You can configure the Identity Service to support two-way SSL. You must obtain the x509 certificates externally and configure them.

The Identity Service provides a set of sample certificates in the examples/pki/certs and examples/pki/private directories:
Certificate types

- cacert.pem: Certificate Authority chain to validate against.
- ssl_cert.pem: Public certificate for the Identity Service server.
- middleware.pem: Public and private certificate for the Identity Service middleware/client.
- cakey.pem: Private key for the CA.
- ssl_key.pem: Private key for the Identity Service server.
Note: You can choose names for these certificates. You can also combine the public/private keys in the same file, if you wish. These certificates are provided as an example.
To enable SSL with client authentication, modify the [ssl] section in the etc/keystone.conf file. The following SSL configuration example uses the included sample certificates:

    [ssl]
    enable = True
    certfile = <path to keystone.pem>
    keyfile = <path to keystonekey.pem>
    ca_certs = <path to ca.pem>
    cert_required = True
Options

- enable: True enables SSL. Default is False.
- certfile: Path to the Identity Service public certificate file.
- keyfile: Path to the Identity Service private certificate file. If you include the private key in the certfile, you can omit the keyfile.
- ca_certs: Path to the CA trust chain.
- cert_required: Requires client certificate. Default is False.