Revision history

cert_required is for 2 way ssl. Do you really want to use 2 way ssl? Also you are using signing certs for ssl setup. They are meant for PKI tokens. If you use keystone-manage to generate self signed certs for ssl, it will generate a different cert for ssl.

To answer your question, don't use cert_required as it is for 2 way ssl and I don't think any openstack service client supports it. I don't think keystone implements 2 way ssl feature correctly.

Following is just to give you an idea. Don't expect any of these features in OS services.

Normally the parameter will have 3 options.
cert_required = no        // Server doesn't expect client cert
cert_required = optional  // If the client sends cert, then the server will use it
cert_required = yes       // Cert is mandatory and the client has to send it

How can you use client cert in OS services? Now all openstack services such as nova/swift use service account to validate the token. Instead of service account, each service can be given a client cert and they can use client cert to validate the token.

cert_required is for 2 way ssl. Do you really want to use 2 way ssl? Also you are using signing certs for ssl setup? They are meant for PKI tokens. If you use keystone-manage to generate self signed certs for ssl, it will generate a different cert for ssl.

To answer your question, don't use cert_required as it is for 2 way ssl and I don't think any openstack service client supports it. I also don't think keystone implements 2 way ssl feature correctly.

Following is just to give you an idea. This is how normally client certs will be implemented. Don't expect any of these features in OS services.

Normally the parameter will have 3 options.
cert_required = no        // Server doesn't expect client cert
cert_required = optional  // If the client sends cert, then the server will use it
cert_required = yes       // Cert is mandatory and the client has to send it

How can you use client cert in OS services?
Now all openstack services such as nova/swift use service account to validate the token. Instead of service account, each service can be given a client cert and they can use client cert to validate the token.
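
The three illustrative settings above, mapped onto the client-certificate modes of Python's standard ssl module. This is an added example, not part of the original answer and not Keystone's code; the function names, the value strings and the ca_certs parameter are assumptions made for illustration.

```python
import ssl

# Hypothetical mapping of the answer's three illustrative values onto the
# verification modes of Python's standard ssl module.
MODES = {"no": ssl.CERT_NONE, "optional": ssl.CERT_OPTIONAL, "yes": ssl.CERT_REQUIRED}


def verify_mode_for(cert_required):
    """Translate a cert_required setting into an ssl.VerifyMode."""
    try:
        return MODES[cert_required.strip().lower()]
    except KeyError:
        raise ValueError("cert_required must be no, optional or yes") from None


def build_server_context(cert_required, certfile=None, keyfile=None, ca_certs=None):
    """Build a server-side SSLContext that enforces the chosen mode."""
    mode = verify_mode_for(cert_required)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # the server's own SSL cert and key
    if mode != ssl.CERT_NONE:
        # Client certs can only be checked against a CA the server trusts.
        if not ca_certs:
            raise ValueError("ca_certs is needed when client certs are requested")
        ctx.load_verify_locations(cafile=ca_certs)
    ctx.verify_mode = mode
    return ctx


def handshake_outcome(cert_required, client_sent_cert, cert_is_valid=False):
    """Model what the server does with the client's certificate."""
    mode = verify_mode_for(cert_required)
    if mode == ssl.CERT_NONE:
        return "accepted, no client cert requested"
    if not client_sent_cert:
        return "rejected" if mode == ssl.CERT_REQUIRED else "accepted, anonymous"
    # A cert that is sent is always verified, also in optional mode.
    return "accepted, authenticated" if cert_is_valid else "rejected"
```

In optional mode a client that sends no certificate still connects, so the service behind the listener has to treat that connection as unauthenticated.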