Move CA key from certs directory to private directory

Unlike certs which are public keys are private. The CA key file was
improperly located in the certs directory with the public certs. It's
vital to protect the CA key, it's one of the most security sensitive
files in the system. We already had a private directory for keys,
/etc/keystone/ssl/private where the signing key is located. This fix
moves the CA key into /etc/keystone/ssl/private from
/etc/keystone/ssl/certs.

We also update all relevant files to note the change. During so it was
observered etc/keystone.conf.sample used the wrong parent directory
/etc/keystone/pki, the directory /etc/keystone/ssl is the directory in
actual use.

Fixes: bug #1206254

Change-Id: I014e9f79093a6aa59cd5b3bb6cefa4c6dced67a6

doc/source/configuration.rst

@@ -219,7 +219,7 @@ The values that specify where to read the certificates are under the
 * ``certfile`` - Location of certificate used to verify tokens.  Default is ``/etc/keystone/ssl/certs/signing_cert.pem``
 * ``keyfile`` - Location of private key used to sign tokens.  Default is ``/etc/keystone/ssl/private/signing_key.pem``
 * ``ca_certs`` - Location of certificate for the authority that issued the above certificate. Default is ``/etc/keystone/ssl/certs/ca.pem``
-* ``ca_key`` - Default is ``/etc/keystone/ssl/certs/cakey.pem``
+* ``ca_key`` - Default is ``/etc/keystone/ssl/private/cakey.pem``
 * ``key_size`` - Default is ``2048``
 * ``valid_days`` - Default is ``3650``
 * ``ca_password``  - Password required to read the ca_file. Default is None

etc/keystone.conf.sample

@@ -175,10 +175,10 @@
 
 [ssl]
 #enable = True
-#certfile = /etc/keystone/pki/certs/ssl_cert.pem
-#keyfile = /etc/keystone/pki/private/ssl_key.pem
-#ca_certs = /etc/keystone/pki/certs/cacert.pem
-#ca_key = /etc/keystone/pki/private/cakey.pem
+#certfile = /etc/keystone/ssl/certs/keystone.pem
+#keyfile = /etc/keystone/ssl/private/keystonekey.pem
+#ca_certs = /etc/keystone/ssl/certs/ca.pem
+#ca_key = /etc/keystone/ssl/private/cakey.pem
 #key_size = 1024
 #valid_days = 3650
 #ca_password = None
@@ -190,10 +190,10 @@
 # Allowed values are PKI or UUID
 #token_format =
 
-#certfile = /etc/keystone/pki/certs/signing_cert.pem
-#keyfile = /etc/keystone/pki/private/signing_key.pem
-#ca_certs = /etc/keystone/pki/certs/cacert.pem
-#ca_key = /etc/keystone/pki/private/cakey.pem
+#certfile = /etc/keystone/ssl/certs/signing_cert.pem
+#keyfile = /etc/keystone/ssl/private/signing_key.pem
+#ca_certs = /etc/keystone/ssl/certs/ca.pem
+#ca_key = /etc/keystone/ssl/private/cakey.pem
 #key_size = 2048
 #valid_days = 3650
 #ca_password = None

keystone/common/config.py

@@ -80,7 +80,7 @@
         cfg.StrOpt('ca_certs',
                    default="/etc/keystone/ssl/certs/ca.pem"),
         cfg.StrOpt('ca_key',
-                   default="/etc/keystone/ssl/certs/cakey.pem"),
+                   default="/etc/keystone/ssl/private/cakey.pem"),
         cfg.BoolOpt('cert_required', default=False),
         cfg.IntOpt('key_size', default=1024),
         cfg.IntOpt('valid_days', default=3650),
@@ -96,7 +96,7 @@
         cfg.StrOpt('ca_certs',
                    default="/etc/keystone/ssl/certs/ca.pem"),
         cfg.StrOpt('ca_key',
-                   default="/etc/keystone/ssl/certs/cakey.pem"),
+                   default="/etc/keystone/ssl/private/cakey.pem"),
         cfg.IntOpt('key_size', default=2048),
         cfg.IntOpt('valid_days', default=3650),
         cfg.StrOpt('ca_password', default=None),