Configure the Identity Service with SSL
You can configure the Identity Service to support two-way SSL.

You must obtain the x509 certificates externally and configure them.

The Identity Service provides a set of sample certificates in the examples/pki/certs and examples/pki/private directories:
Certificate types

cacert.pem: Certificate Authority chain to validate against.
ssl_cert.pem: Public certificate for the Identity Service server.
middleware.pem: Public and private certificate for the Identity Service middleware/client.
cakey.pem: Private key for the CA.
ssl_key.pem: Private key for the Identity Service server.
You can choose names for these certificates. You can also combine the public/private keys in the same file, if you wish. These certificates are provided as an example.
Client authentication with keystone-all
When running keystone-all, the server can be configured to enable SSL with client authentication using the following instructions. Modify the [eventlet_server_ssl] section in the etc/keystone.conf file. The following SSL configuration example uses the included sample certificates:

[eventlet_server_ssl]
enable = True
certfile = <path to keystone.pem>
keyfile = <path to keystonekey.pem>
ca_certs = <path to ca.pem>
cert_required = True
Options

enable: True enables SSL. Default is False.
certfile: Path to the Identity Service public certificate file.
keyfile: Path to the Identity Service private key file. If you include the private key in the certfile, you can omit the keyfile.
ca_certs: Path to the CA trust chain.
cert_required: Requires a client certificate. Default is False.
When running the Identity Service as a WSGI service in a web server such as Apache httpd, this configuration is done in the web server instead. In this case the options in the [eventlet_server_ssl] section are ignored.
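The script below is an added example, not Keystone code and not part of this guide. It reads the [eventlet_server_ssl] section with the option semantics described above (enable and cert_required default to False, keyfile may be omitted only when certfile also carries the private key, client authentication needs a ca_certs trust chain) and reports anything that would leave the service disabled, unable to start, or weaker than intended. The file paths and the in-memory PEM stand-ins are constructed for the example; they are not Keystone defaults.

```python
"""Sanity-check the [eventlet_server_ssl] section of keystone.conf.

Added example (not Keystone's own code). The option semantics it enforces
are the ones documented for keystone-all; paths and PEM contents below are
constructed so the script runs offline.
"""
import configparser
from typing import Callable, Dict, List, Optional

SECTION = "eventlet_server_ssl"

# Constructed PEM stand-ins: real files carry base64 DER between the markers.
_CERT = "-----BEGIN CERTIFICATE-----\n<base64 omitted>\n-----END CERTIFICATE-----\n"
_KEY = "-----BEGIN PRIVATE KEY-----\n<base64 omitted>\n-----END PRIVATE KEY-----\n"

# Constructed in-memory "filesystem" (assumed paths, not Keystone defaults).
SAMPLE_FILES: Dict[str, str] = {
    "/etc/keystone/ssl/certs/keystone.pem": _CERT,
    "/etc/keystone/ssl/private/keystonekey.pem": _KEY,
    "/etc/keystone/ssl/certs/ca.pem": _CERT,
    "/etc/keystone/ssl/certs/combined.pem": _CERT + _KEY,  # cert + key in one file
}


def read_sample(path: str) -> Optional[str]:
    """Stand-in for reading a file from disk; None means 'not readable'."""
    return SAMPLE_FILES.get(path)


def _has_cert(pem: str) -> bool:
    return "-----BEGIN CERTIFICATE-----" in pem


def _has_private_key(pem: str) -> bool:
    # PKCS#8 label plus the traditional RSA/EC labels.
    labels = ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY")
    return any(f"-----BEGIN {label}-----" in pem for label in labels)


def check_ssl_section(conf_text: str,
                      read_file: Callable[[str], Optional[str]] = read_sample) -> List[str]:
    """Return findings for the SSL section; an empty list means it is consistent."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    if not cp.has_section(SECTION):
        return [f"[{SECTION}] section missing: SSL stays disabled"]
    sec = cp[SECTION]
    findings: List[str] = []

    # enable defaults to False: nothing else in the section matters then.
    if not sec.getboolean("enable", fallback=False):
        return ["enable is False (the default): SSL is disabled and the other options are unused"]

    certfile = sec.get("certfile")
    cert_pem = read_file(certfile) if certfile else None
    if not certfile:
        findings.append("certfile not set: the server has no public certificate to present")
    elif cert_pem is None:
        findings.append(f"certfile {certfile} is not readable")
    elif not _has_cert(cert_pem):
        findings.append(f"certfile {certfile} contains no CERTIFICATE block")

    # keyfile may be omitted only if the private key lives in certfile.
    keyfile = sec.get("keyfile")
    if keyfile:
        key_pem = read_file(keyfile)
        if key_pem is None:
            findings.append(f"keyfile {keyfile} is not readable")
        elif not _has_private_key(key_pem):
            findings.append(f"keyfile {keyfile} contains no private key")
    elif cert_pem is None or not _has_private_key(cert_pem):
        findings.append("keyfile omitted but certfile does not carry the private key")

    # Client authentication needs a chain to validate client certificates.
    ca_certs = sec.get("ca_certs")
    cert_required = sec.getboolean("cert_required", fallback=False)
    if ca_certs and read_file(ca_certs) is None:
        findings.append(f"ca_certs {ca_certs} is not readable")
    if cert_required and not ca_certs:
        findings.append("cert_required is True but ca_certs is unset: no chain to validate client certificates against")
    if not cert_required:
        findings.append("cert_required is False (the default): clients are not authenticated by certificate, so this is one-way SSL only")
    return findings


TWO_WAY_CONF = """
[eventlet_server_ssl]
enable = True
certfile = /etc/keystone/ssl/certs/keystone.pem
keyfile = /etc/keystone/ssl/private/keystonekey.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
cert_required = True
"""

if __name__ == "__main__":
    for line in check_ssl_section(TWO_WAY_CONF) or ["no findings"]:
        print(line)
```

Run it against a real keystone.conf by reading the file into a string and passing a reader such as a function that opens the path and returns its text (or None on failure); the in-memory reader is only there so the example runs without any certificates on disk.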