On 29 October 2015 at 12:43, Major Hayden <ma...@mhtx.net> wrote: > On 10/29/2015 04:33 AM, McPeak, Travis wrote: > > The only potential security drawback is that we are introducing a new > > asset to protect. If we create the tools that enable a deployer to > > easily create and administer a lightweight CA, that should add > > significant value to OpenStack, especially for smaller organizations > > that don't have experience running a CA. > > This is certainly true. However, I'd like to solve for the use of > self-signed SSL certificates in openstack-ansible first. > > At the moment, each self-signed certificate for various services is > generated within each role. The goal would be to make a CA at the > beginning and then allow roles to utilize another role/task to issue > certificates from that CA. The CA would most likely be located on the > deployment host. > > Deployers who are very security conscious can provide keys, certificates, > and CA certificates in the deployment configuration and those will be used > instead of generating self-signed certificates. >
I would argue that self-signed certificates only provide an illusion of security and the tasks we have to generate and distribute them should be removed entirely. My thinking is that if a deployer wants to use self-signed certs, then the deployer can create them and provide their details as user-provided certs. That way we can do without a whole block of code and the dependency on memcache for distribution. This makes the decision to use the self-signed certs a more deliberate one and also takes care of the complexity of certificate distribution. That said, I applaud the idea of using a CA role. There are a few in Ansible Galaxy, but I've found their implementations to be rather complex whereas I think they can be pretty simple. I have actually done a fair amount of work on the CA setup part of things in my not-yet-complete ansible-openvas role [1]. You are welcome to use this work as a starting base and develop a role which sets up a CA. The trouble I found when looking into how to do this properly was that there should be several CA's (one offline primary and more than one secondary which actually does the signing). This will mean that the role will require quite a bit of guidance for using it correctly and setting up a single CA or multi-CA environment. Whether you develop a new role for the OpenStack-Ansible toolbox, or develop documentation for consuming an existing role in Ansible Galaxy, the concept is certainly welcome and would go a long way to simplifying a secure-by-default implementation of OpenStack. [1] https://github.com/odyssey4me/ansible-openvas/blob/master/tasks/install_openssl_ca.yml --- Jesse IRC: odyssey4me
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
