Allow a user to bring their own Certificate Authority to dev-install,
so when OpenStack will be deployed, the generated certificate will be
signed with this CA.
It's a famous customer use-case, and will also be used by our CI, so we
can rely on a stable CA and just generate ephemeral certificates when
deploying OpenStack.
Generate SSL files locally instead of remotely
Instead of generating all SSL files remotely, do it locally, it's more
secure.
The main reason of doing this is because we do not want the CA private
key to be on the remote host, this would be a security issue in case
someone has access to the host, they can compromise our CA
Bring your own CA
Allow a user to bring their own Certificate Authority to dev-install, so when OpenStack will be deployed, the generated certificate will be signed with this CA.
It's a famous customer use-case, and will also be used by our CI, so we can rely on a stable CA and just generate ephemeral certificates when deploying OpenStack.
Generate SSL files locally instead of remotely
Instead of generating all SSL files remotely, do it locally, it's more secure.
The main reason of doing this is because we do not want the CA private key to be on the remote host, this would be a security issue in case someone has access to the host, they can compromise our CA