Updating certificates-for-pki content

Documenting how to switch out expired signing certificates with no cloud outage. Change-Id: Ib7eabbcc8c977796d5ed3eb83b54a3ce9d98cc0d Closes-bug: #1333503
2015-06-11 12:04:04 +10:00 · 2015-06-11 12:04:04 +10:00 · 8c08d85b06
commit 8c08d85b06
parent b788a6bfc6
1 changed files with 51 additions and 2 deletions
--- a/doc/common/section_keystone_certificates-for-pki.xml
+++ b/doc/common/section_keystone_certificates-for-pki.xml
@ -132,11 +132,11 @@ SrWY8lF3HrTcJT23sZIleg==</screen>
            following conditions:</para>
        <itemizedlist>
            <listitem>
-                <para>all certificate and key files must be in Privacy
+                <para>All certificate and key files must be in Privacy
                    Enhanced Mail (PEM) format</para>
            </listitem>
            <listitem>
-                <para>private key files must not be protected by a
+                <para>Private key files must not be protected by a
                    password</para>
            </listitem>
        </itemizedlist>
@ -253,4 +253,53 @@ emailAddress            = keystone@openstack.org
            sure it is reflected in the <literal>[signing]</literal>
            section of the configuration file.</para>
    </section>
+    <section xml:id="switching-expired-signing-certs">
+        <title>Switching out expired signing certificates</title>
+          <para>The following procedure details how to switch out
+              expired signing certificates with no cloud outages.</para>
+            <procedure>
+              <step>
+                <para>
+                   Generate a new signing key.
+                </para>
+              </step>
+              <step>
+                <para>
+                   Generate a new certificate request.
+                </para>
+              </step>
+              <step>
+                <para>
+                   Sign the new certificate with the existing CA to generate a new
+                   <filename>signing_cert</filename>.
+                </para>
+              </step>
+              <step>
+                <para>
+                   Append the new <filename>signing_cert</filename> to
+                   the old <filename>signing_cert</filename>. Ensure
+                   the old certificate is in the file first.
+                </para>
+              </step>
+              <step>
+                <para>
+                    Remove all signing certificates from all your hosts to force OpenStack
+                    Compute to download the new <filename>signing_cert</filename>.
+                </para>
+              </step>
+              <step>
+                <para>
+                    Replace the old signing key with the new signing key.
+                    Move the new signing certificate above the old certificate
+                    in the <filename>signing_cert</filename> file.
+                </para>
+              </step>
+              <step>
+                <para>
+                    After the old certificate reads as expired, you can safely remove
+                    the old signing certificate from the file.
+                </para>
+              </step>
+            </procedure>
+    </section>
 </section>