You can configure the Identity Service to support two-way SSL. You must obtain the X.509 certificates externally and configure them. The Identity Service provides a set of sample certificates in the examples/pki/certs and examples/pki/private directories:
Certificate types

- cacert.pem: Certificate Authority chain to validate against.
- ssl_cert.pem: Public certificate for the Identity Service server.
- middleware.pem: Public and private certificate for the Identity Service middleware/client.
- cakey.pem: Private key for the CA.
- ssl_key.pem: Private key for the Identity Service server.
Note: You can choose names for these certificates. You can also combine the public and private keys in the same file, if you wish. These certificates are provided as an example only.
To enable SSL with client authentication, modify the [ssl] section in the etc/keystone.conf file. The following SSL configuration example uses the included sample certificates:

```
[ssl]
enable = True
certfile = <path to keystone.pem>
keyfile = <path to keystonekey.pem>
ca_certs = <path to ca.pem>
cert_required = True
```
Options

- enable: True enables SSL. Default is False.
- certfile: Path to the Identity Service public certificate file.
- keyfile: Path to the Identity Service private key file. If you include the private key in the certfile, you can omit the keyfile.
- ca_certs: Path to the CA trust chain.
- cert_required: Requires a client certificate. Default is False.
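The checks below are an added example, not part of the Identity Service or its documentation: they parse the [ssl] section of a keystone.conf and report the settings that silently leave you with one-way SSL or no SSL at all (enable left at its False default, cert_required left at False, a placeholder path copied verbatim, or keyfile omitted while certfile carries no private key). The sample configuration text and its paths are constructed for the example.

```python
import configparser
import os

# Constructed sample [ssl] section (placeholder paths, not real files).
SAMPLE_CONF = """
[ssl]
enable = True
certfile = /etc/keystone/ssl/certs/keystone.pem
keyfile = /etc/keystone/ssl/private/keystonekey.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
cert_required = True
"""

def check_ssl_section(conf_text, check_files=True):
    """Return a list of findings; an empty list means two-way SSL is configured."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    if not cp.has_section("ssl"):
        return ["no [ssl] section: SSL stays disabled (enable defaults to False)"]
    sect = cp["ssl"]
    if not sect.getboolean("enable", fallback=False):
        return ["enable is False (the default): SSL is off"]
    findings = []
    paths = {k: sect.get(k) for k in ("certfile", "keyfile", "ca_certs")}
    # Angle-bracket placeholders such as <path to ca.pem> copied from the docs
    # are not file paths and will fail at startup.
    for name, value in paths.items():
        if value and value.startswith("<"):
            findings.append(f"{name} still holds a placeholder: {value}")
    if not paths["certfile"]:
        findings.append("certfile not set: the server has no public certificate")
    if not paths["ca_certs"]:
        findings.append("ca_certs not set: client certificates cannot be validated")
    if not sect.getboolean("cert_required", fallback=False):
        findings.append("cert_required is False (the default): clients are not "
                        "authenticated, so this is one-way SSL")
    if check_files:
        for name, value in paths.items():
            if value and not value.startswith("<") and not os.path.isfile(value):
                findings.append(f"{name} does not exist on disk: {value}")
        # keyfile may be omitted only when certfile also carries the private key.
        cert = paths["certfile"]
        if not paths["keyfile"] and cert and os.path.isfile(cert):
            with open(cert) as fh:
                if "PRIVATE KEY" not in fh.read():
                    findings.append("keyfile omitted but certfile has no private key")
    return findings

if __name__ == "__main__":
    for finding in check_ssl_section(SAMPLE_CONF):
        print("WARNING:", finding)
```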