diff --git a/bin/create_certificates.sh b/bin/create_certificates.sh deleted file mode 100755 index 1f46bb0d59..0000000000 --- a/bin/create_certificates.sh +++ /dev/null @@ -1,103 +0,0 @@ -#!/bin/bash - -# NOTE: This script should not be used for creating certificates in a -# deployment. It is only used for some testing jobs. -# Please follow the Octavia Certificate Configuration Guide when setting -# up a deployment. See: -# https://docs.openstack.org/octavia/latest/admin/guides/certificates.html - -# USAGE: serial - - -echo "Create the CA's private and public keypair (2k long)" -openssl genrsa -passout pass:foobar -des3 -out private/cakey.pem 2048 - -echo "You will be asked to enter some information about the certificate." -openssl req -x509 -passin pass:foobar -new -nodes -key private/cakey.pem \ - -config $OPEN_SSL_CONF \ - -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \ - -days $VALIDITY_DAYS \ - -out ca_01.pem - - -echo "Here is the certificate" -openssl x509 -in ca_01.pem -text -noout - - -## Create Server/Client CSR -echo "Generate a server key and a CSR" -openssl req \ - -newkey rsa:2048 -nodes -keyout client.key \ - -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \ - -out client.csr - -echo "Sign request" -openssl ca -passin pass:foobar -config $OPEN_SSL_CONF -in client.csr \ - -days $VALIDITY_DAYS -out client-.pem -batch - -echo "Generate single pem client.pem" -cat client-.pem client.key > client.pem - -echo "Note: For production use the ca issuing the client certificate and the ca issuing the server" -echo "certificate need to be different so a hacker can't just use the server certificate from a" -echo "compromised amphora to control all the others." -echo "To use the certificates copy them to the directory specified in the octavia.conf" diff --git a/bin/create_dual_intermediate_CA.sh b/bin/create_dual_intermediate_CA.sh new file mode 100755 index 0000000000..254aa357d9 --- /dev/null +++ b/bin/create_dual_intermediate_CA.sh @@ -0,0 +1,161 @@ +#!/bin/bash + +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +echo "!!!!!!!!!!!!!!!Do not use this script for deployments!!!!!!!!!!!!!" +echo "Please use the Octavia Certificate Configuration guide:" +echo "https://docs.openstack.org/octavia/latest/admin/guides/certificates.html" +echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" + +# This script produces weak security PKI to save resources in the test gates. +# It should be modified to use stronger encryption (aes256), better pass +# phrases, and longer keys (4096). +# Please see the Octavia Certificate Configuration guide: +# https://docs.openstack.org/octavia/latest/admin/guides/certificates.html + +set -x -e + +CA_PATH=dual_ca + +mkdir $CA_PATH +chmod 700 $CA_PATH +cd $CA_PATH + +mkdir -p etc/octavia/certs +chmod 700 etc/octavia/certs + +###### Client Root CA +mkdir client_ca +cd client_ca +mkdir certs crl newcerts private +chmod 700 private +touch index.txt +echo 1000 > serial + +# Create the client CA private key +# Note: This uses short key lengths to save entropy in the test gates. +# This is not recommended for deployment use! +openssl genrsa -aes128 -out private/ca.key.pem -passout pass:not-secure-passphrase 1024 +chmod 400 private/ca.key.pem + +# Create the client CA root certificate +openssl req -config ../../openssl.cnf -key private/ca.key.pem -new -x509 -sha256 -extensions v3_ca -days 7300 -out certs/ca.cert.pem -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ClientRootCA" -passin pass:not-secure-passphrase + +###### Client Intermediate CA +mkdir intermediate_ca +mkdir intermediate_ca/certs intermediate_ca/crl intermediate_ca/newcerts intermediate_ca/private +chmod 700 intermediate_ca/private +touch intermediate_ca/index.txt +echo 1000 > intermediate_ca/serial + +# Create the client intermediate CA private key +# Note: This uses short key lengths to save entropy in the test gates. +# This is not recommended for deployment use! +openssl genrsa -aes128 -out intermediate_ca/private/intermediate.ca.key.pem -passout pass:not-secure-passphrase 1024 +chmod 400 intermediate_ca/private/intermediate.ca.key.pem + +# Create the client intermediate CA certificate signing request +openssl req -config ../../openssl.cnf -key intermediate_ca/private/intermediate.ca.key.pem -new -sha256 -out intermediate_ca/client_intermediate.csr -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ClientIntermediateCA" -passin pass:not-secure-passphrase + +# Create the client intermediate CA certificate +openssl ca -config ../../openssl.cnf -name CA_intermediate -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate_ca/client_intermediate.csr -out intermediate_ca/certs/intermediate.cert.pem -passin pass:not-secure-passphrase -batch + +# Create the client CA certificate chain +cat intermediate_ca/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate_ca/ca-chain.cert.pem + +###### Create the client key and certificate +# Note: This uses short key lengths to save entropy in the test gates. +# This is not recommended for deployment use! +openssl genrsa -aes128 -out intermediate_ca/private/controller.key.pem -passout pass:not-secure-passphrase 1024 +chmod 400 intermediate_ca/private/controller.key.pem + +# Create the client controller certificate signing request +openssl req -config ../../openssl.cnf -key intermediate_ca/private/controller.key.pem -new -sha256 -out intermediate_ca/controller.csr -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=OctaviaController" -passin pass:not-secure-passphrase + +# Create the client controller certificate +openssl ca -config ../../openssl.cnf -name CA_intermediate -extensions usr_cert -days 1825 -notext -md sha256 -in intermediate_ca/controller.csr -out intermediate_ca/certs/controller.cert.pem -passin pass:not-secure-passphrase -batch + +# Build the cancatenated client cert and key +openssl rsa -in intermediate_ca/private/controller.key.pem -out intermediate_ca/private/client.cert-and-key.pem -passin pass:not-secure-passphrase + +cat intermediate_ca/certs/controller.cert.pem >> intermediate_ca/private/client.cert-and-key.pem + +# We are done with the client CA +cd .. + +###### Stash the octavia default client CA cert files +cp client_ca/intermediate_ca/ca-chain.cert.pem etc/octavia/certs/client_ca.cert.pem +chmod 444 etc/octavia/certs/client_ca.cert.pem +cp client_ca/intermediate_ca/private/client.cert-and-key.pem etc/octavia/certs/client.cert-and-key.pem +chmod 600 etc/octavia/certs/client.cert-and-key.pem + +###### Server Root CA +mkdir server_ca +cd server_ca +mkdir certs crl newcerts private +chmod 700 private +touch index.txt +echo 1000 > serial + +# Create the server CA private key +# Note: This uses short key lengths to save entropy in the test gates. +# This is not recommended for deployment use! +openssl genrsa -aes128 -out private/ca.key.pem -passout pass:not-secure-passphrase 1024 +chmod 400 private/ca.key.pem + +# Create the server CA root certificate +openssl req -config ../../openssl.cnf -key private/ca.key.pem -new -x509 -sha256 -extensions v3_ca -days 7300 -out certs/ca.cert.pem -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ServerRootCA" -passin pass:not-secure-passphrase + +###### Server Intermediate CA +mkdir intermediate_ca +mkdir intermediate_ca/certs intermediate_ca/crl intermediate_ca/newcerts intermediate_ca/private +chmod 700 intermediate_ca/private +touch intermediate_ca/index.txt +echo 1000 > intermediate_ca/serial + +# Create the server intermediate CA private key +# Note: This uses short key lengths to save entropy in the test gates. +# This is not recommended for deployment use! +openssl genrsa -aes128 -out intermediate_ca/private/intermediate.ca.key.pem -passout pass:not-secure-passphrase 1024 +chmod 400 intermediate_ca/private/intermediate.ca.key.pem + +# Create the server intermediate CA certificate signing request +openssl req -config ../../openssl.cnf -key intermediate_ca/private/intermediate.ca.key.pem -new -sha256 -out intermediate_ca/server_intermediate.csr -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ServerIntermediateCA" -passin pass:not-secure-passphrase + +# Create the server intermediate CA certificate +openssl ca -config ../../openssl.cnf -name CA_intermediate -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate_ca/server_intermediate.csr -out intermediate_ca/certs/intermediate.cert.pem -passin pass:not-secure-passphrase -batch + +# Create the server CA certificate chain +cat intermediate_ca/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate_ca/ca-chain.cert.pem + +# We are done with the server CA +cd .. + +###### Stash the octavia default server CA cert files +cp server_ca/intermediate_ca/ca-chain.cert.pem etc/octavia/certs/server_ca-chain.cert.pem +chmod 444 etc/octavia/certs/server_ca-chain.cert.pem +cp server_ca/intermediate_ca/certs/intermediate.cert.pem etc/octavia/certs/server_ca.cert.pem +chmod 400 etc/octavia/certs/server_ca.cert.pem +cp server_ca/intermediate_ca/private/intermediate.ca.key.pem etc/octavia/certs/server_ca.key.pem +chmod 400 etc/octavia/certs/server_ca.key.pem + +##### Validate the Octavia PKI files +set +x +echo "################# Verifying the Octavia files ###########################" +openssl verify -CAfile etc/octavia/certs/client_ca.cert.pem etc/octavia/certs/client.cert-and-key.pem +openssl verify -CAfile etc/octavia/certs/server_ca-chain.cert.pem etc/octavia/certs/server_ca.cert.pem + +echo "!!!!!!!!!!!!!!!Do not use this script for deployments!!!!!!!!!!!!!" +echo "Please use the Octavia Certificate Configuration guide:" +echo "https://docs.openstack.org/octavia/latest/admin/guides/certificates.html" +echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" diff --git a/bin/create_single_CA_intermediate_CA.sh b/bin/create_single_CA_intermediate_CA.sh new file mode 100755 index 0000000000..2c6d19b572 --- /dev/null +++ b/bin/create_single_CA_intermediate_CA.sh @@ -0,0 +1,116 @@ +#!/bin/bash +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +echo "!!!!!!!!!!!!!!!Do not use this script for deployments!!!!!!!!!!!!!" +echo "Single CA mode is insecure, do not use this! It is for testing only." +echo "Please use the Octavia Certificate Configuration guide:" +echo "https://docs.openstack.org/octavia/latest/admin/guides/certificates.html" +echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" + +# This script produces weak security PKI to save resources in the test gates. +# A single CA should never be used in a production deployment. This script +# exists purely to test legacy migrations / deployments where someone +# acidently used a single CA. + +set -x -e + +CA_PATH=single_ca + +mkdir $CA_PATH +chmod 700 $CA_PATH +cd $CA_PATH + +mkdir -p etc/octavia/certs +chmod 700 etc/octavia/certs + +###### Client Root CA +mkdir client_ca +cd client_ca +mkdir certs crl newcerts private +chmod 700 private +touch index.txt +echo 1000 > serial + +# Create the client CA private key +# Note: This uses short key lengths to save entropy in the test gates. +# This is not recommended for deployment use! +openssl genrsa -aes128 -out private/ca.key.pem -passout pass:not-secure-passphrase 1024 +chmod 400 private/ca.key.pem + +# Create the client CA root certificate +openssl req -config ../../openssl.cnf -key private/ca.key.pem -new -x509 -sha256 -extensions v3_ca -days 7300 -out certs/ca.cert.pem -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ClientRootCA" -passin pass:not-secure-passphrase + +###### Client Intermediate CA +mkdir intermediate_ca +mkdir intermediate_ca/certs intermediate_ca/crl intermediate_ca/newcerts intermediate_ca/private +chmod 700 intermediate_ca/private +touch intermediate_ca/index.txt +echo 1000 > intermediate_ca/serial + +# Create the client intermediate CA private key +# Note: This uses short key lengths to save entropy in the test gates. +# This is not recommended for deployment use! +openssl genrsa -aes128 -out intermediate_ca/private/intermediate.ca.key.pem -passout pass:not-secure-passphrase 1024 +chmod 400 intermediate_ca/private/intermediate.ca.key.pem + +# Create the client intermediate CA certificate signing request +openssl req -config ../../openssl.cnf -key intermediate_ca/private/intermediate.ca.key.pem -new -sha256 -out intermediate_ca/client_intermediate.csr -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ClientIntermediateCA" -passin pass:not-secure-passphrase + +# Create the client intermediate CA certificate +openssl ca -config ../../openssl.cnf -name CA_intermediate -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate_ca/client_intermediate.csr -out intermediate_ca/certs/intermediate.cert.pem -passin pass:not-secure-passphrase -batch + +# Create the client CA certificate chain +cat intermediate_ca/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate_ca/ca-chain.cert.pem + +###### Create the client key and certificate +# Note: This uses short key lengths to save entropy in the test gates. +# This is not recommended for deployment use! +openssl genrsa -aes128 -out intermediate_ca/private/controller.key.pem -passout pass:not-secure-passphrase 1024 +chmod 400 intermediate_ca/private/controller.key.pem + +# Create the client controller certificate signing request +openssl req -config ../../openssl.cnf -key intermediate_ca/private/controller.key.pem -new -sha256 -out intermediate_ca/controller.csr -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=OctaviaController" -passin pass:not-secure-passphrase + +# Create the controller client certificate +openssl ca -config ../../openssl.cnf -name CA_intermediate -extensions usr_cert -days 1825 -notext -md sha256 -in intermediate_ca/controller.csr -out intermediate_ca/certs/controller.cert.pem -passin pass:not-secure-passphrase -batch + +# Build the cancatenated client cert and key +openssl rsa -in intermediate_ca/private/controller.key.pem -out intermediate_ca/private/client.cert-and-key.pem -passin pass:not-secure-passphrase + +cat intermediate_ca/certs/controller.cert.pem >> intermediate_ca/private/client.cert-and-key.pem + +# We are done with the client CA +cd .. + +###### Stash the octavia default cert files +cp client_ca/intermediate_ca/ca-chain.cert.pem etc/octavia/certs/client_ca.cert.pem +chmod 444 etc/octavia/certs/client_ca.cert.pem +cp client_ca/intermediate_ca/private/client.cert-and-key.pem etc/octavia/certs/client.cert-and-key.pem +chmod 600 etc/octavia/certs/client.cert-and-key.pem +cp client_ca/intermediate_ca/ca-chain.cert.pem etc/octavia/certs/server_ca.cert.pem +chmod 444 etc/octavia/certs/server_ca.cert.pem +cp client_ca/intermediate_ca/private/intermediate.ca.key.pem etc/octavia/certs/server_ca.key.pem +chmod 600 etc/octavia/certs/server_ca.key.pem + +##### Validate the Octavia PKI files +set +x +echo "################# Verifying the Octavia files ###########################" +openssl verify -CAfile etc/octavia/certs/client_ca.cert.pem etc/octavia/certs/client.cert-and-key.pem +openssl verify -CAfile etc/octavia/certs/server_ca.cert.pem etc/octavia/certs/server_ca.cert.pem + +echo "!!!!!!!!!!!!!!!Do not use this script for deployments!!!!!!!!!!!!!" +echo "Single CA mode is insecure, do not use this! It is for testing only." +echo "Please use the Octavia Certificate Configuration guide:" +echo "https://docs.openstack.org/octavia/latest/admin/guides/certificates.html" +echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" diff --git a/bin/openssl.cnf b/bin/openssl.cnf new file mode 100644 index 0000000000..fe4cdb4334 --- /dev/null +++ b/bin/openssl.cnf @@ -0,0 +1,144 @@ +# OpenSSL root CA configuration file. + +[ ca ] +# `man ca` +default_ca = CA_default + +[ CA_default ] +# Directory and file locations. +dir = ./ +certs = $dir/certs +crl_dir = $dir/crl +new_certs_dir = $dir/newcerts +database = $dir/index.txt +serial = $dir/serial +RANDFILE = $dir/private/.rand + +# The root key and root certificate. +private_key = $dir/private/ca.key.pem +certificate = $dir/certs/ca.cert.pem + +# For certificate revocation lists. +crlnumber = $dir/crlnumber +crl = $dir/crl/ca.crl.pem +crl_extensions = crl_ext +default_crl_days = 30 + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +name_opt = ca_default +cert_opt = ca_default +# 10 years +default_days = 7300 +preserve = no +policy = policy_strict + +[ CA_intermediate ] +# Directory and file locations. +dir = ./intermediate_ca +certs = $dir/certs +crl_dir = $dir/crl +new_certs_dir = $dir/newcerts +database = $dir/index.txt +serial = $dir/serial +RANDFILE = $dir/private/.rand + +# The root key and root certificate. +private_key = ./private/ca.key.pem +certificate = ./certs/ca.cert.pem + +# For certificate revocation lists. +crlnumber = $dir/crlnumber +crl = $dir/crl/ca.crl.pem +crl_extensions = crl_ext +default_crl_days = 30 + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +name_opt = ca_default +cert_opt = ca_default +# 5 years +default_days = 3650 +preserve = no +policy = policy_strict + +[ policy_strict ] +# The root CA should only sign intermediate certificates that match. +# See the POLICY FORMAT section of `man ca`. +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ req ] +# Options for the `req` tool (`man req`). +default_bits = 2048 +distinguished_name = req_distinguished_name +string_mask = utf8only + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +# Extension to add when the -x509 option is used. +x509_extensions = v3_ca + +[ req_distinguished_name ] +# See . +countryName = Country Name (2 letter code) +stateOrProvinceName = State or Province Name +localityName = Locality Name +0.organizationName = Organization Name +organizationalUnitName = Organizational Unit Name +commonName = Common Name +emailAddress = Email Address + +# Optionally, specify some defaults. +countryName_default = US +stateOrProvinceName_default = Oregon +localityName_default = Corvallis +0.organizationName_default = OpenStack +organizationalUnitName_default = Octavia +emailAddress_default = +commonName_default = example.org + +[ v3_ca ] +# Extensions for a typical CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ v3_intermediate_ca ] +# Extensions for a typical intermediate CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true, pathlen:0 +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ usr_cert ] +# Extensions for client certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = client, email +nsComment = "OpenSSL Generated Client Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, emailProtection + +[ server_cert ] +# Extensions for server certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = server +nsComment = "OpenSSL Generated Server Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth + +[ crl_ext ] +# Extension for CRLs (`man x509v3_config`). +authorityKeyIdentifier=keyid:always diff --git a/devstack/plugin.sh b/devstack/plugin.sh index 2f0de6fe2b..9021bb692f 100644 --- a/devstack/plugin.sh +++ b/devstack/plugin.sh @@ -336,14 +336,26 @@ function octavia_configure { if [[ "$(trueorfalse False OCTAVIA_USE_PREGENERATED_CERTS)" == "True" ]]; then cp -rfp ${OCTAVIA_PREGENERATED_CERTS_DIR} ${OCTAVIA_CERTS_DIR} else - source $OCTAVIA_DIR/bin/create_certificates.sh $OCTAVIA_CERTS_DIR $OCTAVIA_DIR/etc/certificates/openssl.cnf + pushd $OCTAVIA_DIR/bin + source create_dual_intermediate_CA.sh + mkdir -p ${OCTAVIA_CERTS_DIR}/private + chmod 700 ${OCTAVIA_CERTS_DIR}/private + cp -p etc/octavia/certs/server_ca.cert.pem ${OCTAVIA_CERTS_DIR}/ + cp -p etc/octavia/certs/server_ca-chain.cert.pem ${OCTAVIA_CERTS_DIR}/ + cp -p etc/octavia/certs/server_ca.key.pem ${OCTAVIA_CERTS_DIR}/private/ + cp -p etc/octavia/certs/client_ca.cert.pem ${OCTAVIA_CERTS_DIR}/ + cp -p etc/octavia/certs/client.cert-and-key.pem ${OCTAVIA_CERTS_DIR}/private/ + popd fi - iniset $OCTAVIA_CONF haproxy_amphora client_cert ${OCTAVIA_CERTS_DIR}/client.pem - iniset $OCTAVIA_CONF haproxy_amphora server_ca ${OCTAVIA_CERTS_DIR}/ca_01.pem - iniset $OCTAVIA_CONF certificates ca_certificate ${OCTAVIA_CERTS_DIR}/ca_01.pem - iniset $OCTAVIA_CONF certificates ca_private_key ${OCTAVIA_CERTS_DIR}/private/cakey.pem - iniset $OCTAVIA_CONF certificates ca_private_key_passphrase foobar + iniset $OCTAVIA_CONF certificates ca_certificate ${OCTAVIA_CERTS_DIR}/server_ca.cert.pem + iniset $OCTAVIA_CONF certificates ca_private_key ${OCTAVIA_CERTS_DIR}/private/server_ca.key.pem + iniset $OCTAVIA_CONF certificates ca_private_key_passphrase not-secure-passphrase + iniset $OCTAVIA_CONF controller_worker client_ca ${OCTAVIA_CERTS_DIR}/client_ca.cert.pem + iniset $OCTAVIA_CONF haproxy_amphora client_cert ${OCTAVIA_CERTS_DIR}/private/client.cert-and-key.pem + iniset $OCTAVIA_CONF haproxy_amphora server_ca ${OCTAVIA_CERTS_DIR}/server_ca-chain.cert.pem + + # Controller side symmetric encryption, not used for PKI iniset $OCTAVIA_CONF certificates server_certs_key_passphrase insecure-key-do-not-use-this-key if [[ "$OCTAVIA_USE_LEGACY_RBAC" == "True" ]]; then diff --git a/devstack/pregenerated/certs/client.key b/devstack/pregenerated/certs/client.key deleted file mode 100644 index b0649b6a0c..0000000000 --- a/devstack/pregenerated/certs/client.key +++ /dev/null @@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDTVy+pO8vjce/b -QvCvyFiVOWWTSNfAcdtrEZU8kgH61jLtg1Omtz/x9LplQvC2U2lIlAiuLPWAUyTg -mDEhdOP178h3doCJAlKfnWnwseWDVW/s3arnkgnRoRfkzEJpE4JCPHHi1OgiX7F0 -ySwxCnBcQvd30eF2g4/xogYgVePq+mVcg4l+MiCLRSpRCzTx9XcVe/zwbeQ0fVSO -ivMKpvF/1mUrs++CFzGX9HFfZ9eAEdVDgi8PTjlJRQyojhopek6/lMivQi+fu+lD -GPOmmujIrevfLJT+K6dgJ/y4GjwubvNgUecMU3DeiLZtbGohFwoX0+WU/BN5M49t -54m3Zn4pAgMBAAECggEAZu5MwUDlYaZJauHkdci/FBa7WQueQRVzB2et5q06F6Ah -d7qBkG4pz78g1VbQBA0F9xpaS/KLs29LQ7P8Ic5bhJm/aiemHJSsBx9UzKzoGpoP -BC9GILjo3Vd3WrD9G04sH/Ruh0qosK0osbeVNWFfLiBThOEMzXrwLYB7OV57viJI -4YAXGOzOgK3aMHF8cYRRgTDIi2dGAMH1EyIIB8gKYlp1PdMmaTOk2LBhechuImRX -4LgvM1fUdJ7utyQKEXMJEg+wzV9BMlX6nvM3vVWdYZy2Hsu9DDyJUFYQk9cDpXNP -RF4jjLUtz6gEZOlotOQgPWqLANJrt/BdVfyeA97psQKBgQD7SeNlQd2bu8GfH0vB -mjzSWmJ3nDnpeaUR9MIYVQ6zNlvYPjM2BMVQtE5+VWK15YOjD5L9SoresNKubrSv -wzNFeqf6Dvq7zJ+6Rkst7GcRV/P3D4C3ZeKeDNjVm4eMRCa5ttIJlLmfqffeLO9M -RSanNjnjwWENgsXCCvlVBfc9ZQKBgQDXTY8X9ug9xVlqBR4TMfzXBadzP+nDqYd9 -MkH3tEltLba0vP4vKyjQa8A9FMzSRr9bv13mNpAbFEDGnhzv1l5OlHTM6tG//Rxq -nnhmFLFWZl8WowP0LiPTafrDjGEX/7iDAJjAtSacBBm6EGaM8igWEQT0WXwsQbTw -rlRolJ5DdQKBgQDgMBJ80x+IAiGC+iPXLOjYbqTsu2d7YfigJXJIzRHZV0Tnjs6X -gfgbwVFKKplvWL1xa8Ki0a9FcBH2Z3QyXv9OHFjiohyWEb/rKy2FYiSt938Dy0P1 -2yMsCKAnKqPqwx6dj3qh65sT1Er8X7B6pjMO+TT6ehtBN4uBS9MYRMNIdQKBgQDU -6UztTOzDUSqn7mGcZ916IYxDK1wXcsmapB2aQD4wanl4aEEREiQtX7DednhKJU5N -A4RvCVweezvHbkp9Xscp/CM5FanQqxPz17yGbkYkg93au+BIE2y4P+CMioDlw6uK -WQe14i5JMMDkQB25mirMD46PuQJTnbK6JBsyxG1xlQKBgGtcSY0AyVq00p0kkxNm -KhzI+17T0j0CuczJ/X+NvCUjLsx3NTJatRkJNYHWG7jUqs1vvtZbHVspQeteMlEi -rNE/xz98iG2eC8AdW+TmZvySmIZgoAoPuopUvBzRiyfLQVh4pPuikbTDghEn+CSG -WSyOd/I4JsH4xQFJC89nnm5M ------END PRIVATE KEY----- diff --git a/devstack/pregenerated/certs/ca_01.pem b/devstack/pregenerated/certs/client_ca.cert.pem similarity index 100% rename from devstack/pregenerated/certs/ca_01.pem rename to devstack/pregenerated/certs/client_ca.cert.pem diff --git a/devstack/pregenerated/certs/private/cakey.pem b/devstack/pregenerated/certs/private/cakey.pem deleted file mode 100644 index 882df95b14..0000000000 --- a/devstack/pregenerated/certs/private/cakey.pem +++ /dev/null @@ -1,30 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: DES-EDE3-CBC,F5D5CAF138266C5C - -X7mebmQYgOOgOLi5ec7+kxrDzP5PqD4A2b4dph1qEoVEcwKEcVicrPdDtLeHReO4 -W5WpyJxqUIIHZZWmvCy08tX151/BJYzmDbF5gGf0c2Q7V0Mnfvkn4G01apIxXMXB -kD4NIL3UB+4D2xmWv7s+PK+T4uNsO9gotUoABc5s4sNDsl7Jbgozo14T8oZkGVot -GrS1PpTes4GiIwmmlBzrtO+0Y0Yv5tzJrdkz047nXur+1n4YNj87Ui6R3O/crFmI -cf+L8NefqihmW2qR1deTSozg1oMv3RaZdMsxNDYLcF+4o+18buAHCr//NU71eVIZ -/P4XrIQQAyLi8u5W/5dFH9FEnNtBz0AJlBpLpKb7O3ZdQ18/UATbdaRrb4cqocEH -PTEEUTWRf1/5DhT+AXryI3Op0yxEZlVQu/IbEAgiV3wvx5Cof75Hm0m0rtFdnNBc -L2IA+3+75HGRt/zljh7ByGcui0dQA7i6thDc+qxz4WpcUx10Y9Dn2V5DueWunez+ -kjwRsahervPoaRRL+MuP43B1w4HPDCPOuTDO35TXivSFHz/mFGJ5GOy+iMPddFMa -RYWlDGkruz4poQ1zXQ2d4Q6wXSFiihU78a/0af8IhjofqAxUA91bC6oBF6OYGXZT -9cKfK1TUPVQITH2VLcJLxRf+Q4Zgc7gYJqEnh8dJ0lpMAgSkgyQDE0p0ttakj0Xv -ombZq+7SDSUYnItcPARLe2FWhsihZfu7W6f9fWQcXAv7dYG/opB5yquXaE+96eCO -1eGc0VttBauW+r87fAJtfm3XgwfrrGwDglcmo5JmaBWRSkxdLn6xPP1pAfGj2jQQ -EhWhIcbFgnGPhPSWpYMpeE8RdgO0R7Hno10scF5j/t3JPE5pfBOAGmyBsOdWW4TT -UfICuZ6UznNYtaWcXSrUNXETMFjrDaHoXZ50bG1FMZKA1YCz6QnoE4w42nBTVLj9 -90K+h3mVLqD/5qA8UYZYUuKn+e7w3xY4dRLAXExfB/33kb3A3jjjHYqVTpFXV6Of -0EAa/BDeGpkWElTmIgjN7VN+1rUDXgLMJ62M/fEkICTM1tSYLKFUdntGQ3YfzYX6 -LHB5BWsrlPFc2a8OXUCu5tvtm387W8X80eMb97e0A501q5P2Wxv/XcuPgVlx5JQP -37nqFDEtqGJoOE1LC5xZVzisNk7QVh6r0N3tGVeyE/bE0nvOYr/Zw8SVmwqNr8/I -jQspeH48uAudQ/lZ8aFUFpj7bm2Ie8ka2QqZAhPMDHy2Y8zf0obNB/RTG/SHSdMc -j2jdL1cUPcPOG+c2yLsgap+lpFpHZgeiTFY9775F3ODrADOiS2k5XkQCTz/n/Z3z -QOhz2T1RM8aa+xjk33YFJyVfYKQGEXfQwJ/RSJjMglDsJSE+py1ZPj4TzYnXfcjr -f26ReNcqL1/0sTSMf14OIKYEBNN8L4zQHX8BWY8EhPc8qBxspJQzH8imbNYb0x/M -+X0kZJbsEpO5JRD70KOoOM8vmStAglWTbbt9JLDjL98Ks54+Si9fgGql8njyo96V -vwNihqd8kqEk9STXKwJZzmkXvcs8WDuFUuLDtQYjk6GMT17e10TgmA== ------END RSA PRIVATE KEY----- diff --git a/devstack/pregenerated/certs/client.pem b/devstack/pregenerated/certs/private/client.cert-and-key.pem similarity index 100% rename from devstack/pregenerated/certs/client.pem rename to devstack/pregenerated/certs/private/client.cert-and-key.pem diff --git a/devstack/pregenerated/certs/private/server_ca.key.pem b/devstack/pregenerated/certs/private/server_ca.key.pem new file mode 100644 index 0000000000..757c97881f --- /dev/null +++ b/devstack/pregenerated/certs/private/server_ca.key.pem @@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,B6C2D5A9657E9635BE06551CAD6EF969 + +N90cGt5rEntmiPvIAQwbO9W02blpDRZLJYMJeqttqxttnq6+InYQL3M4nJmR8XVz +/bCjWhMQlh5kEKzBtjhu5xFXqYhF3q9UcA6/13VY4gicrSHwwpoVLP0X2IXFp6ub +t4haSggaH6F2ZxF9DJCVG6+GyqOpuTPlGD4QiEf40NTo7x2H+JCEveLsIaSUljTV +W/XZDk1RSo8hMpr+huqCQOZxfhEuM76gSK8wPW3nCzVoBMCk/1RpMcXq8A7FT9gd +0V+2jwucDPOEVrTLmYjh/Aln6ATdte2l/b9XKPnAoVW6psYw83pu2hXtjgfCI+ey +IbRvzJ9djPvx0qhEu/EQIcKLFfNt/+OExm7rce8+O6NcB1x+bFbvCLamPYQxtcjE +xjqOWD0QT+VtIdqnG631jctN2mocmhVWfmp6le1RlkwfKSsbS1lb6Lcj/TasTlai +5c6hfYB83drlJUw0374PuWn8Tb62HGaROK8JEG07CcgNT1l8KXHrCpLzwEQvRtP+ +Bze+mlbjScm21ny280huQz5hiNdDrH9q/YzVHcHEVICAnimEsZeaQCyEt0Um9h56 +gvTZ6Udh/SeetBsL77hQ3EwDYs2nNdacaOIu5tASrfdMXWdSiLiNR8zK7y7x4a0b +GrgrerYJPWdb2axy4rrhzzlPRTHCJL1gA/E3CYC5mObk07tCMoQt7Ak3dofto9jG +1CSRLGqbP31k7tXBOLCwNAYekQkDWRQV4u0vf2aWJdLjxLwiX7424E6p/cvaUi5B +Sv+Iit3Zuee7Tq6DK0rv+5oWZmyfC/rzHcqmAMUhnjfBBlcI1N22BrBEBpfX6zq1 +DnIwiS9ayJMzaExSS+tBuqoHuoLMo2Fn++NpYxIUrwtQBvAD1Qxqx6QacTGFK025 +UpyV/ML+FdENujwU6KYYdciHX3E7nU4UYC/qwT7u9B/k3OiTS37GSlnz4ZkU34cF +UiBcN2gXqYYxsonD37vUX40oTjrQYaQJbWcGgcyNw7Z5U4GV7t1ZFcxNBuE485pE +jqZiDkeP5zmk+r9AB7djUpcowQ0TpPs1SthPsllv/LidusA8DwmeGp063fa1wScv +gH6iJ40HRc7ffwN4ikk409L8awjpSA+HyXC+BsjIaG9uyaoy6XpjjQHrl/kZgeS2 +Nm3wvq00OFKYLi8UgmXlrRNMyNc/osTSAesdJeaiNHUM/+nrdTL1SaOvht/6i07B +bG7Vqv3LtpWvd8fDhSPR/1eiBaYBzDJ+jx25oX5Wbv4/AbsG5/BEgfrBJnMddPyv +Y8X6LY3IpUqRx1sf1L3ia3YxWp5r3bfcCQvVL0W6brEKxbw8BTHFrS3qaBOOfLrC +XuiMKEUcSlexxYnYcJr1RnBYQ4HqcAOCbqQAhXqFv5nge+5gSskP8MS/FtGZ0+nm +wi2ak3WmZbpr08mVnjHVhhxnuuVm7esYhNJLwXvSITXfUPPgpjvzYe0ABLdtWVuo +s4NsU/1XG33I4r+gnrHQyFxsgaZ3rr5VpcbTHLzDzBgTRWk06AZB/nxyfAexE67U +VHRL+4FP+ee5CxpWkT8i0/n2PJ/U/42+pglZmxEzIw76PqcT0aqmnpSwsEnnMH0w +-----END RSA PRIVATE KEY----- diff --git a/devstack/pregenerated/certs/server_ca-chain.cert.pem b/devstack/pregenerated/certs/server_ca-chain.cert.pem new file mode 100644 index 0000000000..0b9e837abf --- /dev/null +++ b/devstack/pregenerated/certs/server_ca-chain.cert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDjTCCAnWgAwIBAgIJAPJtDNgcwPTZMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV +BAYTAlVTMQ8wDQYDVQQIDAZEZW5pYWwxFDASBgNVBAcMC1NwcmluZ2ZpZWxkMQww +CgYDVQQKDANEaXMxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAgFw0xNjEwMTQx +MzQzNDJaGA8yMDY2MTAwMjEzNDM0MlowXDELMAkGA1UEBhMCVVMxDzANBgNVBAgM +BkRlbmlhbDEUMBIGA1UEBwwLU3ByaW5nZmllbGQxDDAKBgNVBAoMA0RpczEYMBYG +A1UEAwwPd3d3LmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAxptZMcFHFsCXWUxWNOkXXARCvAkZ7MeXDAyKzadWup9Trzn3qdz1h6+e +VbPBYTiJeuvX7RWpfN3lhFqy9Y+Fu0ip98zZE7ZjbvUx13BQBkXiJpqsYIoD6IK1 +Lh4J9Exllzy7bTQ0f/IX1yrRztXkpRM5KvcbfUrGAMEy4SW6Idc6ZI+lwxvVIhqZ +KXAyTBg4f8hMhPO5RYFyaxS2PdNDaTLrvb1aDiuYLqcpDcr4/0YSg0iejklMHovC +oLK/uEFgRGYDSX+Os1CUdtnVzLpkFHZtomtEB0kUug4lZpGQckappLq+dWNTu43O +tJzbEa9lpYT8P/nie94tBQYx5+HgSwIDAQABo1AwTjAdBgNVHQ4EFgQUBpJ+Zoky +aGdQtMu9NzcoqOPc+yMwHwYDVR0jBBgwFoAUBpJ+ZokyaGdQtMu9NzcoqOPc+yMw +DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAJe8mlfQ69kyrIuIdbTtg +Kl7ndj7MGQnmNfxytBB5gqUFwswEPKs4VTp3Pp+EStJZxJ8qeeG9B+g3oU3Rhpqc +CDhIyCW8shE2ACKLl0zRRk91LDyXASI4UyvjgN71Ti91VZ3oPVvTIefG6CMeI9oD +Spl6TbPzCOl2rFrTWmdwM3qIVpmhGntdWnA6btga6Fz7dRwUPwycJyhzfLmnjRlQ +3+QxmF2T5iIYw4B1Lsiz1uy27egMuq2M4Hvd2pSGhCB9l/3ZmEXvbF1aFVcnoEHH +/aHqOCx2fQTty1M+qnvofs1dNJlyyxq2LuE4r4wocSTRVfexaichhtsSkjQJ60w1 +VA== +-----END CERTIFICATE----- diff --git a/devstack/pregenerated/certs/server_ca.cert.pem b/devstack/pregenerated/certs/server_ca.cert.pem new file mode 100644 index 0000000000..0b9e837abf --- /dev/null +++ b/devstack/pregenerated/certs/server_ca.cert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDjTCCAnWgAwIBAgIJAPJtDNgcwPTZMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV +BAYTAlVTMQ8wDQYDVQQIDAZEZW5pYWwxFDASBgNVBAcMC1NwcmluZ2ZpZWxkMQww +CgYDVQQKDANEaXMxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAgFw0xNjEwMTQx +MzQzNDJaGA8yMDY2MTAwMjEzNDM0MlowXDELMAkGA1UEBhMCVVMxDzANBgNVBAgM +BkRlbmlhbDEUMBIGA1UEBwwLU3ByaW5nZmllbGQxDDAKBgNVBAoMA0RpczEYMBYG +A1UEAwwPd3d3LmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAxptZMcFHFsCXWUxWNOkXXARCvAkZ7MeXDAyKzadWup9Trzn3qdz1h6+e +VbPBYTiJeuvX7RWpfN3lhFqy9Y+Fu0ip98zZE7ZjbvUx13BQBkXiJpqsYIoD6IK1 +Lh4J9Exllzy7bTQ0f/IX1yrRztXkpRM5KvcbfUrGAMEy4SW6Idc6ZI+lwxvVIhqZ +KXAyTBg4f8hMhPO5RYFyaxS2PdNDaTLrvb1aDiuYLqcpDcr4/0YSg0iejklMHovC +oLK/uEFgRGYDSX+Os1CUdtnVzLpkFHZtomtEB0kUug4lZpGQckappLq+dWNTu43O +tJzbEa9lpYT8P/nie94tBQYx5+HgSwIDAQABo1AwTjAdBgNVHQ4EFgQUBpJ+Zoky +aGdQtMu9NzcoqOPc+yMwHwYDVR0jBBgwFoAUBpJ+ZokyaGdQtMu9NzcoqOPc+yMw +DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAJe8mlfQ69kyrIuIdbTtg +Kl7ndj7MGQnmNfxytBB5gqUFwswEPKs4VTp3Pp+EStJZxJ8qeeG9B+g3oU3Rhpqc +CDhIyCW8shE2ACKLl0zRRk91LDyXASI4UyvjgN71Ti91VZ3oPVvTIefG6CMeI9oD +Spl6TbPzCOl2rFrTWmdwM3qIVpmhGntdWnA6btga6Fz7dRwUPwycJyhzfLmnjRlQ +3+QxmF2T5iIYw4B1Lsiz1uy27egMuq2M4Hvd2pSGhCB9l/3ZmEXvbF1aFVcnoEHH +/aHqOCx2fQTty1M+qnvofs1dNJlyyxq2LuE4r4wocSTRVfexaichhtsSkjQJ60w1 +VA== +-----END CERTIFICATE-----