We want to replace the shell call to openssl for certificate generation in Keystone (and the rest of OpenStack) with calls to Certmonger. Certmonger supports both OpenSSL and NSS, and it can either self-sign or tie in to a real Certificate Authority. Here are the steps I took to test out self-signing, as well as my notes for follow-on work.
Request a certificate:
sudo selfsign-getcert request -f /etc/pki/testcert -k /etc/pki/testkey
Copy the cert and key to /tmp, then sign the example token:
cat /opt/stack/python-keystoneclient/examples/pki/cms/auth_token_unscoped.json | openssl cms -sign -signer /tmp/testcert -inkey /tmp/testkey -outform PEM -nosmimecap -nodetach -nocerts -noattr -out /tmp/auth_token_unscoped.pem
and verify with
openssl cms -verify -certfile /tmp/testcert -CAfile /tmp/testcert -inform PEM -in /tmp/auth_token_unscoped.pem
The SELinux labeling still needs cleaning up. A working example is /etc/pki/tls/private:
matchpathcon /etc/pki/tls/private/
/etc/pki/tls/private system_u:object_r:cert_t:s0
We need the Keystone SSL directory to look the same-ish:
matchpathcon /etc/keystone/ssl/certs/
What can certmonger do on files labelled cert_t? Check with
sudo sesearch --allow -s certmonger_t -c file -t cert_t
which returns
Found 3 semantic av rules:
   allow certmonger_t cert_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow nsswitch_domain cert_t : file { ioctl read getattr lock open } ;
   allow nsswitch_domain cert_t : file { ioctl read getattr lock open } ;
So we need to add a file-context rule to the standard policy that labels /etc/keystone/ssl (and everything under it) as cert_t.
Thanks to Nalin Dahyabhai for helping me work this out.