Ask Your Question
1

Is it possible to use certificate generated by pki_setup for ssl(https) ?

asked 2014-10-31 12:58:07 -0500

deeghuge gravatar image

Hello, I have generated certificate for signing using keystone-manage pki_setup. Is it possible to use same certificate for ssl ? When i tried to do it i got following error while listing the user.

keystone --os-cacert /etc/keystone/ssl/certs/ssl_cacert.pem --os-auth-url https://localhost:35357/v2.0 --os-username admin --os-password Passw0rd --os-tenant-name service user-list
Authorization Failed: SSL exception connecting to https://localhost:35357/v2.0/tokens

I was able to add the user,tenant, role using --insecure option in keystone client.

Am i missing something here ?

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted
2

answered 2014-11-01 23:59:22 -0500

updated 2014-11-02 00:01:38 -0500

Every cert has attributes called "Extended Key usage" and "Key usage" . This attribute is multi value attribute. If any of them has "Server authentication", then it can be used as "SSL Certificate". If it has "Digital Signature" value then it can be used for PKI.

PKI certs generated by keystone has both the values, so in theory it can be used as server cert.

The client will try to validate the cert. It does 3 types of validation. They are 1) expiry date, CN==Hostname and issuers trust. If any of them fails, then you can't establish SSL connection. But you can get around this by using --insecure option in most of the case.

Keystone generates SSL certs with CN=localhost and PKI cert with some other name. You are hitting the host "localhost" and the CN of the generated cert doesn't match if you use PKI certs as server certs. So SSL connection fails. As you have said, with --insecure options it will work.

Even if you use keystone generated SSL cert, it will work as long as your URL has localhost. If you use IP address or hostname, it won't work due to the same reason.

BTW keystone generated certs are self signed certs and you should not use them for production

edit flag offensive delete link more

Comments

Yes, as you pointed out PKI certificate with correct name works for ssl. One thing we noticed is that PKI works with any name in the certificate. Is it correct that there is no name validation done in PKI ?

deeghuge gravatar imagedeeghuge ( 2015-01-13 01:45:02 -0500 )edit

PKI is used for signing. Signing only relies on cert keys and not CN (name ) of the cert

Haneef Ali gravatar imageHaneef Ali ( 2015-01-13 11:20:59 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2014-10-31 12:58:07 -0500

Seen: 1,059 times

Last updated: Nov 02 '14