1. Generating Self-Signed Certificates

  • Enable SSL by running sudo a2enmod ssl
  • Enabling SSL requires the apache2 service to be restarted, so restart Apache with service apache2 restart
  • Create a directory for the self-signed certificate with sudo mkdir /etc/ssl
  • Generate the self-signed certificate with the command below

    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/client.key -out /etc/ssl/client.crt

    The above command generates the client.key and client.crt files.

  • Convert the generated files into PEM format with the following commands

    cat client.key > /etc/ssl/client-key.pem

    cat client.crt > /etc/ssl/client-cert.pem

  • Combine client-key.pem and client-cert.pem with cat client-key.pem client-cert.pem > client.pem
  • client-key.pem is the key file and client.pem is the certificate file for the self-signed certificate
     

2. Configuring SSL in /etc/apache2/sites-available/defaultssl.conf

3. Configuring Self-Signed Certificate for Keystone API Service endpoints

  • The keystone.conf file in /etc/apache2/sites-available/ is used to configure the self-signed certificate for this endpoint.
  • Add client.pem and client-key.pem in <VirtualHost *:5000> and <VirtualHost *:35357>

    Public endpoint: 5000

    Admin endpoint: 35357

  • The self-signed certificate configuration for the Keystone API service endpoints is now done.
  • After this, change the Keystone endpoint URL from http to https in the admin-openrc and demo-openrc files. Then change the endpoint URLs from http to https in the database, or recreate the endpoints with https URLs, and populate the Keystone database with su -s /bin/sh -c "keystone-manage db_sync" keystone and restart the apache2 service.
  • Check the service by running openstack token issue --insecure

Note: --insecure must be added to the commands to skip verification of the self-signed certificate.

4. Configuring Self-Signed Certificate for Glance API Service endpoints

  • Update /etc/glance/glance-api.conf 

    [DEFAULT]
    cert_file = /etc/ssl/client.pem
    key_file = /etc/ssl/client-key.pem

    [keystone_authtoken]
    auth_uri = https://controller:5000
    auth_url = https://controller:35357
    certfile = /etc/ssl/client.pem
    keyfile = /etc/ssl/client-key.pem
    insecure = true

  • Update /etc/glance/glance-registry.conf 

    [DEFAULT]
    cert_file = /etc/ssl/client.pem
    key_file = /etc/ssl/client-key.pem

    [keystone_authtoken]
    auth_uri = https://controller:5000
    auth_url = https://controller:35357
    certfile = /etc/ssl/client.pem
    keyfile = /etc/ssl/client-key.pem
    insecure = true

  • After this, change the endpoint URLs from http to https in the database, or recreate the endpoints with https URLs. Then populate the Keystone database with su -s /bin/sh -c "keystone-manage db_sync" keystone and restart the glance-api and glance-registry services.
  • Check this configuration by running openstack image list --insecure. After issuing this command, the Glance images will be listed.
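The settings above rely on insecure = true, which turns off verification of the server certificate. The Python check below is an added example, not part of the original post: it audits a config for that setting, for a missing cafile (the keystonemiddleware option naming the trusted CA file), and for a certificate file that also holds the private key, as client.pem does. The sample config and the audit_tls helper are constructed for illustration.

```python
import configparser

# Constructed sample: the TLS settings this post puts in glance-api.conf.
SAMPLE_CONF = """\
[DEFAULT]
cert_file = /etc/ssl/client.pem
key_file = /etc/ssl/client-key.pem

[keystone_authtoken]
auth_uri = https://controller:5000
auth_url = https://controller:35357
certfile = /etc/ssl/client.pem
keyfile = /etc/ssl/client-key.pem
insecure = true
"""

TRUE_VALUES = {"1", "true", "yes", "on"}
CERT_OPTS = {"cert_file", "certfile"}


def audit_tls(conf_text, pem_contents=None):
    """Return sorted (section, option, finding) tuples for TLS settings to review.

    pem_contents optionally maps a file path to its text so the audit can spot
    certificate files that also carry a private key.
    """
    pem_contents = pem_contents or {}
    # Rename the default section so [DEFAULT] is read as an ordinary section.
    cp = configparser.RawConfigParser(default_section="__unused__", strict=False)
    cp.read_string(conf_text)
    findings = set()
    for section in cp.sections():
        opts = dict(cp.items(section))
        for name, value in opts.items():
            value = value.strip()
            if name == "insecure" and value.lower() in TRUE_VALUES:
                findings.add((section, name, "server certificate is not verified"))
            if value.lower().startswith("http://"):
                findings.add((section, name, "plaintext HTTP endpoint"))
            if name in CERT_OPTS and "PRIVATE KEY-----" in pem_contents.get(value, ""):
                findings.add((section, name, "certificate file also contains the private key"))
        uses_https = any(v.strip().lower().startswith("https://") for v in opts.values())
        if section == "keystone_authtoken" and uses_https and "cafile" not in opts:
            findings.add((section, "cafile", "no CA file set to verify the self-signed certificate"))
    return sorted(findings)
```

A configuration with insecure = false and cafile pointing at the certificate (for example /etc/ssl/client-cert.pem) produces an empty result.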

We will cover configuring self-signed SSL for Nova (Compute Service) and Neutron (Networking Service) in the next post.


6 thoughts on “Adding Self-Signed Certificate for Keystone and Glance API Service endpoints”

  1. Fantastic beat! I would like to apprentice while you amend your web site, how could I subscribe for a blog web site? The account helped me a acceptable deal. I had been a little bit acquainted of this your broadcast offered bright clear concept

  2. I’m really loving the theme/design of your web site. Do you ever run into any browser compatibility issues? A small number of my blog visitors have complained about my website not operating correctly in Explorer but looks great in Safari. Do you have any ideas to help fix this problem?

  3. I’m truly enjoying the design and layout of your site. It’s very easy on the eyes, which makes it much more enjoyable for me to come here and visit more often. Did you hire out a developer to create your theme? Superb work!

  4. Have you ever thought about creating an ebook or guest authoring on other sites?
    I have a blog based upon on the same topics you discuss and would really like to have you share some
    stories/information. I know my subscribers would appreciate your work.

    If you are even remotely interested, feel free to send me an email.
