======================================= Configure the Identity service with SSL ======================================= You can configure the Identity service to support two-way SSL. You must obtain the x509 certificates externally and configure them. The Identity service provides a set of sample certificates in the :file:`examples/pki/certs` and :file:`examples/pki/private` directories: cacert.pem Certificate Authority chain to validate against. ssl\_cert.pem Public certificate for Identity service server. middleware.pem Public and private certificate for Identity service middleware/client. cakey.pem Private key for the CA. ssl\_key.pem Private key for the Identity service server. .. note:: You can choose names for these certificates. You can also combine public/private keys in the same file, if you wish. These certificates are provided as an example. Client authentication with keystone-all ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ When running ``keystone-all``, the server can be configured to enable SSL with client authentication using the following instructions. Modify the ``[eventlet_server_ssl]`` section in the :file:`/etc/keystone/keystone.conf` file. The following SSL configuration example uses the included sample certificates: .. code-block:: ini [eventlet_server_ssl] enable = True certfile = keyfile = ca_certs = cert_required = True **Options** - ``enable`` True enables SSL. Default is False. - ``certfile`` Path to the Identity service public certificate file. - ``keyfile`` Path to the Identity service private certificate file. If you include the private key in the certfile, you can omit the keyfile. - ``ca_certs`` Path to the CA trust chain. - ``cert_required`` Requires client certificate. Default is False. When running the Identity service as a WSGI service in a web server such as Apache httpd, this configuration is done in the web server instead. In this case the options in the ``[eventlet_server_ssl]`` section are ignored.