We are working on FreeIPA integration. It comes with Dogtag integrated.

http://www.freeipa.org/page/Main_Page

http://pki.fedoraproject.org/wiki/PKI_Main_Page
On 09/05/2013 04:05 AM, Somanchi Trinath-B39208 wrote:
Thanks a lot Jeff...

Will go through this..

--
Trinath Somanchi - B39208
trinath.soman...@freescale.com | extn: 4048


-----Original Message-----
From: Jeffrey Walton [mailto:noloa...@gmail.com]
Sent: Thursday, September 05, 2013 12:51 PM
To: Somanchi Trinath-B39208
Cc: openstack@lists.openstack.org
Subject: Re: [Openstack] Keystoner as Certificate Authority

On Thu, Sep 5, 2013 at 2:41 AM, Somanchi Trinath-B39208 <b39...@freescale.com> wrote:
Can you suggest any CA service work going on with OpenStack?
The Security Guide discusses it a bit,
http://www.openstack.org/blog/2013/07/openstack-security-guide-now-available/.

From page 73.0 / 300: "It is recommended that the OpenStack cloud architect rely on 
distinct sets of CAs -- one or more for the management network and internal service 
communications, and the trusted set of public CA providers for allowing external users to 
verify the identity of the public cloud endpoints. Configuring the internal service 
communications to only rely on an internal CA can help reduce the risk of accidental 
authentication of users with valid certificates issued by public CAs from being trusted 
by the internal services."

Don't let the "trusted set of public CA" fool you. Trust is a bit misleading 
here - it's more like the preloaded set of CAs and sub-CAs in your browsers [loosely] 
operating under the Internet profile (PKIX). Anything from Digicert, Verisign, etc. will do.

Also look at the case study on page 80.0 / 300, where a brief Case Study is 
performed for both a public cloud and private cloud.

There's a lot to running a PKI for the internal network. The Security Guide 
presupposes a PKI is available, and there's someone (or a team) actively 
managing it. In this case, Google is your friend:
https://www.google.com/#q=certification+authority+best+practice.

If you want a free SSL/TLS certificate trusted by many (most?) browsers for 
external users, then check out Eddy Nigg's StartCom.
(Most of the cost is in revocation, so that's where StartCom charges for its 
services. Brilliant!).

Jeff
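The trust-store separation the Security Guide passage quoted above recommends, as an added Go example (not code from this thread, from OpenStack or from FreeIPA/Dogtag): two root CAs are constructed in memory, a server certificate for the same internal service name is issued by each, and the public-CA certificate is then checked against an internal-only trust store and against a store that also holds the public root. The CA names, the hostname and the serial numbers are constructed placeholders; the check itself is the standard library's chain verification, which is what a TLS client does with a pinned CA bundle.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 = 1 // toy serial allocator; real CAs use large random serials

// newCA builds a self-signed root CA in memory. Neither CA here is real.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueServerCert has the given CA sign a TLS server certificate for dnsName.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(nextSerial),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyWith validates leaf for dnsName against a trust store holding only roots.
func verifyWith(leaf *x509.Certificate, dnsName string, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err
}

// Outcome records what each trust-store configuration accepts.
type Outcome struct {
	InternalCertTrustedByInternalStore bool // the expected good case
	PublicCertRejectedByInternalStore  bool // what a separate internal CA buys you
	PublicCertAcceptedByMergedStore    bool // the accidental trust the Guide warns about
}

// RunScenario issues a certificate for one internal service name from each CA
// and checks the public-CA one against an internal-only and a merged store.
func RunScenario() (Outcome, error) {
	const svcName = "keystone.mgmt.example.internal" // constructed hostname
	internalCA, internalKey, err := newCA("Example Internal Root CA")
	if err != nil {
		return Outcome{}, err
	}
	publicCA, publicKey, err := newCA("Example Public Root CA")
	if err != nil {
		return Outcome{}, err
	}
	internalLeaf, err := issueServerCert(internalCA, internalKey, svcName)
	if err != nil {
		return Outcome{}, err
	}
	// A perfectly valid certificate for the same name, but chaining to the public CA.
	publicLeaf, err := issueServerCert(publicCA, publicKey, svcName)
	if err != nil {
		return Outcome{}, err
	}
	var out Outcome
	out.InternalCertTrustedByInternalStore = verifyWith(internalLeaf, svcName, internalCA) == nil
	var unknown x509.UnknownAuthorityError
	out.PublicCertRejectedByInternalStore = errors.As(verifyWith(publicLeaf, svcName, internalCA), &unknown)
	out.PublicCertAcceptedByMergedStore = verifyWith(publicLeaf, svcName, internalCA, publicCA) == nil
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out) // all three fields should be true
}
```

The third result is the point: once the public root sits in the same bundle the internal services use, any certificate a public CA issues for an internal name is accepted, so keeping the internal CA alone in the management-network trust store is what makes the second check fail the way it should.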

-----Original Message-----
From: Jeffrey Walton [mailto:noloa...@gmail.com]
Sent: Thursday, September 05, 2013 10:37 AM
To: Somanchi Trinath-B39208
Cc: openstack@lists.openstack.org
Subject: Re: [Openstack] Keystoner as Certificate Authority

On Thu, Sep 5, 2013 at 12:40 AM, Somanchi Trinath-B39208 <b39...@freescale.com> wrote:
Can we use Keystone as a Certificate Authority? Kindly help me in
I can't answer if it can be used to issue certs, but I can tell you it should 
not be. That portion of the infrastructure needs to be segregated with a well 
defined security zone or boundary.

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

