pSGhCB9l/3ZmEXvbF1aFVcnoEHH
+/aHqOCx2fQTty1M+qnvofs1dNJlyyxq2LuE4r4wocSTRVfexaichhtsSkjQJ60w1
+VA==
+-----END CERTIFICATE-----

devstack/pregenerated/certs/server_ca.cert.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDjTCCAnWgAwIBAgIJAPJtDNgcwPTZMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV
+BAYTAlVTMQ8wDQYDVQQIDAZEZW5pYWwxFDASBgNVBAcMC1NwcmluZ2ZpZWxkMQww
+CgYDVQQKDANEaXMxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAgFw0xNjEwMTQx
+MzQzNDJaGA8yMDY2MTAwMjEzNDM0MlowXDELMAkGA1UEBhMCVVMxDzANBgNVBAgM
+BkRlbmlhbDEUMBIGA1UEBwwLU3ByaW5nZmllbGQxDDAKBgNVBAoMA0RpczEYMBYG
+A1UEAwwPd3d3LmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAxptZMcFHFsCXWUxWNOkXXARCvAkZ7MeXDAyKzadWup9Trzn3qdz1h6+e
+VbPBYTiJeuvX7RWpfN3lhFqy9Y+Fu0ip98zZE7ZjbvUx13BQBkXiJpqsYIoD6IK1
+Lh4J9Exllzy7bTQ0f/IX1yrRztXkpRM5KvcbfUrGAMEy4SW6Idc6ZI+lwxvVIhqZ
+KXAyTBg4f8hMhPO5RYFyaxS2PdNDaTLrvb1aDiuYLqcpDcr4/0YSg0iejklMHovC
+oLK/uEFgRGYDSX+Os1CUdtnVzLpkFHZtomtEB0kUug4lZpGQckappLq+dWNTu43O
+tJzbEa9lpYT8P/nie94tBQYx5+HgSwIDAQABo1AwTjAdBgNVHQ4EFgQUBpJ+Zoky
+aGdQtMu9NzcoqOPc+yMwHwYDVR0jBBgwFoAUBpJ+ZokyaGdQtMu9NzcoqOPc+yMw
+DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAJe8mlfQ69kyrIuIdbTtg
+Kl7ndj7MGQnmNfxytBB5gqUFwswEPKs4VTp3Pp+EStJZxJ8qeeG9B+g3oU3Rhpqc
+CDhIyCW8shE2ACKLl0zRRk91LDyXASI4UyvjgN71Ti91VZ3oPVvTIefG6CMeI9oD
+Spl6TbPzCOl2rFrTWmdwM3qIVpmhGntdWnA6btga6Fz7dRwUPwycJyhzfLmnjRlQ
+3+QxmF2T5iIYw4B1Lsiz1uy27egMuq2M4Hvd2pSGhCB9l/3ZmEXvbF1aFVcnoEHH
+/aHqOCx2fQTty1M+qnvofs1dNJlyyxq2LuE4r4wocSTRVfexaichhtsSkjQJ60w1
+VA==
+-----END CERTIFICATE-----