On 06/25/2014 07:57 AM, Sam Morrison wrote:
> On 25 Jun 2014, at 9:05 am, Adam Young <[email protected]> wrote:
>
>> On 06/23/2014 07:37 PM, Sam Morrison wrote:
>>
>>> Hi Adam,
>>> Thanks for the advice, I’ve tested it out and it is possible to switch over
>>> pretty seamlessly.
>>> Here is what I did (spelt out in full for others reading):
>>> 1. Generate a new signing key
>>> 2. Generate a new certificate request
>>> 3. Sign this with the existing CA to generate a new signing_cert.
>>> 4. Append the new signing cert to the old signing cert. Make sure the old cert
>>> is first in the file.
>>> 5. Remove all signing certs from all your hosts to force nova etc. to download
>>> the new signing_cert(s)
>>> 6. Replace the signing key with the new signing key AND at the same time flip
>>> the signing_cert file so the new signing cert is now first in the file.
>>> After the old cert has expired you can safely remove the old signing cert from
>>> the file.
>>> It would be great if keystoneclient could have a max_age on the signing_cert so
>>> it would periodically download a fresh one. I would think downloading a
>>> new one every 7 days or so would suffice.
>>
>> Even better would be for it to look at the expiration date of the certificate
>> and look for a fresh download if we are close to expired. Tweakable params
>> would be how often to check, and how big a window to consider for a download.
>
> Yeah that would be great. I’m starting to think signing_cert should be split
> into two functions. The signing cert on the keystone server that is used by
> keystone to sign tokens.
> Then a signing trusts file, which is what all the openstack services download.
> Then you can add all the certs you’re using for signing. Would support having
> different signing keys if you’re using multiple keystone servers. Plus easier
> to support renewing keys.
> Of course this is all possible now except you just need to get your ordering
> right, as when keystone is signing it uses the first cert in the file.

Signing is done using the specified key, not the cert. Since we strip
the cert out of the signed document (token) there is no need to specify
which cert to use.

> Sam
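The rotation Sam lays out in steps 1 to 6 above, rehearsed end to end in a scratch directory with a throwaway CA. This is an added example, not code from the thread or from Keystone; the file names, the test CA, the CN labels and the validity periods are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: rehearse the signing-cert rotation Sam
# describes in a scratch directory with a throwaway CA (all names assumed).
set -eu
WORK=${WORK:-$(mktemp -d)}; cd "$WORK"

# Throwaway CA standing in for the existing Keystone CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj /CN=test-ca \
  -keyout ca_key.pem -out ca.pem >/dev/null 2>&1

# Steps 1-3: new signing key, CSR, and a certificate issued by the existing CA.
issue_signing_cert() {  # $1 = label, $2 = validity in days
  openssl req -newkey rsa:2048 -nodes -subj "/CN=keystone-$1" \
    -keyout "${1}_key.pem" -out "${1}.csr" >/dev/null 2>&1
  openssl x509 -req -in "${1}.csr" -CA ca.pem -CAkey ca_key.pem -CAcreateserial \
    -days "$2" -out "${1}_cert.pem" >/dev/null 2>&1
}

# Step 4: publish both certs, OLD FIRST, while tokens are still signed with the
# old key; hosts that refetch signing_cert (step 5) then trust both.
stage_rollover() {
  cat old_cert.pem new_cert.pem > signing_cert.pem
  cp old_key.pem signing_key.pem
}

# Step 6: switch to the new key and move the new cert to the front in one change.
cut_over() {
  cat new_cert.pem old_cert.pem > signing_cert.pem
  cp new_key.pem signing_key.pem
}

# CN of the first certificate in a bundle (openssl x509 reads only the first).
first_cn() { openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'; }

# Pre-restart check: the key you are about to sign with must belong to the
# first cert in the bundle you are about to publish.
key_matches_first() {  # $1 = key file, $2 = bundle
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

issue_signing_cert old 30    # the cert currently in production
issue_signing_cert new 365   # its replacement
stage_rollover
echo "staged:   first cert is $(first_cn signing_cert.pem)"
cut_over
echo "cut over: first cert is $(first_cn signing_cert.pem)"
key_matches_first signing_key.pem signing_cert.pem && echo "key and first cert agree"
```

Step 5 (deleting the cached signing_cert on every host so nova and friends refetch it) is an operational action on the hosts and is not modelled here. The final check is the one to run before each restart: if it fails, the key and the first cert in the file were not swapped together.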
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : [email protected]
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack