Configure the Identity Service with SSL
You can configure the Identity Service to support two-way
SSL.
You must obtain the x509 certificates externally and
configure them.
The Identity Service provides a set of sample certificates
in the examples/pki/certs and examples/pki/private
directories:
Certificate types
cacert.pem
Certificate Authority chain to validate
against.
ssl_cert.pem
Public certificate for Identity Service
server.
middleware.pem
Public and private certificate for Identity
Service middleware/client.
cakey.pem
Private key for the CA.
ssl_key.pem
Private key for the Identity Service
server.
You can choose names for these certificates. You can
also combine the public/private keys in the same file, if
you wish. These certificates are provided as an
example.
SSL configuration
To enable SSL with client authentication, modify the
[ssl] section in the
etc/keystone.conf file. The
following SSL configuration example uses the included
sample certificates:
[ssl]
enable = True
certfile = <path to keystone.pem>
keyfile = <path to keystonekey.pem>
ca_certs = <path to ca.pem>
cert_required = True
Options
enable. True enables SSL.
Default is False.
certfile. Path to the
Identity Service public certificate file.
keyfile. Path to the Identity
Service private certificate file. If you include
the private key in the certfile, you can omit the
keyfile.
ca_certs. Path to the CA
trust chain.
cert_required. Requires
client certificate. Default is False.