asked 2017-06-14 15:38:15 +0200

I am trying to follow the instructions in "Windows authentication without passwords in OpenStack", but they seem to be missing the instructions for Import Key Pair via OpenStack Horizon.

After I ran the script I got 2 files


I need to export the public key from winrm_client_cert.pem with this OpenSSL command

openssl x509 -pubkey -noout -in winrm_client_cert.pem -out pubkey.pem

Then I tried to import this public key into my project:

-----END PUBLIC KEY-----

but I encountered “Unable to import key pair” when trying to import the key pair via OpenStack Horizon, same as this link

Can you please let me know what I am missing?

answered 2017-06-14 17:20:20 +0200

Claudiu Belu


The article you mentioned is passing the x509 certificate to the instance through instance user_data, not as a keypair:

nova boot --flavor 2 --image your_windows_image --key-name key1 vm1 --user_data=your_cert.pem

That being said, since then, support for x509 has been added to nova-api (but not horizon). See the help for the nova keypair-add command:

usage: nova keypair-add [--pub-key <pub-key>] [--key-type <key-type>]
                        [--user <user-id>]

Create a new key pair for use with servers.

Positional arguments:
  <name>                 Name of key.

Optional arguments:
  --pub-key <pub-key>    Path to a public ssh key.
  --key-type <key-type>  Keypair type. Can be ssh or x509. (Supported by API
                         versions '2.2' - '2.latest')
  --user <user-id>       ID of user to whom to add key-pair (Admin only).
                         (Supported by API versions '2.10' - '2.latest')

This has been introduced in nova-api v2.1 (microversion 2.2), so make sure you have that registered as an endpoint:

openstack endpoint list
# you should see something like this:
# | 34291deac24a4a9195c340b70f03830f | RegionOne | nova         | compute        | True    | admin     |              |

If not, you'll have to register a new endpoint for the /v2.1 URL, and then run a command like this:

nova --service-type endpoint_name keypair-add ...

By default, the microversion 2.latest is used, but if not, you will probably want to be explicit:

nova --service-type endpoint_name --os-compute-api-version 2.2 keypair-add ...

Best regards,

Claudiu Belu
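
A pre-flight check for the keypair import discussed in this answer, as an added example that is not part of the thread or of Nova. It assumes (not confirmed on this page) that the ssh key type takes an OpenSSH one-line public key and the x509 key type takes the PEM certificate itself; the function names and the key name key1 passed to them are chosen here for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: Nova's "ssh" key type takes an
# OpenSSH one-line public key and its "x509" key type takes the PEM certificate.

# classify_key_material FILE -> ssh | x509 | pem-pubkey | private | unknown
classify_key_material() {
    # The first non-empty line identifies the encoding.
    first=$(awk 'NF { print; exit }' "$1" 2>/dev/null) || first=
    case "$first" in
        "-----BEGIN CERTIFICATE-----"*)     echo x509 ;;
        "-----BEGIN PUBLIC KEY-----"*)      echo pem-pubkey ;;
        "-----BEGIN "*"PRIVATE KEY-----"*)  echo private ;;
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) echo ssh ;;
        *)                                  echo unknown ;;
    esac
}

# keypair_import_cmd NAME FILE
# Prints the nova command for FILE, or a reason on stderr and returns 1.
keypair_import_cmd() {
    case "$(classify_key_material "$2")" in
        ssh)
            echo "nova keypair-add --pub-key $2 $1" ;;
        x509)
            # x509 keypairs need compute API microversion 2.2 or later.
            echo "nova --os-compute-api-version 2.2 keypair-add --key-type x509 --pub-key $2 $1" ;;
        pem-pubkey)
            echo "$2: bare PEM public key; import the certificate instead" >&2
            return 1 ;;
        private)
            echo "$2: private key material, do not upload" >&2
            return 1 ;;
        *)
            echo "$2: unrecognised key format" >&2
            return 1 ;;
    esac
}

# Constructed sample: a file shaped like the output of `openssl x509 -pubkey`.
sample=$(mktemp)
printf '%s\n' '-----BEGIN PUBLIC KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END PUBLIC KEY-----' > "$sample"
keypair_import_cmd key1 "$sample" || echo "not importable as a Nova keypair"
rm -f "$sample"
```

The check looks only at the PEM or OpenSSH header line; it does not parse or validate the key or certificate body.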

answered 2017-06-14 20:39:43 +0200

What about the existing keypair I created via OpenStack Horizon, for which I downloaded the .pem with the private key? Is there any solution to export the private key from the .pem and import it into my local Windows computer certificates?

Hello, as far as I know, there is no such transformation possible between the keys, and if it exists, it is not implemented in OpenStack or cloudbase-init. I suggest using either userdata scripts or the x509 key type feature in Nova. Thank you, Adrian Vladu.

avladu

answered 2017-06-14 23:24:55 +0200

avladu


You can install OpenSSH server on the Windows image from or from Then, you can use any ssh client to connect with your private key associated with the ssh public key from Nova to your Windows machine and issue batch/PowerShell commands.

Thank you,
Adrian Vladu

