Remove nova-cert

nova-cert has been deprecated for some time and now can be removed completely.

Problem description

Because of the legacy requirements of building euca bundles which require certificates, Nova has a very old and unmaintained “certificates” API. This allows a user to use openssl on their Nova cluster to generate certificates randomly instead of doing so locally. Private keys are returned during the POST call, and the root certificate can be fetched later.

Behind the scenes this work is done by having a nova-cert worker. While it is intended to be used as a fleet for entropy reasons, in looking through the code, use as a fleet probably causes corrupt data because every worker would generated it’s own local root CA (making the API not work as intended).

This API is not used for anything in current Nova code. It makes Nova a certificate authority for random 3rd party use (which it really should not be). There is no managing of entropy, so aggressive use of this API can have negative impacts on the entropy of your cloud depending on where your workers are.

Nova-cert is an instance of Nova doing a non essential thing badly. Doing security related operations badly is worse than not doing them at all.

Use Cases


Proposed change

nova-cert has been deprecated since July 2016 with the commit [1] that added release note and logged a warning stating nova-cert is deprecated. If the deprecation cycle allows, dropping nova-cert should be straightforward.


Alternative approach is to not change anything, letting nova-cert be.

Data model impact


REST API impact

Return 410 Gone upon calling:

  • POST /os-certificates

  • GET /os-certificates/root

  • POST /os-cloudpipe

  • GET /os-cloudpipe

  • PUT /os-cloudpipe/configure-project

for all versions of os-certificates and os-cloudpipe. There won’t be a new microversion to signal this.

Additionally, exception stating that feature is not available anymore should be raised and logged.

Security impact

This change will affect the possibility to generate certificates in a safe manner. Virtual machines tend to not have a lot of entropy thus limiting the level of random numbers available from pseudorandom number generator to the Linux kernel. There are additional packages that users would have to install inside virtual machines to increase entropy when generating certificates inside them.

Notifications impact


Other end user impact


Performance Impact


Other deployer impact

We remove the need to run and manage nova-cert process, which gives us one less service that need to be monitored and have HA explored.

Developer impact

  • ec2-api will become broken [2] after we remove nova-cert service.

  • os-cloudpipe is already deprecated in the doc. We should delete it in the code as well, as there is no point in having it around with both nova-cert and nova-network deprecated and marked for removal.



Primary assignee:

Maciej Szankin (macsz)

Other contributors:


Work Items

  • change API return codes

  • remove nova-cert starter script

  • remove tests

  • delete nova-cert service




Tempest [3] will require updating to adjust to this change.

Documentation Impact

Update admin guide to reflect these changes.


[1] [2] [3]



Release Name