Generating Self Signed Certificates

WARNING: Do not try to generate these certs on foreman node. We faced the issue where the certificates generated using the same command on foreman node were not working fine on the controller/compute nodes even after adding them to the root certificate authority We generated the certificates on one of the host having RHEL 7.1 installed.

Create a certauth.cfg file containing default values for generating rootCA certificate

    distinguished_name = req_distinguished_name
    prompt = no
    C = US
    ST = MA
    L = Boston
    O = Custom Cert Authority
    OU = Signing
    CN =


Create controller.cfg file with default values for host certificate. This file will also contain the alternate DNS names.

	distinguished_name = req_distinguished_name
	x509_extensions = v3_req
	prompt = no

	C = US
	ST = MA
	L = Boston
	O = Mass Open Cloud
	OU = Engineering
	CN =

	keyUsage = keyEncipherment, dataEncipherment
	extendedKeyUsage = serverAuth
	subjectAltName = @alt_names

	DNS.1 =
	DNS.2 =
	DNS.3 =
	DNS.4 =
	DNS.5 =
	DNS.6 =
	DNS.7 =
	DNS.8 =
	DNS.9 =
	DNS.10 =
	DNS.11 =
	DNS.12 =

Generating root CA key and Cert

    # openssl genrsa -out rootCA.key 2048
    # openssl req -x509 -new -nodes -sha256 -key rootCA.key -days 3650 \
    -out rootCA.crt -config certauth.cfg

Generating host key

    # openssl genrsa -out host.key 2048

Generating CSR request for host

    # openssl req -new -sha256 -key host.key -out host.csr \
    -config controller.cfg

Signing the CSR request using rootCA

    # openssl x509 -req -sha256 -in host.csr -CA rootCA.crt \
    -CAkey rootCA.key -CAcreateserial -out host.crt \
    -days 3650 -extensions v3_req -extfile controller.cfg

From where does python requests module pick up the trusted root certs?

This can be found using the command “python -mrequests.certs”. We need to add our rootCA.crt certificate at the end of this file so that requests module can trust the certificates signed using this rootCA cert.

Right now, we generate only one host.crt certificate. We make different copies of the same certificate with different names (glance.crt, nova.crt, horizon.crt …). If required, we can generate different certificates for each individual service.

How to install the root certs and add all the ssl certificates:-

The steps to do this have been puppetized. One can have a look at the puppet scripts

In general, the steps include

  • Adding rootCA.crt to file /etc/pki/tls/certs/ca-bundle.crt
  • Copying host.crt as horizon.crt, glance.crt, nova.crt … to location /etc/pki/tls/certs.
  • Copying host.key as horizon.key, glance.key, nova.key … to location /etc/pki/tls/private.

Next, specify the respective key and cert in the config files of different services.

Setting up local DNS

  • Modify the /etc/hosts file and add the host-ip with DNS names.

How to test if its working fine?

Perform these steps on bash shell.

    # python
    >>> import requests
    >>> requests.get("")
    <Response [300]>

If you get any SSL error related to verify failed, it means that rootCA is not added to trusted root authorities and you need to debug and fix it.

Steps needed to be done when creating a new environment under puppet

  • Generate the rootCA.crt, host.crt and host.key files.
  • Place them in /etc/puppet/environments/**env_name**/modules/moc_openstack/files/certs/ directory.