nova-cert has been deprecated for some time and now can be removed
Because of the legacy requirements of building euca bundles which require certificates, Nova has a very old and unmaintained “certificates” API. This allows a user to use openssl on their Nova cluster to generate certificates randomly instead of doing so locally. Private keys are returned during the POST call, and the root certificate can be fetched later.
Behind the scenes this work is done by having a nova-cert worker. While it is intended to be used as a fleet for entropy reasons, in looking through the code, use as a fleet probably causes corrupt data because every worker would generated it’s own local root CA (making the API not work as intended).
This API is not used for anything in current Nova code. It makes Nova a certificate authority for random 3rd party use (which it really should not be). There is no managing of entropy, so aggressive use of this API can have negative impacts on the entropy of your cloud depending on where your workers are.
Nova-cert is an instance of Nova doing a non essential thing badly. Doing security related operations badly is worse than not doing them at all.
nova-cert has been deprecated since July 2016 with the commit  that
added release note and logged a warning stating
nova-cert is deprecated.
If the deprecation cycle allows, dropping
nova-cert should be
Alternative approach is to not change anything, letting
Data model impact¶
REST API impact¶
Return 410 Gone upon calling:
for all versions of
os-cloudpipe. There won’t be
a new microversion to signal this.
Additionally, exception stating that feature is not available anymore should be raised and logged.
This change will affect the possibility to generate certificates in a safe manner. Virtual machines tend to not have a lot of entropy thus limiting the level of random numbers available from pseudorandom number generator to the Linux kernel. There are additional packages that users would have to install inside virtual machines to increase entropy when generating certificates inside them.
Other end user impact¶
Other deployer impact¶
We remove the need to run and manage
nova-cert process, which gives us
one less service that need to be monitored and have HA explored.
ec2-apiwill become broken  after we remove
os-cloudpipeis already deprecated in the doc. We should delete it in the code as well, as there is no point in having it around with both
nova-networkdeprecated and marked for removal.
- Primary assignee:
Maciej Szankin (macsz)
- Other contributors:
change API return codes
Tempest  will require updating to adjust to this change.
Update admin guide to reflect these changes.
 https://github.com/openstack/nova/commit/789edad0e811d866551bec18dc7729541105f59d  https://github.com/openstack/ec2-api/blob/480dc02de0d8413aa518a23b22a0140013df1350/ec2api/clients.py#L140  https://github.com/openstack/tempest/blob/8c8943aa45d0a6428fdd4e32aa4e3bd71f39d050/tempest/api/compute/certificates/test_certificates.py