openstack
/
openstack-ansible-os_octavia
Code Issues Proposed changes

Merge "Use PKI role for certificate generation"

This commit is contained in:
Zuul 2022-06-08 01:24:14 +00:00 committed by Gerrit Code Review
parent 2bcdfdb61a 757aecd58b
commit 2490e5a64e
7 changed files with 132 additions and 523 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

116
defaults/main.yml
View File

@ -430,40 +430,116 @@ octavia_network_driver: allowed_address_pairs_driver
# Set the host which will execute the openssl_* modules
# for the certificate generation. The host must already
# have access to pyOpenSSL.
octavia_cert_setup_host: "{{ openstack_cert_setup_host | default('localhost') }}"
octavia_cert_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
# Set the directory where the certificates will be stored
# on the above host. If the host is localhost, then the user
# running the playbook must have access to it.
octavia_cert_dir: "{{ lookup('env', 'HOME') }}/openstack-ansible/octavia"
octavia_cert_dir: "{{ openstack_pki_dir | default(lookup('env', 'HOME') ~ '/openstack-ansible') }}"
octavia_cert_keys_dir: "{{ octavia_cert_dir }}/certs/private/"
octavia_cert_certs_dir: "{{ octavia_cert_dir }}/certs/certs/"
octavia_cert_dir_owner: "{{ lookup('env', 'USER') }}"
octavia_cert_key_length_server: '4096' # key length
octavia_cert_cipher_server: 'auto'
octavia_cert_cipher_client: 'auto'
octavia_cert_key_length_client: '4096' # key length
octavia_cert_server_ca_subject: '/C=US/ST=Denial/L=Nowhere/O=Dis/CN=www.example.com' # change this to something more real
octavia_cert_client_ca_subject: '/C=US/ST=Denial/L=Nowhere/O=Dis/CN=www.example.com' # change this to something more real
octavia_cert_client_req_common_name: 'www.example.com' # change this to something more real
octavia_cert_client_req_country_name: 'US'
octavia_cert_client_req_state_or_province_name: 'Denial'
octavia_cert_client_req_locality_name: 'Nowhere'
octavia_cert_client_req_organization_name: 'Dis'
octavia_cert_validity_days: 1825 # 5 years
octavia_generate_client_cert: True # generate self signed client certs
octavia_generate_certs: True
octavia_generate_certs: True # generate self signed client certs
octavia_generate_client_cert: True
octavia_generate_ca: True
octavia_regenerate_client_cert: ''
octavia_regenerate_ca: ''
# client certs
octavia_client_ca_key: "{{ octavia_cert_dir }}/ca_01.key"
octavia_client_ca: "{{ octavia_cert_dir }}/ca_01.pem"
octavia_client_cert: "{{ octavia_cert_dir }}/client.pem"
# server
octavia_server_ca: "{{ octavia_ca_certificate }}"
# ca certs
octavia_ca_private_key: "{{ octavia_cert_dir }}/private/cakey.pem"
octavia_cert_authorities:
- name: "OctaviaServerRoot"
country: "{{ octavia_cert_client_req_country_name }}"
state_or_province_name: "{{ octavia_cert_client_req_state_or_province_name }}"
organization_name: "{{ octavia_cert_client_req_organization_name }}"
locality_name: "{{ octavia_cert_client_req_locality_name }}"
cn: "Octavia Server CA"
provider: selfsigned
basic_constraints: "CA:TRUE"
key_passphrase: "{{ octavia_ca_private_key_passphrase }}"
key_usage:
- digitalSignature
- cRLSign
- keyCertSign
not_after: "+{{ octavia_cert_validity_days }}d"
- name: "OctaviaClientRoot"
country: "{{ octavia_cert_client_req_country_name }}"
state_or_province_name: "{{ octavia_cert_client_req_state_or_province_name }}"
organization_name: "{{ octavia_cert_client_req_organization_name }}"
locality_name: "{{ octavia_cert_client_req_locality_name }}"
cn: "Octavia Client CA"
provider: selfsigned
basic_constraints: "CA:TRUE"
key_passphrase: "{{ octavia_cert_client_password }}"
key_usage:
- digitalSignature
- cRLSign
- keyCertSign
not_after: "+{{ octavia_cert_validity_days }}d"
octavia_cert_certificates:
- name: "octavia_client"
provider: ownca
cn: "{{ octavia_cert_client_req_common_name }}"
signed_by: "OctaviaClientRoot"
ownca_key_passphrase: "{{ octavia_cert_client_password }}"
key_usage:
- nonRepudiation
- digitalSignature
- keyEncipherment
extended_key_usage:
- clientAuth
- emailProtection
# Installation details for SSL certificates
octavia_cert_install_certificates:
# Server CA
- src: "{{ octavia_ca_certificate | default(octavia_cert_dir ~ '/roots/OctaviaServerRoot/certs/OctaviaServerRoot.crt') }}"
dest: "/etc/octavia/certs/server_ca.pem"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0640"
- src: "{{ octavia_ca_private_key | default(octavia_cert_dir ~ '/roots/OctaviaServerRoot/private/OctaviaServerRoot.key.pem') }}"
dest: "/etc/octavia/certs/ca_key.pem"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0640"
# Client CA
- src: "{{ octavia_client_ca | default(octavia_cert_dir ~ '/roots/OctaviaClientRoot/certs/OctaviaClientRoot.crt') }}"
dest: "/etc/octavia/certs/client_ca.pem"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0640"
# Client certificate
- src: "{{ octavia_client_cert | default(octavia_cert_certs_dir ~ '/octavia_client.crt') }}"
dest: "/etc/octavia/certs/client.pem.crt"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0640"
- src: "{{ octavia_client_key | default(octavia_cert_keys_dir ~ '/octavia_client.key.pem') }}"
dest: "/etc/octavia/certs/client.pem.key"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0640"
# Custom client CA
#octavia_client_ca: "{{ octavia_cert_dir }}/ca_01.pem"
## Custom client certs
#octavia_client_cert: "{{ octavia_cert_dir }}/client.pem"
#octavia_client_key: "{{ octavia_cert_dir }}/client.key.pem"
## server
#octavia_server_ca: "{{ octavia_ca_certificate }}"
## ca certs
#octavia_ca_private_key: "{{ octavia_cert_dir }}/private/cakey.pem"
octavia_ca_private_key_passphrase: "{{ octavia_cert_client_password }}"
octavia_ca_certificate: "{{ octavia_cert_dir }}/ca_server_01.pem"
octavia_signing_digest: sha256
#octavia_ca_certificate: "{{ octavia_cert_dir }}/ca_server_01.pem"
# Quotas for the Octavia user - assuming active/passive topology
octavia_num_instances: 10000 # 5000 LB in active/passive

53
tasks/main.yml
View File

@ -95,17 +95,6 @@
tags:
- always
- include_tasks: octavia_certs.yml
args:
apply:
tags:
- octavia-config
when:
- octavia_generate_certs | bool
- _octavia_is_first_play_host
tags:
- always
- name: Gather variables for installation method
include_vars: "{{ octavia_install_method }}_install.yml"
tags:
@ -115,19 +104,43 @@
tags:
- octavia-install
- name: Create and install SSL certificates
include_role:
name: pki
vars:
pki_setup_host: "{{ octavia_cert_setup_host }}"
pki_dir: "{{ octavia_cert_dir }}"
pki_create_ca: "{{ octavia_generate_ca }}"
pki_regen_ca: "{{ octavia_regenerate_ca }}"
pki_authorities: "{{ octavia_cert_authorities }}"
pki_create_certificates: "{{ octavia_generate_client_cert }}"
pki_regen_cert: "{{ octavia_regenerate_client_cert }}"
pki_certificates: "{{ octavia_cert_certificates }}"
pki_install_certificates: "{{ octavia_cert_install_certificates }}"
when:
- octavia_generate_certs | bool
tags:
- always
- name: Assemble SSL certificates
assemble:
src: /etc/octavia/certs/
dest: /etc/octavia/certs/client.pem
regexp: '(client\.pem\.crt|client\.pem\.key)$'
notify:
- Restart octavia services
- Restart uwsgi services
when:
- octavia_generate_certs | bool
tags:
- octavia-config
- octavia-install
- import_tasks: octavia_install.yml
tags:
- octavia-install
- include_tasks: octavia_certs_distribute.yml
args:
apply:
tags:
- octavia-config
when: octavia_generate_certs | bool
tags:
- always
- name: Import uwsgi role
import_role:
name: uwsgi

186
tasks/octavia_certs.yml
View File

@ -1,186 +0,0 @@
---
# Copyright 2018, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# We set the python interpreter to the ansible runtime venv if
# the delegation is to localhost so that we get access to the
# appropriate python libraries in that venv. If the delegation
# is to another host, we assume that it is accessible by the
# system python instead.
- name: Prepare octavia_cert_setup_host for certificate generation
delegate_to: "{{ octavia_cert_setup_host }}"
delegate_facts: true
vars:
ansible_python_interpreter: >-
{{ (octavia_cert_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']) }}
block:
- name: Create certificate directories
file:
path: "{{ item.path }}"
state: directory
mode: "{{ item.mode }}"
owner: "{{ octavia_cert_dir_owner }}"
with_items:
- { path: "{{ octavia_cert_dir }}", mode: '0750' }
- { path: "{{ octavia_cert_dir }}/newcerts", mode: '0750'}
- { path: "{{ octavia_cert_dir }}/private", mode: '0750'}
# ansible's openssl_certificate can't create X509 extensions
# but you need CA: true in Basic Constraints to have a CA cert
# set up openssl for use
- name: Touch index.txt
file:
path: "{{ octavia_cert_dir }}/index.txt"
state: touch
mode: 0755
- name: Init serial
copy:
content: "01"
dest: "{{ octavia_cert_dir }}/serial"
force: no
- name: Generate openssl.conf
template:
src: "templates/openssl.conf.j2"
dest: "{{ octavia_cert_dir }}/openssl.cnf"
mode: 0440
- name: Create the server CA private key
openssl_privatekey:
path: "{{ octavia_ca_private_key }}"
passphrase: "{{ octavia_ca_private_key_passphrase }}"
cipher: "{{ octavia_cert_cipher_server }}"
size: "{{ octavia_cert_key_length_server }}"
- name: Create server CA certificate
command: >
openssl req -x509 -passin pass:'{{ octavia_ca_private_key_passphrase }}' -new -nodes -key {{ octavia_ca_private_key }} \
-config {{ octavia_cert_dir }}/openssl.cnf \
-subj "{{ octavia_cert_server_ca_subject }}" \
-days {{ octavia_cert_validity_days }} \
-out {{ octavia_ca_certificate }}
args:
chdir: "{{ octavia_cert_dir }}"
creates: "{{ octavia_ca_certificate }}"
- name: Store octavia ca private key
slurp:
src: "{{ octavia_ca_private_key }}"
register: _octavia_ca_private_key
changed_when: false
- name: Store octavia ca cert
slurp:
src: "{{ octavia_ca_certificate }}"
register: _octavia_ca_certificate
changed_when: false
# same as octavia ca cert
- name: Store octavia server ca
slurp:
src: "{{ octavia_server_ca }}"
register: _octavia_server_ca
changed_when: false
- name: Register a fact for the CA cert and key
set_fact:
octavia_ca_private_key_fact: "{{ _octavia_ca_private_key['content'] | b64decode }}"
octavia_ca_certificate_fact: "{{ _octavia_ca_certificate['content'] | b64decode }}"
octavia_server_ca_fact: "{{ _octavia_server_ca['content'] | b64decode }}"
# These are run at the very first installation of Octavia
# While Octavia acts as a CA for the server certificates,
# for the amphora it only needs a client certificate and
# the (public) certificate authority certificate.
# Generating the secret key here and storing it
# on the deploy host allows us to rotate the client
# certificate without recycling the amphora since
# we can keep the same CA.
- name: Generate keys/certificates on octavia_cert_setup_host
delegate_to: "{{ octavia_cert_setup_host }}"
delegate_facts: true
vars:
ansible_python_interpreter: >-
{{ (octavia_cert_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']) }}
when: octavia_generate_client_cert | bool
block:
- name: Create the client CAs private key
openssl_privatekey:
path: "{{ octavia_client_ca_key }}"
passphrase: "{{ octavia_cert_client_password }}"
cipher: "{{ octavia_cert_cipher_client }}"
size: "{{ octavia_cert_key_length_client }}"
- name: Create client CA certificate
command: >
openssl req -x509 -passin pass:'{{ octavia_cert_client_password }}' -new -nodes -key {{ octavia_client_ca_key }} \
-config {{ octavia_cert_dir }}/openssl.cnf \
-subj "{{ octavia_cert_client_ca_subject }}" \
-days {{ octavia_cert_validity_days }} \
-out {{ octavia_client_ca }}
args:
chdir: "{{ octavia_cert_dir }}"
creates: "{{ octavia_client_ca }}"
- name: Create the client cert private key
openssl_privatekey:
path: "{{ octavia_cert_dir }}/client.key"
size: "{{ octavia_cert_key_length_client }}"
- name: Create client cert CSR
openssl_csr:
path: "{{ octavia_cert_dir }}/client.csr"
common_name: "{{ octavia_cert_client_req_common_name }}"
country_name: "{{ octavia_cert_client_req_country_name }}"
state_or_province_name: "{{ octavia_cert_client_req_state_or_province_name }}"
locality_name: "{{ octavia_cert_client_req_locality_name }}"
organization_name: "{{ octavia_cert_client_req_organization_name }}"
privatekey_path: "{{ octavia_cert_dir }}/client.key"
- name: Create client certificate
command: >
openssl ca -passin pass:'{{ octavia_ca_private_key_passphrase }}' -config {{ octavia_cert_dir }}/openssl.cnf \
-in client.csr -days {{ octavia_cert_validity_days }} -out client-.pem -batch
args:
chdir: "{{ octavia_cert_dir }}"
creates: "{{ octavia_cert_dir }}/client-.pem"
# use cat to avoid mangling the certs
- name: Generate single pem client.pem
shell: "cat client-.pem client.key >{{ octavia_client_cert }}"
args:
chdir: "{{ octavia_cert_dir }}"
creates: "{{ octavia_client_cert }}"
tags:
- skip_ansible_lint
- name: Store octavia client ca
slurp:
src: "{{ octavia_client_ca }}"
register: _octavia_client_ca
changed_when: false
- name: Store octavia client cert
slurp:
src: "{{ octavia_client_cert }}"
register: _octavia_client_cert
changed_when: false
- name: Register a fact for the cert and key
set_fact:
octavia_client_ca_fact: "{{ _octavia_client_ca['content'] | b64decode }}"
octavia_client_cert_fact: "{{ _octavia_client_cert['content'] | b64decode }}"

29
tasks/octavia_certs_distribute.yml
View File

@ -1,29 +0,0 @@
---
- name: Create certs directory
file:
path: /etc/octavia/certs/
state: directory
- name: Copy certificates
copy:
content: "{{ item.content }}"
dest: "{{ item.dest }}"
owner: "{{ octavia_system_user_name }}"
group: "{{ octavia_system_group_name }}"
mode: "0640"
no_log: true
with_items:
- content: "{{ hostvars[octavia_cert_setup_host]['octavia_ca_private_key_fact'] }}"
dest: "/etc/octavia/certs/ca_key.pem"
- content: "{{ hostvars[octavia_cert_setup_host]['octavia_ca_certificate_fact'] }}"
dest: "/etc/octavia/certs/ca.pem"
- content: "{{ hostvars[octavia_cert_setup_host]['octavia_server_ca_fact'] }}"
dest: "/etc/octavia/certs/server_ca.pem"
- content: "{{ hostvars[octavia_cert_setup_host]['octavia_client_ca_fact'] }}"
dest: "/etc/octavia/certs/client_ca.pem"
- content: "{{ hostvars[octavia_cert_setup_host]['octavia_client_cert_fact'] }}"
dest: "/etc/octavia/certs/client.pem"
notify:
- Restart octavia services
- Restart uwsgi services

4
templates/octavia.conf.j2
View File

@ -66,10 +66,10 @@ memcache_security_strategy = ENCRYPT
memcache_secret_key = {{ memcached_encryption_key }}
[certificates]
ca_certificate = /etc/octavia/certs/ca.pem
ca_certificate = /etc/octavia/certs/server_ca.pem
ca_private_key = /etc/octavia/certs/ca_key.pem
ca_private_key_passphrase = {{ octavia_ca_private_key_passphrase }}
signing_digest = {{ octavia_signing_digest }}
signing_digest = sha256
{% if octavia_barbican_enabled %}
cert_manager = barbican_cert_manager
endpoint_type = {{ octavia_clients_endpoint }}

263
templates/openssl.conf.j2
View File

@ -1,263 +0,0 @@
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = "{{ octavia_cert_dir }}" # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = "{{ octavia_client_ca }}" # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = {{ octavia_client_ca_key }}# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
####################################################################
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = md5, sha1 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)

4
zuul.d/project.yaml
View File

@ -18,8 +18,6 @@
- check-requirements
- openstack-ansible-linters-jobs
- openstack-ansible-deploy-aio_metal-jobs
# Need to add support of distro installs before
# adding the next job template
# - openstack-ansible-deploy-aio_distro_metal-jobs
- openstack-ansible-deploy-aio_distro_metal-jobs
- publish-openstack-docs-pti
- build-release-notes-jobs-python3