Use dual intermediate CAs for devstack

This patch updates the devstack plugin to use a dual Certificate Authority (CA) with intermediate CAs for the Octavia controller deployment. This is a more realistic deployment model for testing. Note: This change uses weak security to save gate resources. Please refer to the Octavia Certificate Configuration Guide for production instructions. Change-Id: I3ec135766c9a1ddb7ac6655c0ee1ccb1e78ead5c
2019-08-27 10:51:52 -07:00
parent 9ec9859bbf
commit 950faea6e9
12 changed files with 513 additions and 167 deletions
--- a/bin/create_certificates.sh
+++ b/bin/create_certificates.sh
@@ -1,103 +0,0 @@
 #!/bin/bash
 # NOTE: This script should not be used for creating certificates in a
 # deployment. It is only used for some testing jobs.
 # Please follow the Octavia Certificate Configuration Guide when setting
 # up a deployment. See:
 # https://docs.openstack.org/octavia/latest/admin/guides/certificates.html
 # USAGE: <certificate directory> <openssl.cnf (example in etc/certificate)
 #Those are certificates for testing will be generated
 #
 #* ca_01.pem is a certificate authority file
 #* server.pem combines a key and a cert from this certificate authority
 #* client.key the client key
 #* client.pem the client certificate
 #
 #You will need to copy them to places the agent_api server/client can find and
 #specify it in the config.
 #
 #Example for client use:
 #
 #curl -k -v --key client.key --cacert ca_01.pem --cert client.pem https://0.0.0.0:9443/
 #
 #
 #Notes:
 #For production use the ca issuing the client certificate and the ca issuing the server cetrificate
 #need to be different so a hacker can't just use the server certificate from a compromised amphora
 #to control all the others.
 #
 #Sources:
 #* https://communities.bmc.com/community/bmcdn/bmc_atrium_and_foundation_technologies/
 #discovery/blog/2014/09/03/the-pulse-create-your-own-personal-ca-with-openssl
 #  This describes how to create a CA and sign requests
 #* https://www.digitalocean.com/community/tutorials/
 #openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs -
 #how to issue csr and much more
 ## Create CA
 # Create directories
 CERT_DIR=$1
 OPEN_SSL_CONF=$2 # etc/certificates/openssl.cnf
 VALIDITY_DAYS=${3:-18250} # defaults to 50 years
 echo "!!!!!!!!!!!!!!!Do not use this script for deployments!!!!!!!!!!!!!"
 echo "Please use the Octavia Certificate Configuration guide:"
 echo "https://docs.openstack.org/octavia/latest/admin/guides/certificates.html"
 echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
 echo $CERT_DIR
 mkdir -p $CERT_DIR
 cd $CERT_DIR
 if [[ $? -ne 0 ]]; then
    echo "Failed to change to $CERT_DIR. Check the existence and permission"
    exit 1
 fi
 mkdir newcerts private
 if [[ $? -ne 0 ]]; then
    echo "Failed to create directories. Check the permission"
    exit 1
 fi
 chmod 700 private
 # prepare files
 touch index.txt
 echo 01 > serial
 echo "Create the CA's private and public keypair (2k long)"
 openssl genrsa -passout pass:foobar -des3 -out private/cakey.pem 2048
 echo "You will be asked to enter some information about the certificate."
 openssl req -x509 -passin pass:foobar -new -nodes -key private/cakey.pem \
        -config $OPEN_SSL_CONF \
        -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
        -days $VALIDITY_DAYS \
        -out ca_01.pem
 echo "Here is the certificate"
 openssl x509 -in ca_01.pem -text -noout
 ## Create Server/Client CSR
 echo "Generate a server key and a CSR"
 openssl req \
       -newkey rsa:2048 -nodes -keyout client.key \
       -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
       -out client.csr
 echo "Sign request"
 openssl ca -passin pass:foobar -config $OPEN_SSL_CONF -in client.csr \
           -days $VALIDITY_DAYS -out client-.pem -batch
 echo "Generate single pem client.pem"
 cat client-.pem client.key > client.pem
 echo "Note: For production use the ca issuing the client certificate and the ca issuing the server"
 echo "certificate need to be different so a hacker can't just use the server certificate from a"
 echo "compromised amphora to control all the others."
 echo "To use the certificates copy them to the directory specified in the octavia.conf"
--- a/bin/create_dual_intermediate_CA.sh
+++ b/bin/create_dual_intermediate_CA.sh
@@ -0,0 +1,161 @@
 #!/bin/bash
 # Licensed under the Apache License, Version 2.0 (the "License"); you may
 # not use this file except in compliance with the License. You may obtain
 # a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
 echo "!!!!!!!!!!!!!!!Do not use this script for deployments!!!!!!!!!!!!!"
 echo "Please use the Octavia Certificate Configuration guide:"
 echo "https://docs.openstack.org/octavia/latest/admin/guides/certificates.html"
 echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
 # This script produces weak security PKI to save resources in the test gates.
 # It should be modified to use stronger encryption (aes256), better pass
 # phrases, and longer keys (4096).
 # Please see the Octavia Certificate Configuration guide:
 # https://docs.openstack.org/octavia/latest/admin/guides/certificates.html
 set -x -e
 CA_PATH=dual_ca
 mkdir $CA_PATH
 chmod 700 $CA_PATH
 cd $CA_PATH
 mkdir -p etc/octavia/certs
 chmod 700 etc/octavia/certs
 ###### Client Root CA
 mkdir client_ca
 cd client_ca
 mkdir certs crl newcerts private
 chmod 700 private
 touch index.txt
 echo 1000 > serial
 # Create the client CA private key
 # Note: This uses short key lengths to save entropy in the test gates.
 #       This is not recommended for deployment use!
 openssl genrsa -aes128 -out private/ca.key.pem -passout pass:not-secure-passphrase 1024
 chmod 400 private/ca.key.pem
 # Create the client CA root certificate
 openssl req -config ../../openssl.cnf -key private/ca.key.pem -new -x509 -sha256 -extensions v3_ca -days 7300 -out certs/ca.cert.pem -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ClientRootCA" -passin pass:not-secure-passphrase
 ###### Client Intermediate CA
 mkdir intermediate_ca
 mkdir intermediate_ca/certs intermediate_ca/crl intermediate_ca/newcerts intermediate_ca/private
 chmod 700 intermediate_ca/private
 touch intermediate_ca/index.txt
 echo 1000 > intermediate_ca/serial
 # Create the client intermediate CA private key
 # Note: This uses short key lengths to save entropy in the test gates.
 #       This is not recommended for deployment use!
 openssl genrsa -aes128 -out intermediate_ca/private/intermediate.ca.key.pem -passout pass:not-secure-passphrase 1024
 chmod 400 intermediate_ca/private/intermediate.ca.key.pem
 # Create the client intermediate CA certificate signing request
 openssl req -config ../../openssl.cnf -key intermediate_ca/private/intermediate.ca.key.pem -new -sha256 -out intermediate_ca/client_intermediate.csr -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ClientIntermediateCA" -passin pass:not-secure-passphrase
 # Create the client intermediate CA certificate
 openssl ca -config ../../openssl.cnf -name CA_intermediate -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate_ca/client_intermediate.csr -out intermediate_ca/certs/intermediate.cert.pem -passin pass:not-secure-passphrase -batch
 # Create the client CA certificate chain
 cat intermediate_ca/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate_ca/ca-chain.cert.pem
 ###### Create the client key and certificate
 # Note: This uses short key lengths to save entropy in the test gates.
 #       This is not recommended for deployment use!
 openssl genrsa -aes128 -out intermediate_ca/private/controller.key.pem -passout pass:not-secure-passphrase 1024
 chmod 400 intermediate_ca/private/controller.key.pem
 # Create the client controller certificate signing request
 openssl req -config ../../openssl.cnf -key intermediate_ca/private/controller.key.pem -new -sha256 -out intermediate_ca/controller.csr -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=OctaviaController" -passin pass:not-secure-passphrase
 # Create the client controller certificate
 openssl ca -config ../../openssl.cnf -name CA_intermediate -extensions usr_cert -days 1825 -notext -md sha256 -in intermediate_ca/controller.csr -out intermediate_ca/certs/controller.cert.pem -passin pass:not-secure-passphrase -batch
 # Build the cancatenated client cert and key
 openssl rsa -in intermediate_ca/private/controller.key.pem -out intermediate_ca/private/client.cert-and-key.pem -passin pass:not-secure-passphrase
 cat intermediate_ca/certs/controller.cert.pem >> intermediate_ca/private/client.cert-and-key.pem
 # We are done with the client CA
 cd ..
 ###### Stash the octavia default client CA cert files
 cp client_ca/intermediate_ca/ca-chain.cert.pem etc/octavia/certs/client_ca.cert.pem
 chmod 444 etc/octavia/certs/client_ca.cert.pem
 cp client_ca/intermediate_ca/private/client.cert-and-key.pem etc/octavia/certs/client.cert-and-key.pem
 chmod 600 etc/octavia/certs/client.cert-and-key.pem
 ###### Server Root CA
 mkdir server_ca
 cd server_ca
 mkdir certs crl newcerts private
 chmod 700 private
 touch index.txt
 echo 1000 > serial
 # Create the server CA private key
 # Note: This uses short key lengths to save entropy in the test gates.
 #       This is not recommended for deployment use!
 openssl genrsa -aes128 -out private/ca.key.pem -passout pass:not-secure-passphrase 1024
 chmod 400 private/ca.key.pem
 # Create the server CA root certificate
 openssl req -config ../../openssl.cnf -key private/ca.key.pem -new -x509 -sha256 -extensions v3_ca -days 7300 -out certs/ca.cert.pem -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ServerRootCA" -passin pass:not-secure-passphrase
 ###### Server Intermediate CA
 mkdir intermediate_ca
 mkdir intermediate_ca/certs intermediate_ca/crl intermediate_ca/newcerts intermediate_ca/private
 chmod 700 intermediate_ca/private
 touch intermediate_ca/index.txt
 echo 1000 > intermediate_ca/serial
 # Create the server intermediate CA private key
 # Note: This uses short key lengths to save entropy in the test gates.
 #       This is not recommended for deployment use!
 openssl genrsa -aes128 -out intermediate_ca/private/intermediate.ca.key.pem -passout pass:not-secure-passphrase 1024
 chmod 400 intermediate_ca/private/intermediate.ca.key.pem
 # Create the server intermediate CA certificate signing request
 openssl req -config ../../openssl.cnf -key intermediate_ca/private/intermediate.ca.key.pem -new -sha256 -out intermediate_ca/server_intermediate.csr -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ServerIntermediateCA" -passin pass:not-secure-passphrase
 # Create the server intermediate CA certificate
 openssl ca -config ../../openssl.cnf -name CA_intermediate -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate_ca/server_intermediate.csr -out intermediate_ca/certs/intermediate.cert.pem -passin pass:not-secure-passphrase -batch
 # Create the server CA certificate chain
 cat intermediate_ca/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate_ca/ca-chain.cert.pem
 # We are done with the server CA
 cd ..
 ###### Stash the octavia default server CA cert files
 cp server_ca/intermediate_ca/ca-chain.cert.pem etc/octavia/certs/server_ca-chain.cert.pem
 chmod 444 etc/octavia/certs/server_ca-chain.cert.pem
 cp server_ca/intermediate_ca/certs/intermediate.cert.pem etc/octavia/certs/server_ca.cert.pem
 chmod 400 etc/octavia/certs/server_ca.cert.pem
 cp server_ca/intermediate_ca/private/intermediate.ca.key.pem etc/octavia/certs/server_ca.key.pem
 chmod 400 etc/octavia/certs/server_ca.key.pem
 ##### Validate the Octavia PKI files
 set +x
 echo "################# Verifying the Octavia files ###########################"
 openssl verify -CAfile etc/octavia/certs/client_ca.cert.pem etc/octavia/certs/client.cert-and-key.pem
 openssl verify -CAfile etc/octavia/certs/server_ca-chain.cert.pem etc/octavia/certs/server_ca.cert.pem
 echo "!!!!!!!!!!!!!!!Do not use this script for deployments!!!!!!!!!!!!!"
 echo "Please use the Octavia Certificate Configuration guide:"
 echo "https://docs.openstack.org/octavia/latest/admin/guides/certificates.html"
 echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
--- a/bin/create_single_CA_intermediate_CA.sh
+++ b/bin/create_single_CA_intermediate_CA.sh
@@ -0,0 +1,116 @@
 #!/bin/bash
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may
 # not use this file except in compliance with the License. You may obtain
 # a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
 echo "!!!!!!!!!!!!!!!Do not use this script for deployments!!!!!!!!!!!!!"
 echo "Single CA mode is insecure, do not use this! It is for testing only."
 echo "Please use the Octavia Certificate Configuration guide:"
 echo "https://docs.openstack.org/octavia/latest/admin/guides/certificates.html"
 echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
 # This script produces weak security PKI to save resources in the test gates.
 # A single CA should never be used in a production deployment. This script
 # exists purely to test legacy migrations / deployments where someone
 # acidently used a single CA.
 set -x -e
 CA_PATH=single_ca
 mkdir $CA_PATH
 chmod 700 $CA_PATH
 cd $CA_PATH
 mkdir -p etc/octavia/certs
 chmod 700 etc/octavia/certs
 ###### Client Root CA
 mkdir client_ca
 cd client_ca
 mkdir certs crl newcerts private
 chmod 700 private
 touch index.txt
 echo 1000 > serial
 # Create the client CA private key
 # Note: This uses short key lengths to save entropy in the test gates.
 #       This is not recommended for deployment use!
 openssl genrsa -aes128 -out private/ca.key.pem -passout pass:not-secure-passphrase 1024
 chmod 400 private/ca.key.pem
 # Create the client CA root certificate
 openssl req -config ../../openssl.cnf -key private/ca.key.pem -new -x509 -sha256 -extensions v3_ca -days 7300 -out certs/ca.cert.pem -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ClientRootCA" -passin pass:not-secure-passphrase
 ###### Client Intermediate CA
 mkdir intermediate_ca
 mkdir intermediate_ca/certs intermediate_ca/crl intermediate_ca/newcerts intermediate_ca/private
 chmod 700 intermediate_ca/private
 touch intermediate_ca/index.txt
 echo 1000 > intermediate_ca/serial
 # Create the client intermediate CA private key
 # Note: This uses short key lengths to save entropy in the test gates.
 #       This is not recommended for deployment use!
 openssl genrsa -aes128 -out intermediate_ca/private/intermediate.ca.key.pem -passout pass:not-secure-passphrase 1024
 chmod 400 intermediate_ca/private/intermediate.ca.key.pem
 # Create the client intermediate CA certificate signing request
 openssl req -config ../../openssl.cnf -key intermediate_ca/private/intermediate.ca.key.pem -new -sha256 -out intermediate_ca/client_intermediate.csr -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ClientIntermediateCA" -passin pass:not-secure-passphrase
 # Create the client intermediate CA certificate
 openssl ca -config ../../openssl.cnf -name CA_intermediate -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate_ca/client_intermediate.csr -out intermediate_ca/certs/intermediate.cert.pem -passin pass:not-secure-passphrase -batch
 # Create the client CA certificate chain
 cat intermediate_ca/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate_ca/ca-chain.cert.pem
 ###### Create the client key and certificate
 # Note: This uses short key lengths to save entropy in the test gates.
 #       This is not recommended for deployment use!
 openssl genrsa -aes128 -out intermediate_ca/private/controller.key.pem -passout pass:not-secure-passphrase 1024
 chmod 400 intermediate_ca/private/controller.key.pem
 # Create the client controller certificate signing request
 openssl req -config ../../openssl.cnf -key intermediate_ca/private/controller.key.pem -new -sha256 -out intermediate_ca/controller.csr -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=OctaviaController" -passin pass:not-secure-passphrase
 # Create the controller client certificate
 openssl ca -config ../../openssl.cnf -name CA_intermediate -extensions usr_cert -days 1825 -notext -md sha256 -in intermediate_ca/controller.csr -out intermediate_ca/certs/controller.cert.pem -passin pass:not-secure-passphrase -batch
 # Build the cancatenated client cert and key
 openssl rsa -in intermediate_ca/private/controller.key.pem -out intermediate_ca/private/client.cert-and-key.pem -passin pass:not-secure-passphrase
 cat intermediate_ca/certs/controller.cert.pem >> intermediate_ca/private/client.cert-and-key.pem
 # We are done with the client CA
 cd ..
 ###### Stash the octavia default cert files
 cp client_ca/intermediate_ca/ca-chain.cert.pem etc/octavia/certs/client_ca.cert.pem
 chmod 444 etc/octavia/certs/client_ca.cert.pem
 cp client_ca/intermediate_ca/private/client.cert-and-key.pem etc/octavia/certs/client.cert-and-key.pem
 chmod 600 etc/octavia/certs/client.cert-and-key.pem
 cp client_ca/intermediate_ca/ca-chain.cert.pem etc/octavia/certs/server_ca.cert.pem
 chmod 444 etc/octavia/certs/server_ca.cert.pem
 cp client_ca/intermediate_ca/private/intermediate.ca.key.pem etc/octavia/certs/server_ca.key.pem
 chmod 600 etc/octavia/certs/server_ca.key.pem
 ##### Validate the Octavia PKI files
 set +x
 echo "################# Verifying the Octavia files ###########################"
 openssl verify -CAfile etc/octavia/certs/client_ca.cert.pem etc/octavia/certs/client.cert-and-key.pem
 openssl verify -CAfile etc/octavia/certs/server_ca.cert.pem etc/octavia/certs/server_ca.cert.pem
 echo "!!!!!!!!!!!!!!!Do not use this script for deployments!!!!!!!!!!!!!"
 echo "Single CA mode is insecure, do not use this! It is for testing only."
 echo "Please use the Octavia Certificate Configuration guide:"
 echo "https://docs.openstack.org/octavia/latest/admin/guides/certificates.html"
 echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
--- a/bin/openssl.cnf
+++ b/bin/openssl.cnf
@@ -0,0 +1,144 @@
 # OpenSSL root CA configuration file.
 [ ca ]
 # `man ca`
 default_ca = CA_default
 [ CA_default ]
 # Directory and file locations.
 dir               = ./
 certs             = $dir/certs
 crl_dir           = $dir/crl
 new_certs_dir     = $dir/newcerts
 database          = $dir/index.txt
 serial            = $dir/serial
 RANDFILE          = $dir/private/.rand
 # The root key and root certificate.
 private_key       = $dir/private/ca.key.pem
 certificate       = $dir/certs/ca.cert.pem
 # For certificate revocation lists.
 crlnumber         = $dir/crlnumber
 crl               = $dir/crl/ca.crl.pem
 crl_extensions    = crl_ext
 default_crl_days  = 30
 # SHA-1 is deprecated, so use SHA-2 instead.
 default_md        = sha256
 name_opt          = ca_default
 cert_opt          = ca_default
 # 10 years
 default_days      = 7300
 preserve          = no
 policy            = policy_strict
 [ CA_intermediate ]
 # Directory and file locations.
 dir               = ./intermediate_ca
 certs             = $dir/certs
 crl_dir           = $dir/crl
 new_certs_dir     = $dir/newcerts
 database          = $dir/index.txt
 serial            = $dir/serial
 RANDFILE          = $dir/private/.rand
 # The root key and root certificate.
 private_key       = ./private/ca.key.pem
 certificate       = ./certs/ca.cert.pem
 # For certificate revocation lists.
 crlnumber         = $dir/crlnumber
 crl               = $dir/crl/ca.crl.pem
 crl_extensions    = crl_ext
 default_crl_days  = 30
 # SHA-1 is deprecated, so use SHA-2 instead.
 default_md        = sha256
 name_opt          = ca_default
 cert_opt          = ca_default
 # 5 years
 default_days      = 3650
 preserve          = no
 policy            = policy_strict
 [ policy_strict ]
 # The root CA should only sign intermediate certificates that match.
 # See the POLICY FORMAT section of `man ca`.
 countryName             = match
 stateOrProvinceName     = match
 organizationName        = match
 organizationalUnitName  = optional
 commonName              = supplied
 emailAddress            = optional
 [ req ]
 # Options for the `req` tool (`man req`).
 default_bits        = 2048
 distinguished_name  = req_distinguished_name
 string_mask         = utf8only
 # SHA-1 is deprecated, so use SHA-2 instead.
 default_md          = sha256
 # Extension to add when the -x509 option is used.
 x509_extensions     = v3_ca
 [ req_distinguished_name ]
 # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
 countryName                     = Country Name (2 letter code)
 stateOrProvinceName             = State or Province Name
 localityName                    = Locality Name
 0.organizationName              = Organization Name
 organizationalUnitName          = Organizational Unit Name
 commonName                      = Common Name
 emailAddress                    = Email Address
 # Optionally, specify some defaults.
 countryName_default             = US
 stateOrProvinceName_default     = Oregon
 localityName_default            = Corvallis
 0.organizationName_default      = OpenStack
 organizationalUnitName_default  = Octavia
 emailAddress_default            =
 commonName_default              = example.org
 [ v3_ca ]
 # Extensions for a typical CA (`man x509v3_config`).
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 basicConstraints = critical, CA:true
 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
 [ v3_intermediate_ca ]
 # Extensions for a typical intermediate CA (`man x509v3_config`).
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 basicConstraints = critical, CA:true, pathlen:0
 keyUsage = critical, digitalSignature, cRLSign, keyCertSign
 [ usr_cert ]
 # Extensions for client certificates (`man x509v3_config`).
 basicConstraints = CA:FALSE
 nsCertType = client, email
 nsComment = "OpenSSL Generated Client Certificate"
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer
 keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
 extendedKeyUsage = clientAuth, emailProtection
 [ server_cert ]
 # Extensions for server certificates (`man x509v3_config`).
 basicConstraints = CA:FALSE
 nsCertType = server
 nsComment = "OpenSSL Generated Server Certificate"
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer:always
 keyUsage = critical, digitalSignature, keyEncipherment
 extendedKeyUsage = serverAuth
 [ crl_ext ]
 # Extension for CRLs (`man x509v3_config`).
 authorityKeyIdentifier=keyid:always
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -335,14 +335,26 @@ function octavia_configure {
    if [[ "$(trueorfalse False OCTAVIA_USE_PREGENERATED_CERTS)" == "True" ]]; then
        cp -rfp ${OCTAVIA_PREGENERATED_CERTS_DIR} ${OCTAVIA_CERTS_DIR}
    else
-        source $OCTAVIA_DIR/bin/create_certificates.sh $OCTAVIA_CERTS_DIR $OCTAVIA_DIR/etc/certificates/openssl.cnf
+        pushd $OCTAVIA_DIR/bin
        source create_dual_intermediate_CA.sh
        mkdir -p ${OCTAVIA_CERTS_DIR}/private
        chmod 700 ${OCTAVIA_CERTS_DIR}/private
        cp -p etc/octavia/certs/server_ca.cert.pem ${OCTAVIA_CERTS_DIR}/
        cp -p etc/octavia/certs/server_ca-chain.cert.pem ${OCTAVIA_CERTS_DIR}/
        cp -p etc/octavia/certs/server_ca.key.pem ${OCTAVIA_CERTS_DIR}/private/
        cp -p etc/octavia/certs/client_ca.cert.pem ${OCTAVIA_CERTS_DIR}/
        cp -p etc/octavia/certs/client.cert-and-key.pem ${OCTAVIA_CERTS_DIR}/private/
        popd
    fi
-    iniset $OCTAVIA_CONF haproxy_amphora client_cert ${OCTAVIA_CERTS_DIR}/client.pem
+    iniset $OCTAVIA_CONF certificates ca_certificate ${OCTAVIA_CERTS_DIR}/server_ca.cert.pem
-    iniset $OCTAVIA_CONF haproxy_amphora server_ca ${OCTAVIA_CERTS_DIR}/ca_01.pem
+    iniset $OCTAVIA_CONF certificates ca_private_key ${OCTAVIA_CERTS_DIR}/private/server_ca.key.pem
-    iniset $OCTAVIA_CONF certificates ca_certificate ${OCTAVIA_CERTS_DIR}/ca_01.pem
+    iniset $OCTAVIA_CONF certificates ca_private_key_passphrase not-secure-passphrase
-    iniset $OCTAVIA_CONF certificates ca_private_key ${OCTAVIA_CERTS_DIR}/private/cakey.pem
+    iniset $OCTAVIA_CONF controller_worker client_ca ${OCTAVIA_CERTS_DIR}/client_ca.cert.pem
-    iniset $OCTAVIA_CONF certificates ca_private_key_passphrase foobar
+    iniset $OCTAVIA_CONF haproxy_amphora client_cert ${OCTAVIA_CERTS_DIR}/private/client.cert-and-key.pem
    iniset $OCTAVIA_CONF haproxy_amphora server_ca ${OCTAVIA_CERTS_DIR}/server_ca-chain.cert.pem
    # Controller side symmetric encryption, not used for PKI
    iniset $OCTAVIA_CONF certificates server_certs_key_passphrase insecure-key-do-not-use-this-key
    if [[ "$OCTAVIA_USE_LEGACY_RBAC" == "True" ]]; then
--- a/devstack/pregenerated/certs/client.key
+++ b/devstack/pregenerated/certs/client.key
@@ -1,28 +0,0 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDTVy+pO8vjce/b
 QvCvyFiVOWWTSNfAcdtrEZU8kgH61jLtg1Omtz/x9LplQvC2U2lIlAiuLPWAUyTg
 mDEhdOP178h3doCJAlKfnWnwseWDVW/s3arnkgnRoRfkzEJpE4JCPHHi1OgiX7F0
 ySwxCnBcQvd30eF2g4/xogYgVePq+mVcg4l+MiCLRSpRCzTx9XcVe/zwbeQ0fVSO
 ivMKpvF/1mUrs++CFzGX9HFfZ9eAEdVDgi8PTjlJRQyojhopek6/lMivQi+fu+lD
 GPOmmujIrevfLJT+K6dgJ/y4GjwubvNgUecMU3DeiLZtbGohFwoX0+WU/BN5M49t
 54m3Zn4pAgMBAAECggEAZu5MwUDlYaZJauHkdci/FBa7WQueQRVzB2et5q06F6Ah
 d7qBkG4pz78g1VbQBA0F9xpaS/KLs29LQ7P8Ic5bhJm/aiemHJSsBx9UzKzoGpoP
 BC9GILjo3Vd3WrD9G04sH/Ruh0qosK0osbeVNWFfLiBThOEMzXrwLYB7OV57viJI
 4YAXGOzOgK3aMHF8cYRRgTDIi2dGAMH1EyIIB8gKYlp1PdMmaTOk2LBhechuImRX
 4LgvM1fUdJ7utyQKEXMJEg+wzV9BMlX6nvM3vVWdYZy2Hsu9DDyJUFYQk9cDpXNP
 RF4jjLUtz6gEZOlotOQgPWqLANJrt/BdVfyeA97psQKBgQD7SeNlQd2bu8GfH0vB
 mjzSWmJ3nDnpeaUR9MIYVQ6zNlvYPjM2BMVQtE5+VWK15YOjD5L9SoresNKubrSv
 wzNFeqf6Dvq7zJ+6Rkst7GcRV/P3D4C3ZeKeDNjVm4eMRCa5ttIJlLmfqffeLO9M
 RSanNjnjwWENgsXCCvlVBfc9ZQKBgQDXTY8X9ug9xVlqBR4TMfzXBadzP+nDqYd9
 MkH3tEltLba0vP4vKyjQa8A9FMzSRr9bv13mNpAbFEDGnhzv1l5OlHTM6tG//Rxq
 nnhmFLFWZl8WowP0LiPTafrDjGEX/7iDAJjAtSacBBm6EGaM8igWEQT0WXwsQbTw
 rlRolJ5DdQKBgQDgMBJ80x+IAiGC+iPXLOjYbqTsu2d7YfigJXJIzRHZV0Tnjs6X
 gfgbwVFKKplvWL1xa8Ki0a9FcBH2Z3QyXv9OHFjiohyWEb/rKy2FYiSt938Dy0P1
 2yMsCKAnKqPqwx6dj3qh65sT1Er8X7B6pjMO+TT6ehtBN4uBS9MYRMNIdQKBgQDU
 6UztTOzDUSqn7mGcZ916IYxDK1wXcsmapB2aQD4wanl4aEEREiQtX7DednhKJU5N
 A4RvCVweezvHbkp9Xscp/CM5FanQqxPz17yGbkYkg93au+BIE2y4P+CMioDlw6uK
 WQe14i5JMMDkQB25mirMD46PuQJTnbK6JBsyxG1xlQKBgGtcSY0AyVq00p0kkxNm
 KhzI+17T0j0CuczJ/X+NvCUjLsx3NTJatRkJNYHWG7jUqs1vvtZbHVspQeteMlEi
 rNE/xz98iG2eC8AdW+TmZvySmIZgoAoPuopUvBzRiyfLQVh4pPuikbTDghEn+CSG
 WSyOd/I4JsH4xQFJC89nnm5M
 -----END PRIVATE KEY-----
--- a/devstack/pregenerated/certs/client_ca.cert.pem
+++ b/devstack/pregenerated/certs/client_ca.cert.pem
--- a/devstack/pregenerated/certs/private/cakey.pem
+++ b/devstack/pregenerated/certs/private/cakey.pem
@@ -1,30 +0,0 @@
 -----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
 DEK-Info: DES-EDE3-CBC,F5D5CAF138266C5C
 X7mebmQYgOOgOLi5ec7+kxrDzP5PqD4A2b4dph1qEoVEcwKEcVicrPdDtLeHReO4
 W5WpyJxqUIIHZZWmvCy08tX151/BJYzmDbF5gGf0c2Q7V0Mnfvkn4G01apIxXMXB
 kD4NIL3UB+4D2xmWv7s+PK+T4uNsO9gotUoABc5s4sNDsl7Jbgozo14T8oZkGVot
 GrS1PpTes4GiIwmmlBzrtO+0Y0Yv5tzJrdkz047nXur+1n4YNj87Ui6R3O/crFmI
 cf+L8NefqihmW2qR1deTSozg1oMv3RaZdMsxNDYLcF+4o+18buAHCr//NU71eVIZ
 /P4XrIQQAyLi8u5W/5dFH9FEnNtBz0AJlBpLpKb7O3ZdQ18/UATbdaRrb4cqocEH
 PTEEUTWRf1/5DhT+AXryI3Op0yxEZlVQu/IbEAgiV3wvx5Cof75Hm0m0rtFdnNBc
 L2IA+3+75HGRt/zljh7ByGcui0dQA7i6thDc+qxz4WpcUx10Y9Dn2V5DueWunez+
 kjwRsahervPoaRRL+MuP43B1w4HPDCPOuTDO35TXivSFHz/mFGJ5GOy+iMPddFMa
 RYWlDGkruz4poQ1zXQ2d4Q6wXSFiihU78a/0af8IhjofqAxUA91bC6oBF6OYGXZT
 9cKfK1TUPVQITH2VLcJLxRf+Q4Zgc7gYJqEnh8dJ0lpMAgSkgyQDE0p0ttakj0Xv
 ombZq+7SDSUYnItcPARLe2FWhsihZfu7W6f9fWQcXAv7dYG/opB5yquXaE+96eCO
 1eGc0VttBauW+r87fAJtfm3XgwfrrGwDglcmo5JmaBWRSkxdLn6xPP1pAfGj2jQQ
 EhWhIcbFgnGPhPSWpYMpeE8RdgO0R7Hno10scF5j/t3JPE5pfBOAGmyBsOdWW4TT
 UfICuZ6UznNYtaWcXSrUNXETMFjrDaHoXZ50bG1FMZKA1YCz6QnoE4w42nBTVLj9
 90K+h3mVLqD/5qA8UYZYUuKn+e7w3xY4dRLAXExfB/33kb3A3jjjHYqVTpFXV6Of
 0EAa/BDeGpkWElTmIgjN7VN+1rUDXgLMJ62M/fEkICTM1tSYLKFUdntGQ3YfzYX6
 LHB5BWsrlPFc2a8OXUCu5tvtm387W8X80eMb97e0A501q5P2Wxv/XcuPgVlx5JQP
 37nqFDEtqGJoOE1LC5xZVzisNk7QVh6r0N3tGVeyE/bE0nvOYr/Zw8SVmwqNr8/I
 jQspeH48uAudQ/lZ8aFUFpj7bm2Ie8ka2QqZAhPMDHy2Y8zf0obNB/RTG/SHSdMc
 j2jdL1cUPcPOG+c2yLsgap+lpFpHZgeiTFY9775F3ODrADOiS2k5XkQCTz/n/Z3z
 QOhz2T1RM8aa+xjk33YFJyVfYKQGEXfQwJ/RSJjMglDsJSE+py1ZPj4TzYnXfcjr
 f26ReNcqL1/0sTSMf14OIKYEBNN8L4zQHX8BWY8EhPc8qBxspJQzH8imbNYb0x/M
 +X0kZJbsEpO5JRD70KOoOM8vmStAglWTbbt9JLDjL98Ks54+Si9fgGql8njyo96V
 vwNihqd8kqEk9STXKwJZzmkXvcs8WDuFUuLDtQYjk6GMT17e10TgmA==
 -----END RSA PRIVATE KEY-----
--- a/devstack/pregenerated/certs/private/client.cert-and-key.pem
+++ b/devstack/pregenerated/certs/private/client.cert-and-key.pem
--- a/devstack/pregenerated/certs/private/server_ca.key.pem
+++ b/devstack/pregenerated/certs/private/server_ca.key.pem
@@ -0,0 +1,30 @@
 -----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
 DEK-Info: AES-128-CBC,B6C2D5A9657E9635BE06551CAD6EF969
 N90cGt5rEntmiPvIAQwbO9W02blpDRZLJYMJeqttqxttnq6+InYQL3M4nJmR8XVz
 /bCjWhMQlh5kEKzBtjhu5xFXqYhF3q9UcA6/13VY4gicrSHwwpoVLP0X2IXFp6ub
 t4haSggaH6F2ZxF9DJCVG6+GyqOpuTPlGD4QiEf40NTo7x2H+JCEveLsIaSUljTV
 W/XZDk1RSo8hMpr+huqCQOZxfhEuM76gSK8wPW3nCzVoBMCk/1RpMcXq8A7FT9gd
 0V+2jwucDPOEVrTLmYjh/Aln6ATdte2l/b9XKPnAoVW6psYw83pu2hXtjgfCI+ey
 IbRvzJ9djPvx0qhEu/EQIcKLFfNt/+OExm7rce8+O6NcB1x+bFbvCLamPYQxtcjE
 xjqOWD0QT+VtIdqnG631jctN2mocmhVWfmp6le1RlkwfKSsbS1lb6Lcj/TasTlai
 5c6hfYB83drlJUw0374PuWn8Tb62HGaROK8JEG07CcgNT1l8KXHrCpLzwEQvRtP+
 Bze+mlbjScm21ny280huQz5hiNdDrH9q/YzVHcHEVICAnimEsZeaQCyEt0Um9h56
 gvTZ6Udh/SeetBsL77hQ3EwDYs2nNdacaOIu5tASrfdMXWdSiLiNR8zK7y7x4a0b
 GrgrerYJPWdb2axy4rrhzzlPRTHCJL1gA/E3CYC5mObk07tCMoQt7Ak3dofto9jG
 1CSRLGqbP31k7tXBOLCwNAYekQkDWRQV4u0vf2aWJdLjxLwiX7424E6p/cvaUi5B
 Sv+Iit3Zuee7Tq6DK0rv+5oWZmyfC/rzHcqmAMUhnjfBBlcI1N22BrBEBpfX6zq1
 DnIwiS9ayJMzaExSS+tBuqoHuoLMo2Fn++NpYxIUrwtQBvAD1Qxqx6QacTGFK025
 UpyV/ML+FdENujwU6KYYdciHX3E7nU4UYC/qwT7u9B/k3OiTS37GSlnz4ZkU34cF
 UiBcN2gXqYYxsonD37vUX40oTjrQYaQJbWcGgcyNw7Z5U4GV7t1ZFcxNBuE485pE
 jqZiDkeP5zmk+r9AB7djUpcowQ0TpPs1SthPsllv/LidusA8DwmeGp063fa1wScv
 gH6iJ40HRc7ffwN4ikk409L8awjpSA+HyXC+BsjIaG9uyaoy6XpjjQHrl/kZgeS2
 Nm3wvq00OFKYLi8UgmXlrRNMyNc/osTSAesdJeaiNHUM/+nrdTL1SaOvht/6i07B
 bG7Vqv3LtpWvd8fDhSPR/1eiBaYBzDJ+jx25oX5Wbv4/AbsG5/BEgfrBJnMddPyv
 Y8X6LY3IpUqRx1sf1L3ia3YxWp5r3bfcCQvVL0W6brEKxbw8BTHFrS3qaBOOfLrC
 XuiMKEUcSlexxYnYcJr1RnBYQ4HqcAOCbqQAhXqFv5nge+5gSskP8MS/FtGZ0+nm
 wi2ak3WmZbpr08mVnjHVhhxnuuVm7esYhNJLwXvSITXfUPPgpjvzYe0ABLdtWVuo
 s4NsU/1XG33I4r+gnrHQyFxsgaZ3rr5VpcbTHLzDzBgTRWk06AZB/nxyfAexE67U
 VHRL+4FP+ee5CxpWkT8i0/n2PJ/U/42+pglZmxEzIw76PqcT0aqmnpSwsEnnMH0w
 -----END RSA PRIVATE KEY-----
--- a/devstack/pregenerated/certs/server_ca-chain.cert.pem
+++ b/devstack/pregenerated/certs/server_ca-chain.cert.pem
@@ -0,0 +1,22 @@
 -----BEGIN CERTIFICATE-----
 MIIDjTCCAnWgAwIBAgIJAPJtDNgcwPTZMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV
 BAYTAlVTMQ8wDQYDVQQIDAZEZW5pYWwxFDASBgNVBAcMC1NwcmluZ2ZpZWxkMQww
 CgYDVQQKDANEaXMxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAgFw0xNjEwMTQx
 MzQzNDJaGA8yMDY2MTAwMjEzNDM0MlowXDELMAkGA1UEBhMCVVMxDzANBgNVBAgM
 BkRlbmlhbDEUMBIGA1UEBwwLU3ByaW5nZmllbGQxDDAKBgNVBAoMA0RpczEYMBYG
 A1UEAwwPd3d3LmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
 CgKCAQEAxptZMcFHFsCXWUxWNOkXXARCvAkZ7MeXDAyKzadWup9Trzn3qdz1h6+e
 VbPBYTiJeuvX7RWpfN3lhFqy9Y+Fu0ip98zZE7ZjbvUx13BQBkXiJpqsYIoD6IK1
 Lh4J9Exllzy7bTQ0f/IX1yrRztXkpRM5KvcbfUrGAMEy4SW6Idc6ZI+lwxvVIhqZ
 KXAyTBg4f8hMhPO5RYFyaxS2PdNDaTLrvb1aDiuYLqcpDcr4/0YSg0iejklMHovC
 oLK/uEFgRGYDSX+Os1CUdtnVzLpkFHZtomtEB0kUug4lZpGQckappLq+dWNTu43O
 tJzbEa9lpYT8P/nie94tBQYx5+HgSwIDAQABo1AwTjAdBgNVHQ4EFgQUBpJ+Zoky
 aGdQtMu9NzcoqOPc+yMwHwYDVR0jBBgwFoAUBpJ+ZokyaGdQtMu9NzcoqOPc+yMw
 DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAJe8mlfQ69kyrIuIdbTtg
 Kl7ndj7MGQnmNfxytBB5gqUFwswEPKs4VTp3Pp+EStJZxJ8qeeG9B+g3oU3Rhpqc
 CDhIyCW8shE2ACKLl0zRRk91LDyXASI4UyvjgN71Ti91VZ3oPVvTIefG6CMeI9oD
 Spl6TbPzCOl2rFrTWmdwM3qIVpmhGntdWnA6btga6Fz7dRwUPwycJyhzfLmnjRlQ
 3+QxmF2T5iIYw4B1Lsiz1uy27egMuq2M4Hvd2pSGhCB9l/3ZmEXvbF1aFVcnoEHH
 /aHqOCx2fQTty1M+qnvofs1dNJlyyxq2LuE4r4wocSTRVfexaichhtsSkjQJ60w1
 VA==
 -----END CERTIFICATE-----
--- a/devstack/pregenerated/certs/server_ca.cert.pem
+++ b/devstack/pregenerated/certs/server_ca.cert.pem
@@ -0,0 +1,22 @@
 -----BEGIN CERTIFICATE-----
 MIIDjTCCAnWgAwIBAgIJAPJtDNgcwPTZMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV
 BAYTAlVTMQ8wDQYDVQQIDAZEZW5pYWwxFDASBgNVBAcMC1NwcmluZ2ZpZWxkMQww
 CgYDVQQKDANEaXMxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAgFw0xNjEwMTQx
 MzQzNDJaGA8yMDY2MTAwMjEzNDM0MlowXDELMAkGA1UEBhMCVVMxDzANBgNVBAgM
 BkRlbmlhbDEUMBIGA1UEBwwLU3ByaW5nZmllbGQxDDAKBgNVBAoMA0RpczEYMBYG
 A1UEAwwPd3d3LmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
 CgKCAQEAxptZMcFHFsCXWUxWNOkXXARCvAkZ7MeXDAyKzadWup9Trzn3qdz1h6+e
 VbPBYTiJeuvX7RWpfN3lhFqy9Y+Fu0ip98zZE7ZjbvUx13BQBkXiJpqsYIoD6IK1
 Lh4J9Exllzy7bTQ0f/IX1yrRztXkpRM5KvcbfUrGAMEy4SW6Idc6ZI+lwxvVIhqZ
 KXAyTBg4f8hMhPO5RYFyaxS2PdNDaTLrvb1aDiuYLqcpDcr4/0YSg0iejklMHovC
 oLK/uEFgRGYDSX+Os1CUdtnVzLpkFHZtomtEB0kUug4lZpGQckappLq+dWNTu43O
 tJzbEa9lpYT8P/nie94tBQYx5+HgSwIDAQABo1AwTjAdBgNVHQ4EFgQUBpJ+Zoky
 aGdQtMu9NzcoqOPc+yMwHwYDVR0jBBgwFoAUBpJ+ZokyaGdQtMu9NzcoqOPc+yMw
 DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAJe8mlfQ69kyrIuIdbTtg
 Kl7ndj7MGQnmNfxytBB5gqUFwswEPKs4VTp3Pp+EStJZxJ8qeeG9B+g3oU3Rhpqc
 CDhIyCW8shE2ACKLl0zRRk91LDyXASI4UyvjgN71Ti91VZ3oPVvTIefG6CMeI9oD
 Spl6TbPzCOl2rFrTWmdwM3qIVpmhGntdWnA6btga6Fz7dRwUPwycJyhzfLmnjRlQ
 3+QxmF2T5iIYw4B1Lsiz1uy27egMuq2M4Hvd2pSGhCB9l/3ZmEXvbF1aFVcnoEHH
 /aHqOCx2fQTty1M+qnvofs1dNJlyyxq2LuE4r4wocSTRVfexaichhtsSkjQJ60w1
 VA==
 -----END CERTIFICATE-----