Hi,

Tomasz is right. Let's try not to complicate things. For 6.0 we'll just allow uploading a key, CSR and certificate (like 3 edit boxes), or these edit boxes will be greyed out if the customer allows generating self-signed certificates.
--
Best regards,
Sergii Golovatiuk,
Skype #golserge
IRC #holser

On Wed, Sep 10, 2014 at 1:40 PM, Tomasz Napierala <tnapier...@mirantis.com> wrote:

> On 10 Sep 2014, at 12:54, Simon Pasquier <spasqu...@mirantis.com> wrote:
>
> > Hello,
> >
> > Let's back up a bit and list the different options for Fuel users:
> > 0/ The user is happy with plain HTTP.
> > => Already supported :)
> > 1/ The user wants HTTPS but doesn't want the burden associated with
> > certificate management.
> > => Fuel creates and manages the SSL certificates, be they self-signed or
> > signed by some internal CA.
> > => Using an internal CA instead of multiple self-signed certificates is
> > cleaner as you explained.
> > 2/ The user wants HTTPS and wants to use certificates which are
> > generated by an external source (either some internal corporate PKI or some
> > public certificate authority)
> > => Fuel supports certificate + key uploads
> > => It should be possible to tell Fuel which entity (Fuel, OSt
> > environment) uses which certificate
> > 3/ The user wants HTTPS and agrees to let Fuel generate certificates
> > on behalf of some corporate PKI.
> > => Fuel supports CA + key uploads
> >
> > I think that option 1 is the way to go for a first approach. Option 2 is
> > definitely something that end-users would need at some point. I'm less
> > convinced by option 3: if I were a PKI admin, I'll be reluctant to let Fuel
> > generate certificates on its own. Also my gut feeling tells me that
> > implementing 1 & 2 is already quite a lot of work.
> >
> > I've also added some questions/comments inline.
> >
> > Regarding
>
> After careful consideration, I think that for 6.0 we will only be able to
> implement [2] with limited functionality. In terms of certificate
> management, we could offer uploading a customer-generated cert (and maybe
> provide a short doc on how to spawn CA + sign certs) or if the user does not want
> to do it, generate a simple self-signed cert and install it on the Fuel http
> server and let the user download it.
>
> After 6.0 we can concentrate on proper implementation of CA management,
> and then allow the Fuel master node part to use it.
>
> [1] https://blueprints.launchpad.net/fuel/+spec/ca-deployment
> [2] https://blueprints.launchpad.net/fuel/+spec/fuel-ssl-endpoints
> [3] https://blueprints.launchpad.net/fuel/+spec/ssl-endpoints
> --
> Tomasz 'Zen' Napierala
> Sr. OpenStack Engineer
> tnapier...@mirantis.com
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
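The thread mentions a short doc on how to spawn a CA and sign certs, and a certificate + key upload. The sketch below is an added example, not part of the original messages and not Fuel code: it uses the `openssl` CLI to create an internal CA, sign a server certificate, and run the two checks an upload form would want (the key belongs to the certificate, and the certificate chains to the CA). The CN values, file names and validity periods are assumptions chosen for illustration.

```shell
#!/bin/sh
# Constructed example: CNs, file names and lifetimes are placeholders.

# Create a throwaway internal CA (key + self-signed CA certificate) in $1.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Internal CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Generate a key and CSR for CN $2, then sign the CSR with the CA in $1.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -days 90 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/$2.crt" 2>/dev/null
}

# Succeeds only if private key $1 and certificate $2 hold the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds only if certificate $2 chains to CA certificate $1.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
make_ca "$work"
issue_cert "$work" fuel.example.test
key_matches_cert "$work/fuel.example.test.key" "$work/fuel.example.test.crt" \
    && echo "key/cert pair: ok"
key_matches_cert "$work/ca.key" "$work/fuel.example.test.crt" \
    || echo "wrong key for this cert: rejected"
chain_ok "$work/ca.crt" "$work/fuel.example.test.crt" && echo "chain: ok"
```

With a single internal CA, clients import `ca.crt` once and every certificate it signs verifies, whereas each self-signed certificate has to be distributed and trusted individually.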