How do people go about installing additional keystone nodes when it comes to the PKI infrastructure. Do you run keystone-manage pki_setup on each node (also the additional nodes). Or is there some of the SSL infrastructure to re-use?
Running 'keystone-manage pki_setup' on each node seems to work. Is there a better way to do it? Is there any documentation?
You'll need to copy over the certificates and manually install them in the right location. Then edit the keystone.conf file in the additional nodes to point it to the right cert and key.
# Path of the certfile for token signing. (string value)
certfile=/etc/keystone/ssl/certs/signing_cert.pem
# Path of the keyfile for token signing. (string value)
keyfile=/etc/keystone/ssl/private/signing_key.pem
# Path of the CA for token signing. (string value)
ca_certs=/etc/keystone/ssl/certs/ca.pem
# Path of the CA Key for token signing. (string value)
ca_key=/etc/keystone/ssl/private/cakey.pem
# Key Size (in bits) for token signing cert (auto generated
# certificate). (integer value)
key_size=2048
Btw, pki_setup is just for evaluational purposes. In the real world, you'll use a proper TLS cert from a CA or after September 2015, https://letsencrypt.org
Asked: 2013-10-22 02:30:49 -0500
Seen: 275 times
Last updated: Apr 06 '15