For certificate management, it is also useful to have a cron script that periodically downloads the metadata and copies in the new Certificate Revocation List (CRL). This keeps revoked users from connecting and disconnects any connected users whose certificates have been revoked when their connection is re-negotiated (every hour).

If the use_project_ca option in nova.conf is set (required for cloudpipes to work securely), each project has its own Certificate Authority (CA). This CA is used to sign the certificate for the VPN, and is also passed to the user for bundling images. When a certificate is revoked using nova-manage, a new CRL is generated. As long as cloudpipe has an up-to-date CRL, it blocks revoked users from connecting to the VPN.
The userdata for cloudpipe isn't currently updated when certs are revoked, so it is necessary to restart the cloudpipe instance if a user's credentials are revoked.
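An added example of such a cron script (not Nova's own code): it downloads the CRL from an assumed URL, refuses to install anything that openssl cannot parse as a CRL, and replaces the file atomically only when the contents changed. The URL, the destination path under /etc/openvpn and the logger tag are assumptions.

```shell
#!/bin/sh
# Added example, not Nova's own code. Run from cron, e.g. every 10 minutes:
#   */10 * * * * /usr/local/sbin/cloudpipe-crl refresh
# Assumptions: CRL_URL serves the project's current crl.pem, and the
# cloudpipe OpenVPN config points crl-verify at CRL_DEST.
set -eu

CRL_URL="${CRL_URL:-http://crl-source.example/crl.pem}"   # placeholder URL
CRL_DEST="${CRL_DEST:-/etc/openvpn/crl.pem}"             # assumed path

# A download that is truncated or is an HTML error page must never reach
# OpenVPN: an unparseable CRL could fail every handshake or be ignored.
crl_is_valid() {
    openssl crl -in "$1" -noout >/dev/null 2>&1
}

# Copy $1 over $2 atomically (write a sibling temp file, then rename) so
# OpenVPN never reads a half-written file. Returns 0 when $2 was replaced,
# 1 when it already had identical contents.
install_crl_if_changed() {
    src=$1; dst=$2
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 1
    fi
    tmp="$dst.tmp.$$"
    cp "$src" "$tmp"
    chmod 0644 "$tmp"
    mv -f "$tmp" "$dst"
    return 0
}

# Download, validate, install. Keeps the old CRL on any failure.
refresh_crl() {
    url=$1; dst=$2
    dl=$(mktemp)
    trap 'rm -f "$dl"' EXIT
    curl -fsS -o "$dl" "$url"
    if ! crl_is_valid "$dl"; then
        logger -t cloudpipe-crl "download from $url is not a CRL; keeping $dst"
        return 2
    fi
    if install_crl_if_changed "$dl" "$dst"; then
        logger -t cloudpipe-crl "installed new CRL at $dst"
    fi
}

case "${1:-}" in
    refresh) refresh_crl "$CRL_URL" "$CRL_DEST" ;;
esac
```

OpenVPN re-reads the file named by crl-verify at each new TLS negotiation, so the hourly re-negotiation mentioned above picks up the new list without restarting the VPN process.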