f87608d151
We want to start encrypting our gearman traffic for zuulv3, as such we'll need to bring online a CA service. The idea here, is we create a new CA for each interconnecting service we want SSL certs for. As an example /etc/zuul-ca will be used to generate SSL certs for our gearman service. Change-Id: I8c341559292c78d5428fe16837f28494a76e65db Signed-off-by: Paul Belanger <pabelanger@redhat.com> Co-Authored-By: Jeremy Stanley <fungi@yuggoth.org>
81 lines
1.7 KiB
INI
81 lines
1.7 KiB
INI
# This file is managed by puppet.
|
|
# https://git.openstack.org/cgit/openstack-infra/system-config
|
|
|
|
[ca]
|
|
default_ca = CA_default
|
|
|
|
[CA_default]
|
|
dir = .
|
|
certs = $dir/certs
|
|
crl_dir = $dir/crl
|
|
database = $dir/index.txt
|
|
new_certs_dir = $dir/newcerts
|
|
certificate = $dir/cacert.pem
|
|
serial = $dir/serial
|
|
private_key = $dir/private/cakey.pem
|
|
RANDFILE = $dir/private/.rand
|
|
x509_extensions = usr_cert
|
|
name_opt = ca_default
|
|
cert_opt = ca_default
|
|
default_days = 3650
|
|
default_md = default
|
|
preserve = no
|
|
policy = ca_policy
|
|
|
|
[ca_policy]
|
|
countryName = supplied
|
|
stateOrProvinceName = supplied
|
|
localityName = supplied
|
|
organizationName = supplied
|
|
organizationalUnitName = supplied
|
|
commonName = supplied
|
|
emailAddress = supplied
|
|
|
|
[policy_anything]
|
|
countryName = supplied
|
|
stateOrProvinceName = supplied
|
|
localityName = supplied
|
|
organizationName = supplied
|
|
organizationalUnitName = supplied
|
|
commonName = supplied
|
|
emailAddress = supplied
|
|
|
|
[req]
|
|
default_bits = 2048
|
|
default_keyfile = privkey.pem
|
|
distinguished_name = req_distinguished_name
|
|
x509_extensions = v3_ca
|
|
string_mask = utf8only
|
|
prompt = no
|
|
|
|
[req_distinguished_name]
|
|
C = US
|
|
ST = Texas
|
|
L = Austin
|
|
O = OpenStack Foundation
|
|
OU = Infrastructure
|
|
CN = $ENV::CN
|
|
emailAddress = openstack-infra@lists.openstack.org
|
|
|
|
[usr_cert]
|
|
basicConstraints = CA:FALSE
|
|
nsComment = "client certificate"
|
|
subjectKeyIdentifier = hash
|
|
authorityKeyIdentifier = keyid,issuer
|
|
|
|
[server]
|
|
basicConstraints = CA:FALSE
|
|
nsCertType = server
|
|
nsComment = "server certificate"
|
|
subjectKeyIdentifier = hash
|
|
authorityKeyIdentifier = keyid,issuer
|
|
|
|
[v3_req]
|
|
basicConstraints = CA:FALSE
|
|
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
|
|
|
[v3_ca]
|
|
subjectKeyIdentifier = hash
|
|
authorityKeyIdentifier = keyid:always,issuer
|
|
basicConstraints = CA:true
|