On 10/29/2015 08:42 AM, Clark, Robert Graham wrote:
> It sounds like what you probably need is a lightweight CA, without
> revocation, that gives you some basic constraints by which you can restrict
> certificate issuance to just your ansible tasks and that could potentially be
> thrown away when it's no longer required. Particularly something light enough
> that it could live on any deployment/installer node.
>
> This sounds like it _might_ be a good fit for Anchor[1], though possibly not
> if I've misunderstood your use-case.
>
> [1] https://wiki.openstack.org/wiki/Security#Anchor_-_Ephemeral_PKI
Thanks, Robert.

After talking a bit in the last OpenStack Security IRC meeting and doing a deep dive into Anchor, I'm not sure I'm looking for a CA that issues ephemeral certificates. For example, issuing ephemeral certificates for RabbitMQ or MySQL would involve frequent restarts of each service to apply new certificates on a regular basis (if I'm understanding Anchor correctly). I could see how this wouldn't be a big issue on a web/API front-end, like horizon, but it would definitely cause some disruptions for services that are slower to start, like RabbitMQ and MySQL.

I found a CA role[1] for Ansible on Galaxy, but it appears to be GPLv3 code. :/

Another suggestion was to use Let's Encrypt, but it's in a limited access period at the moment. It also supplies ephemeral certs, as Anchor does.

The dogtag service looks interesting, but it has quite a few dependencies that may be a bit heavy resource-wise within the average openstack-ansible environment.

I'm still on the hunt for a good solution, but I appreciate the input so far!

[1] https://github.com/debops/ansible-pki

--
Major Hayden