....

This is just a WIP command-by-command play-by-play for now; I will add context and info later(TM).

random comments:

  • root$ denotes stuff done as root
  • $ denotes stuff done as normal user
  • you can use a different easy-rsa instance to generate your sub-CA; it does not need to be done in the root CA's "pki". I will try to mark the points where you need to diverge at a later time. Essentially you need two easy-rsa instances (one with a CA built and one without) and then move the CSR and the finished cert between them.

root$ apt install easy-rsa

$ make-cadir talos1-step-ca-autocert
$ cd talos1-step-ca-autocert 
$ find
.
./vars
./x509-types
./easyrsa
./openssl-easyrsa.cnf
$ ./easyrsa init-pki
* Notice:

  init-pki complete; you may now create a CA or requests.

  Your newly created PKI dir is:
  * /home/kind01/talos1-step-ca-autocert/pki

* Notice:
  IMPORTANT: Easy-RSA 'vars' file has now been moved to your PKI above.

$ vim pki/vars
set_var EASYRSA_DN      "org"
set_var EASYRSA_REQ_COUNTRY     "DE"
set_var EASYRSA_REQ_PROVINCE    "Internet"
set_var EASYRSA_REQ_CITY        "Internet"
set_var EASYRSA_REQ_ORG "XX"
set_var EASYRSA_REQ_EMAIL       "XX"
set_var EASYRSA_REQ_OU          "K8s OU"
set_var EASYRSA_ALGO            ed
set_var EASYRSA_CURVE           ed25519

$ mkdir pki/x509-types
$ find x509-types

$ ./easyrsa build-ca
* Notice:
Using Easy-RSA configuration from: /home/kind01/talos1-step-ca-autocert/pki/vars

* Notice:
Using SSL: openssl OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)


Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Using configuration from /home/kind01/talos1-step-ca-autocert/pki/ef8549d7/temp.229d8fce
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Internet]:
Locality Name (eg, city) [Internet]:
Organization Name (eg, company) [Internet]: XX
Organizational Unit Name (eg, section) [K8s OU]:
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:root-ca.example.org
Email Address [XX]:

# easy-rsa looks for the x509 types inside the pki dir, so we link the shipped types in there
$ for i in x509-types/*; do ln -sr "$i" pki/x509-types/; done

$ vim pki/x509-types/k8s_ca
# X509 extensions for a ca

# Note that basicConstraints will be overridden by Easy-RSA when defining a
# CA_PATH_LEN for CA path length limits. You could also do this here
# manually as in the following example in place of the existing line:
#
# basicConstraints = CA:TRUE, pathlen:0

# pathlen:0 is the important bit: this sub-CA may issue end-entity certs only,
# it is not allowed to sign further CAs - nice fun :)
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
nameConstraints = critical,@nameconsts
subjectAltName = critical,@sans

[sans]
# configure all the namespaces & aliases here - at least the common name of the sub-CA (to be created) and the CA alias used in the cluster
DNS.0=cluster-ca.example.org
# helm-release-name.namespace.svc.cluster.local
DNS.1=step-certificates-autocert.step-ca-autocert.svc.cluster.local

[nameconsts]
# apparently the numbers do not need to be consecutive :P
permitted;DNS.0=.kubecluster.example.org
permitted;DNS.2=kubecluster.example.org
# repeat the DNS.1 SAN here in the name constraints
permitted;DNS.3=step-certificates-autocert.step-ca-autocert.svc.cluster.local
# allow it to issue certs for all node names in the cluster
permitted;DNS.4=kubemaster.example.org
permitted;DNS.5=kubenode01.example.org
permitted;DNS.6=kubenode02.example.org
:wq

# the name constraints restrict what this sub-CA may issue, not the sub-CA cert itself: every DNS name you
# expect in certs signed by it needs a matching permitted entry (that includes the in-cluster service name
# from the SAN list if that service is to get a cert from this CA), otherwise verifiers reject those leaf certs
# as this is a specialised use case we will use the following instead:
# this CA is just a test case for providing local certs which we will then turn into SSH host certs along the way.
# my normal CA is too restricted and not really the perfect fit for this, so we will use a specialised setup
# like here (I promise I will write a blog post about the big picture soon(TM)):

$ vim pki/x509-types/k8s_ca
# X509 extensions for a ca

# Note that basicConstraints will be overridden by Easy-RSA when defining a
# CA_PATH_LEN for CA path length limits. You could also do this here
# manually as in the following example in place of the existing line:
#
# basicConstraints = CA:TRUE, pathlen:1

# the template's non-critical basicConstraints/keyUsage/subjectKeyIdentifier lines are
# dropped here instead of being shadowed by a second definition; the issued cert
# further down carries only the critical versions, which is what we want
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
nameConstraints = critical,@nameconsts
subjectAltName = critical,@sans

[sans]
DNS.0=autocert-ca.kubecluster.example.org
DNS.1=step-certificates-autocert.step-ca-autocert.svc.cluster.local

[nameconsts]
# OpenSSL and Go's crypto/x509 both read "svc.cluster.local" as "this name and everything
# below it" and ".svc.cluster.local" as "subdomains only", so listing both forms is belt and braces.
# these entries only constrain DNS names: IP, email and URI SANs stay unconstrained
# unless you add excluded; entries for those name types
permitted;DNS.0=.svc.cluster.local
permitted;DNS.1=svc.cluster.local
permitted;DNS.2=svc
permitted;DNS.3=.svc
permitted;DNS.4=step-certificates-autocert.step-ca-autocert.svc.cluster.local
:wq

$ ./easyrsa gen-req autocert-ca.kubecluster.example.org
* Notice:
Using Easy-RSA configuration from: /home/kind01/talos1-step-ca-autocert/pki/vars

* Notice:
Using SSL: openssl OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)

Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Internet]:Internet
Locality Name (eg, city) [Internet]:NA
Organization Name (eg, company) [Internet]: Internet
Organizational Unit Name (eg, section) [K8s OU]:autocert-ca.kubecluster.example.org
Common Name (eg: your user, host, or server name) [autocert-ca.kubecluster.example.org]:autocert-ca.kubecluster.example.org
Email Address [email@mail.de]:
* Notice:

Keypair and certificate request completed. Your files are:
req: /home/kind01/talos1-step-ca-autocert/pki/reqs/autocert-ca.kubecluster.example.org.req
key: /home/kind01/talos1-step-ca-autocert/pki/private/autocert-ca.kubecluster.example.org.key

$ ./easyrsa sign-req k8s_ca autocert-ca.kubecluster.example.org
* Notice:
Using Easy-RSA configuration from: /home/kind01/talos1-step-ca-autocert/pki/vars

* Notice:
Using SSL: openssl OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a k8s_ca certificate for 825 days:

subject=
    countryName               = DE
    stateOrProvinceName       = Internet
    localityName              = NA
    organizationName          = Internet
    organizationalUnitName    = autocert-ca.kubecluster.example.org
    commonName                = autocert-ca.kubecluster.example.org
    emailAddress              = email@mail.de


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes

Using configuration from /home/kind01/talos1-step-ca-autocert/pki/f9c9b30f/temp.d2f985fe
Enter pass phrase for /home/kind01/talos1-step-ca-autocert/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :ASN.1 12:'Internet'
localityName          :ASN.1 12:'NA'
organizationName      :ASN.1 12:'Internet'
organizationalUnitName:ASN.1 12:'autocert-ca.kubecluster.example.org'
commonName            :ASN.1 12:'autocert-ca.kubecluster.example.org'
emailAddress          :IA5STRING:'email@mail.de'
Certificate is to be certified until Jul  3 20:35:45 2025 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

* Notice:
Certificate created at: /home/kind01/talos1-step-ca-autocert/pki/issued/autocert-ca.kubecluster.example.org

$ openssl x509 -in /home/kind01/talos1-step-ca-autocert/pki/issued/autocert-ca.kubecluster.example.org.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e4:d8:77:27:38:04:01:b4:38:92:7d:ea:1d:5a:fd:fb
        Signature Algorithm: ED25519
        Issuer: C = DE, ST = Internet, L = Internet, O = Internet, OU = K8s OU, CN = ca.talos1-autocert-root.internal.kubecluster.example.org, emailAddress = "email@mail.de"
        Validity
            Not Before: Mar 31 20:35:45 2023 GMT
            Not After : Jul  3 20:35:45 2025 GMT
        Subject: C = DE, ST = Internet, L = NA, O = Internet, OU = autocert-ca.kubecluster.example.org, CN = autocert-ca.kubecluster.example.org, emailAddress = "email@mail.de"
        Subject Public Key Info:
            Public Key Algorithm: ED25519
                ED25519 Public-Key:
                pub:
                    b9:27:d2:8f:3e:77:97:d0:2e:fa:d3:88:59:41:a9:
                    2a:90:1d:eb:f6:e5:77:e1:72:9a:ac:f8:c3:37:65:
                    2f:27
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:F9:ED:D1:0C:5C:18:A8:AD:C7:79:05:00:B0:CA:CF:48:6B:96:56:B8
                DirName:/C=DE/ST=Internet/L=Internet/O=Internet/OU=K8s OU/CN=ca.talos1-autocert-root.internal.kubecluster.example.org/emailAddress=email@mail.de
                serial:27:6D:88:DB:92:45:CF:B0:05:93:20:C2:22:6C:86:2A:2B:1E:39:73
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                72:38:52:95:8C:5A:2E:F9:71:BE:3F:EB:F5:D5:AF:98:28:1B:C0:97
            X509v3 Name Constraints: critical
                Permitted:
                  DNS:.svc.cluster.local
                  DNS:svc.cluster.local
                  DNS:svc
                  DNS:.svc
                  DNS:step-certificates-autocert.step-ca-autocert.svc.cluster.local
            X509v3 Subject Alternative Name: critical
                DNS:autocert-ca.kubecluster.example.org, DNS:step-certificates-autocert.step-ca-autocert.svc.cluster.local
    Signature Algorithm: ED25519
    Signature Value:
        a4:2f:d9:5f:ea:99:1d:3a:6c:e2:39:e1:79:7e:9c:02:2a:e5:
        7b:78:a3:52:3b:89:b4:a7:44:c0:29:f4:e3:7e:d0:b7:a5:91:
        5b:f5:4f:43:f9:c8:8e:db:c4:58:a3:b6:61:42:44:47:58:d0:
        02:5f:44:2f:9a:00:c7:38:57:05

It's not the end yet :)