878ea354a4
Allow a CA certificate to be specified, and automatically add it to the default system CA bundle via a new "ssl-ca" DIB element. This is required for sites which use their own Certificate Authority. This DIB element is safe to include on all images, regardless of whether or not it is activated with a valid CA certificate.

Based on SSL PKI spec: I32473fe797a4c1e28d14c3b82c8892c7c59a4e55
Depends on t-h-t update for ssl.ca_certificate property via Heat: Ibacd7c98980520e11c0df89632013f2ba2dbe370
Change-Id: I3441b4b688aacb2bb8d8326ee72f87974dd554ff
os-apply-config/etc/ssl
os-refresh-config/configure.d
README.md
Install and trust a CA at the operating system level, making it available for use by OpenStack services and other network clients authenticating SSL-secured connections.
Configuration
    ssl:
      ca_certificate: certdata
The CA certificate will be written to /etc/ssl/from-heat-ca.crt and installed using update-ca-certificates (apt-based distros) or update-ca-trust (yum-based distros).
This may be used in conjunction with openstack-ssl to enable SSL-secure connections between OpenStack services, or independently to enable secure integration with external resources such as Keystone -> LDAP server or Cinder -> external backend.
If multiple CA certificates are to be trusted, they should be concatenated in PEM format within the single ca_certificate property defining the trust store.
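Because every certificate in ca_certificate becomes trusted system-wide, it helps to check the value before it goes into Heat. The following is an added example, not part of the ssl-ca element or its README: it splits a concatenated PEM value, rejects anything that is not a certificate, and reports SHA-256 fingerprints missing from an approved set. The function names are hypothetical and the sample bytes are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

# Matches one PEM block of any type; the label is checked separately.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def ca_fingerprints(ca_certificate):
    """Return the SHA-256 fingerprint of each certificate in the value.
    Raises ValueError on non-certificate blocks (e.g. a pasted private
    key), invalid base64, or data that is not a DER SEQUENCE."""
    blocks = PEM_BLOCK.findall(ca_certificate)
    if not blocks:
        raise ValueError("no PEM blocks found in ca_certificate")
    prints = []
    for label, body in blocks:
        if label != "CERTIFICATE":
            raise ValueError("unexpected PEM block: " + label)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:  # binascii.Error subclasses ValueError
            raise ValueError("invalid base64 in certificate block") from exc
        if not der.startswith(b"\x30"):  # X.509 DER begins with SEQUENCE
            raise ValueError("block does not contain DER data")
        prints.append(hashlib.sha256(der).hexdigest())
    return prints


def unexpected_cas(ca_certificate, approved):
    """Fingerprints present in the value but absent from the approved set."""
    return [fp for fp in ca_fingerprints(ca_certificate) if fp not in approved]


def to_pem(label, der):
    """Wrap bytes in PEM armour (used only to build the sample below)."""
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, b64, label)


# Constructed placeholder bytes, NOT real certificates: enough to show the flow.
SAMPLE_DER = [b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"]
SAMPLE_BUNDLE = "".join(to_pem("CERTIFICATE", d) for d in SAMPLE_DER)

if __name__ == "__main__":
    approved = {hashlib.sha256(SAMPLE_DER[0]).hexdigest()}
    print(unexpected_cas(SAMPLE_BUNDLE, approved))  # second CA is not approved
```

The approved set should come from fingerprints obtained out of band from whoever operates the CA, not from the same file being checked.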