There are two ways of configuring the CA trust for the OpenLDAP libraries that are used by Keystone:

Method 1:
---------

1 - Copy the file containing your CA certificate chain (in PEM format) to /etc/openldap/certs.

2 - Edit /etc/openldap/ldap.conf and add the following directive:

    TLS_CACERT /etc/openldap/certs/<ca file>

Be sure to replace <ca file> with the filename that was chosen for your CA certificate chain.

Method 2:
---------

1 - Use certutil to import and trust your CA certificate chain into the NSS certificate database that is used by the OpenLDAP client libraries:

    certutil -d /etc/openldap/certs -A -n "My CA" -t CT,, -a -i <ca file>

Be sure to replace <ca file> with the filename that was chosen for your CA certificate chain. You can use a more appropriate certificate nickname for the '-n' option. This nickname is used to identify the certificate in the NSS database.

2 - Confirm that the CA certificate was imported correctly:

    certutil -d /etc/openldap/certs -L

Your CA certificate should be listed, and the trust attributes should be set to "CT,,".
One more note to add to comment#2 is that the Keystone service needs to be restarted for the changes to take effect.
Moving to ssainkar, who is now the author assigned to the Keystone component, for further processing and publication.
Please also document how to create the cacert.pem file. It's got a header and a footer, and the contents of the ldap query that obtained the certificate:

    -----BEGIN CERTIFICATE-----
    MIIDbzCCAlegAwIBAgIQQD14hh1Yz7tPFLXCkKUOszANB....
    -----END CERTIFICATE-----

I'd also document the step that checks if ldaps is working, so that users can better troubleshoot their problem if something is not working and they're not sure if the cert file was created correctly or not. Run this query:

    LDAPTLS_CACERT=/path/to/cacert.pem ldapsearch -xLLL -ZZ -H $LDAPURL -D "$ADMIN_DN" -w "$ADMINPASSWORD" -s base -b "" "objectclass=*" currenttime

It should return something like:

    dn:
    currentTime: 20141022050611.0Z
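The following helper script is an added example written for this thread; it is not part of the bug report or of the Keystone/OpenLDAP documentation. It ties together Method 1 from the first comment and the two requests in the comment above: it checks that a cacert.pem file has properly paired BEGIN/END CERTIFICATE header and footer lines, sets the TLS_CACERT directive in an ldap.conf idempotently (so a second run does not leave duplicate or stale entries), and wraps the troubleshooting ldapsearch query. The function names, the argument layout, and the sample PEM/ldap.conf contents are assumptions made for the example; the ldapsearch step needs a reachable directory server, so it only runs when you call it with real connection details.

```shell
#!/bin/sh
# Added example (not from the bug report): validate a PEM CA chain file,
# install the Method 1 TLS_CACERT directive, and run the ldaps check.
# Assumes POSIX sh with grep and awk; every path is passed as an argument so
# the functions can be tried on copies before touching /etc/openldap.

# check_pem_chain FILE
# Succeeds when FILE contains at least one certificate block and each
# "-----BEGIN CERTIFICATE-----" line has a matching "-----END CERTIFICATE-----".
check_pem_chain() {
    pem="$1"
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
    # grep -c exits 1 when the count is 0; "|| true" keeps the count usable under set -e
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$pem" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$pem" || true)
    if [ "$begins" -lt 1 ] || [ "$begins" -ne "$ends" ]; then
        echo "$pem: expected paired BEGIN/END CERTIFICATE lines, got $begins/$ends" >&2
        return 1
    fi
    return 0
}

# set_tls_cacert CONF CAFILE
# Points the OpenLDAP client at CAFILE. An existing TLS_CACERT line is
# rewritten in place (extra copies are dropped); otherwise one is appended.
set_tls_cacert() {
    conf="$1"; ca="$2"
    check_pem_chain "$ca" || return 1
    [ -f "$conf" ] || : > "$conf"
    tmp="$conf.tmp.$$"
    awk -v ca="$ca" '
        /^[[:space:]]*TLS_CACERT[[:space:]]/ { if (!done) { print "TLS_CACERT " ca; done = 1 }; next }
        { print }
        END { if (!done) print "TLS_CACERT " ca }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# get_tls_cacert CONF
# Prints the CA file currently configured in CONF (empty if none).
get_tls_cacert() {
    awk '/^[[:space:]]*TLS_CACERT[[:space:]]/ { print $2; exit }' "$1"
}

# verify_ldaps CAFILE URL BIND_DN PASSWORD
# The troubleshooting query from the report: read the root DSE over TLS using
# CAFILE as the trust anchor. -ZZ requests StartTLS, so pass an ldap:// URL;
# for an ldaps:// URL drop -ZZ. Passing the password with -w exposes it in the
# process list; -W (prompt) or -y FILE is preferable outside of a quick test.
verify_ldaps() {
    command -v ldapsearch >/dev/null 2>&1 || { echo "ldapsearch not installed" >&2; return 2; }
    check_pem_chain "$1" || return 1
    LDAPTLS_CACERT="$1" ldapsearch -xLLL -ZZ -H "$2" -D "$3" -w "$4" \
        -s base -b "" "objectclass=*" currentTime
}

# Usage (uncomment to apply to the real files):
#   set_tls_cacert /etc/openldap/ldap.conf /etc/openldap/certs/cacert.pem
#   verify_ldaps /etc/openldap/certs/cacert.pem ldap://ldap.example.com "cn=admin,dc=example,dc=com" "$ADMINPASSWORD"
# Keystone must be restarted afterwards for the new trust setting to take effect.
```

A successful verify_ldaps call prints a bare "dn:" line followed by the currentTime attribute, as shown in the comment above; a missing or wrong CA shows up as a TLS handshake error from ldapsearch rather than as a Keystone authentication failure, which is what makes this check useful when narrowing down an ldaps problem.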