You may use a signing certificate issued by an external CA instead of one generated by keystone-manage. However, a certificate issued by an external CA must satisfy the following conditions:
- all certificate and key files must be in Privacy Enhanced Mail (PEM) format
- private key files must not be protected by a password
When using a signing certificate issued by an external CA, you do not need to specify key_size, valid_days, and ca_password as they will be ignored.
The basic workflow for using a signing certificate issued by an external CA involves:
1. Request Signing Certificate from External CA
2. Convert certificate and private key to PEM if needed
3. Install External Signing Certificate
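A pre-flight check for the two conditions listed above (PEM format, no password on the private key), given as an added example that is not part of the Keystone documentation or code. It uses only the Python standard library; the function names and sample inputs are constructed for illustration, and it inspects the PEM envelope only, not certificate validity or whether the key matches the certificate.

```python
import base64
import re

# One PEM block: BEGIN line, optional headers, base64 body, matching END line.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def check_pem(data, kind):
    """Return a list of problems for a 'cert' or 'key' file given as bytes."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return ["not PEM: binary data (DER or PKCS#12?), convert it first"]
    blocks = PEM_RE.findall(text)
    if not blocks:
        return ["not PEM: no BEGIN/END block found"]
    problems = []
    for label, body in blocks:
        if label == "ENCRYPTED PRIVATE KEY":
            problems.append("private key is password-protected (PKCS#8)")
        elif "Proc-Type: 4,ENCRYPTED" in body:
            # Legacy OpenSSL encryption is announced in headers before the body.
            problems.append("private key is password-protected (legacy PEM)")
        else:
            try:
                base64.b64decode("".join(body.split()), validate=True)
            except ValueError:
                problems.append(label + ": body is not valid base64")
    labels = {label for label, _ in blocks}
    if kind == "cert" and "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block in certificate file")
    if kind == "key" and not labels & (KEY_LABELS | {"ENCRYPTED PRIVATE KEY"}):
        problems.append("no private key block in key file")
    return problems


def sample_pem(label, headers=""):
    """Build a constructed PEM block (placeholder bytes, not real key material)."""
    body = base64.encodebytes(b"constructed placeholder, not a real key").decode()
    return ("-----BEGIN %s-----\n%s%s-----END %s-----\n"
            % (label, headers, body, label)).encode()


if __name__ == "__main__":
    legacy = "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n"
    print(check_pem(sample_pem("CERTIFICATE"), "cert"))
    print(check_pem(sample_pem("RSA PRIVATE KEY", legacy), "key"))
    print(check_pem(b"\x30\x82\x03\x00", "key"))
```

An empty list means the file passes both conditions; to check real files, pass the bytes read from the certificate and key paths you intend to install.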