One way to request a signing certificate from an external CA is to first generate a PKCS #10 Certificate Request Syntax (CRS) using the OpenSSL CLI.
First create a certificate request configuration file (e.g. cert_req.conf):
[ req ]
default_bits = 1024
default_keyfile = keystonekey.pem
default_md = sha1
prompt = no
distinguished_name = distinguished_name

[ distinguished_name ]
countryName = US
stateOrProvinceName = CA
localityName = Sunnyvale
organizationName = OpenStack
organizationalUnitName = Keystone
commonName = Keystone Signing
emailAddress = [email protected]
Then generate a CRS with the OpenSSL CLI. Do not encrypt the generated private key: you must use the -nodes option.
For example:
openssl req -newkey rsa:1024 -keyout signing_key.pem -keyform PEM -out signing_cert_req.pem -outform PEM -config cert_req.conf -nodes
If everything is successful, you should end up with signing_cert_req.pem and signing_key.pem. Send signing_cert_req.pem to your CA to request a token signing certificate, and make sure to ask for the certificate to be in PEM format. Also, make sure your trusted CA certificate chain is in PEM format.
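
Before sending the request, it helps to confirm that the two files belong together and that the key really is unencrypted. The function below is an added example, not part of the original documentation; the name check_signing_request and the 2048-bit default minimum are assumptions (the example command above generates a 1024-bit key, so pass the minimum your CA actually accepts as the third argument).

```shell
#!/bin/sh
# Added example: sanity-check the request and key before sending
# signing_cert_req.pem to the CA.
# usage: check_signing_request CSR KEY [MIN_BITS]   (returns 0 if all checks pass)
check_signing_request() {
    csr=$1; key=$2
    min_bits=${3:-2048}   # assumption: adjust to your CA's stated minimum

    # 1. The request parses as PKCS #10 and its self-signature verifies.
    #    Match on the message OpenSSL prints rather than on the exit status.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "FAIL: $csr is not a valid, self-consistent request"; return 1
    fi

    # 2. The key must be unencrypted (the reason for -nodes). Both the PKCS #8
    #    and the traditional PEM encodings mark encryption with "ENCRYPTED".
    if grep -q 'ENCRYPTED' "$key"; then
        echo "FAIL: $key is passphrase-protected"; return 1
    fi

    # 3. The public key in the request must be the one derived from the key file.
    req_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$req_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match the public key in $csr"; return 1
    fi

    # 4. Key size, read from the request's text dump.
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null)
    bits=$(printf '%s\n' "$text" |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "FAIL: key is ${bits:-?} bits, below the minimum of $min_bits"; return 1
    fi

    # Show the subject the CA will see.
    echo "OK: $bits-bit key, $(openssl req -in "$csr" -noout -subject 2>/dev/null)"
    return 0
}

# Run directly: sh check.sh signing_cert_req.pem signing_key.pem [MIN_BITS]
if [ "$#" -ge 2 ]; then check_signing_request "$@"; fi
```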