
Can I authenticate using X.509 client certificates?

asked 2012-05-31 12:44:08 -0500

Hi there,

we have a use case where users have X.509 client certificates. The current draft of the Identity API v3 [1] states "The 'just a token' has been the starting requirement, and with PKI coming online, it provides a resource path for the tokens independent of linkages to anything else."

How would I set this up and can it be done with any version of Keystone that is available today? I am currently running stable/essex from a devstack installation. I do know how to set up WSGI services in an Apache2 [2], such that the real "authentication" (the user proving that he has the private data belonging to the certificate) leads to an X.509 DN which should be mapped to a Keystone user. Can this DN be considered the "token"? I guess for a direct mapping the tenant for one user would have to be fixed, but this seems to be a limitation of other already documented credential mechanisms as well. I think one could even add a header to the HTTP(S) request to pass in the Tenant in addition to the user credential.

Best regards, Björn

[1] ( [2] (


3 answers


answered 2012-06-05 06:59:33 -0500

Thanks a lot for the answer. I do have another one regarding XACML, but that will be another post.



answered 2012-05-31 12:58:24 -0500

I just now saw the pki blueprint at (

so it looks as though something is in the queue.


answered 2012-06-04 16:06:54 -0500

heckj

It is something in the queue - and isn't implemented today. The V3 API draft was published all of a week ago, and the PKI functionality in rough implementation is in process now (per the blueprint you cited).





Asked: 2012-05-31 12:44:08 -0500

Seen: 24 times

Last updated: Jun 05 '12