Public Key Document Signing for Oslo Messaging

The PKI version of the Keystone tokens use a standard format for cryptographic signing of documents. Crypto Message Syntax (CMS) is the mechanism behind S/MIME and is well supported by the major cryptographic libraries: OpenSSL and NSS both have well documented CMS support. Messaging in OpenStack requires guaranteed identification of the author.

Continue reading


There is more to the certmonger story. A lot more. After my last attempt I tried to use certmonger:

  • as a user-launched process
  • to get a user certificate
  • direct from the dogtag instance behind FreeIPA

I was not 100% successful, but the attempt did have some positive results.

Continue reading

Using Certmonger to Generate a selfsign Cert for CMS

We want to replace the shell call to openssl for certificate generation in Keystone (and the rest of OpenStack) with calls to Certmonger. Certmonger supports both OpenSSL and NSS. Certmonger can support a selfsigned approach, as well as tie in to a real Certificate Authority. Here are the steps I took to test out selfsigning, as well as my notes for follow on work.
Continue reading