Configure the Identity Service with SSL

You can configure the Identity Service to support two-way SSL, in which both the server and the client present a certificate.

You must obtain the X.509 certificates externally and configure them.

The Identity Service provides a set of sample certificates in the examples/pki/certs and examples/pki/private directories:
Certificate types

cacert.pem
    Certificate Authority chain to validate against.

ssl_cert.pem
    Public certificate for the Identity Service server.

middleware.pem
    Public and private certificate for the Identity Service middleware/client.

cakey.pem
    Private key for the CA.

ssl_key.pem
    Private key for the Identity Service server.

You can choose your own names for these certificates. You can also combine the public and private keys in the same file, if you wish. These certificates are provided as an example only: their private keys ship with the source tree, so generate your own certificates for any real deployment.
SSL configuration

To enable SSL with client authentication, modify the [ssl] section in the etc/keystone.conf file. The following SSL configuration example uses the included sample certificates:

    [ssl]
    enable = True
    certfile = <path to keystone.pem>
    keyfile = <path to keystonekey.pem>
    ca_certs = <path to ca.pem>
    cert_required = True
Options

enable
    True enables SSL. Default is False.

certfile
    Path to the Identity Service public certificate file.

keyfile
    Path to the Identity Service private key file. If you include the private key in the certfile, you can omit the keyfile.

ca_certs
    Path to the CA trust chain.

cert_required
    Requires a client certificate. Default is False.
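The following Python script is an added example, not part of the Identity Service code or this guide. It reads the [ssl] section from keystone.conf-style text, applies the documented defaults, reports configuration problems a deployer would want to catch before starting the service (a missing certfile, a keyfile that does not exist, cert_required set without any ca_certs to validate clients against), and shows how the options map onto an ssl.SSLContext: a keyfile of None makes load_cert_chain read the key from the certfile, and cert_required selects CERT_REQUIRED versus CERT_NONE. The file paths in SAMPLE_CONF are hypothetical.

```python
# Added example (not Identity Service code): turn the documented [ssl]
# options into an ssl.SSLContext and check them first.  Paths are hypothetical.
import configparser
import os
import ssl
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SslSettings:
    # Defaults mirror the documented option defaults.
    enable: bool = False
    certfile: Optional[str] = None
    keyfile: Optional[str] = None
    ca_certs: Optional[str] = None
    cert_required: bool = False


def parse_ssl_section(conf_text: str) -> SslSettings:
    """Parse the [ssl] section; options that are absent take their defaults."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    if not parser.has_section("ssl"):
        return SslSettings()
    sec = parser["ssl"]
    return SslSettings(
        enable=sec.getboolean("enable", fallback=False),
        certfile=sec.get("certfile", fallback=None),
        keyfile=sec.get("keyfile", fallback=None),
        ca_certs=sec.get("ca_certs", fallback=None),
        cert_required=sec.getboolean("cert_required", fallback=False),
    )


def check_settings(s: SslSettings) -> List[str]:
    """Return human-readable problems; an empty list means the section is usable."""
    problems: List[str] = []
    if not s.enable:
        return problems  # SSL is off: the other options are not consulted
    if not s.certfile:
        problems.append("certfile is required when enable = True")
    elif not os.path.isfile(s.certfile):
        problems.append(f"certfile not found: {s.certfile}")
    # keyfile may be omitted only when the private key lives inside certfile
    if s.keyfile and not os.path.isfile(s.keyfile):
        problems.append(f"keyfile not found: {s.keyfile}")
    if s.cert_required and not s.ca_certs:
        problems.append("cert_required = True needs ca_certs to validate client certificates against")
    if s.ca_certs and not os.path.isfile(s.ca_certs):
        problems.append(f"ca_certs not found: {s.ca_certs}")
    return problems


def verify_mode_for(s: SslSettings) -> ssl.VerifyMode:
    """cert_required decides whether the server demands a client certificate."""
    return ssl.CERT_REQUIRED if s.cert_required else ssl.CERT_NONE


def build_server_context(s: SslSettings) -> ssl.SSLContext:
    """Build the server-side context the settings describe (the files must exist)."""
    if not s.enable:
        raise ValueError("SSL is not enabled")
    problems = check_settings(s)
    if problems:
        raise ValueError("; ".join(problems))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # keyfile=None tells load_cert_chain to read the private key from certfile
    ctx.load_cert_chain(s.certfile, s.keyfile)
    if s.ca_certs:
        ctx.load_verify_locations(cafile=s.ca_certs)
    ctx.verify_mode = verify_mode_for(s)
    return ctx


# Constructed sample mirroring the documented [ssl] section; paths are hypothetical.
SAMPLE_CONF = """
[DEFAULT]
debug = False

[ssl]
enable = True
certfile = /etc/keystone/ssl/certs/keystone.pem
keyfile = /etc/keystone/ssl/private/keystonekey.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
cert_required = True
"""

if __name__ == "__main__":
    settings = parse_ssl_section(SAMPLE_CONF)
    for problem in check_settings(settings):
        print("problem:", problem)
```

Run it against a real keystone.conf by passing the file contents to parse_ssl_section; with the hypothetical paths above it reports each file as not found, which is the check you want to fail before the service starts rather than at the first TLS handshake.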