Country Name (2 letter code) [DE]:
State or Province Name (full name) [Internet]:
Locality Name (eg, city) [Internet]:
-Organization Name (eg, company) [SteJau]: XX
+Organization Name (eg, company) [Internet]: XX
Organizational Unit Name (eg, section) [K8s OU]:
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:root-ca.example.org
Email Address [XX]:
+# it wants to have all relevant types in the pki x509-types dir, so we oblige
+$ for i in x509-types/*; do ln -sr $i pki/x509-types/; done
+
$ vim pki/x509-types/k8s_ca
# CA_PATH_LEN for CA path length limits. You could also do this here
# manually as in the following example in place of the existing line:
# configure all the namespaces & aliases here - atleast what you used for the commonname of the subca(to be created) and the CA alias in the cluster
DNS.0=cluster-ca.example.org
# helm-release-name.namespace.svc.cluster-local
-DNS.1=step-certificates-autocert.step-autocert.svc.cluster.local
+DNS.1=step-certificates-autocert.step-ca-autocert.svc.cluster.local
[nameconsts]
# apparently ordered numbers are not needed :P
permitted;DNS.0=.kubecluster.example.org
permitted;DNS.2=kubecluster.example.org
# repeat the DNS.1 SAN here in the nameconstraint
-permitted;DNS.3=step-certificates-autocert.step-autocert.svc.cluster.local
+permitted;DNS.3=step-certificates-autocert.step-ca-autocert.svc.cluster.local
# allow it to build certs for all nodenames in the cluster
permitted;DNS.4=kubemaster.example.org
permitted;DNS.5=kubenode01.example.org
permitted;DNS.2=svc
permitted;DNS.3=.svc
permitted;DNS.4=step-certificates-autocert.step-ca-autocert.svc.cluster.local
+:wq
+
+$ ./easyrsa gen-req autocert-ca.kubecluster.example.org
+* Notice:
+Using Easy-RSA configuration from: /home/kind01/talos1-step-ca-autocert/pki/vars
+
+* Notice:
+Using SSL: openssl OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)
+
+Enter PEM pass phrase:
+Verifying - Enter PEM pass phrase:
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [DE]:
+State or Province Name (full name) [Internet]:Internet
+Locality Name (eg, city) [Internet]:NA
+Organization Name (eg, company) [Internet]: Internet
+Organizational Unit Name (eg, section) [K8s OU]:autocert-ca.kubecluster.example.org
+Common Name (eg: your user, host, or server name) [autocert-ca.kubecluster.example.org]:autocert-ca.kubecluster.example.org
+Email Address [email@mail.de]:
+* Notice:
+
+Keypair and certificate request completed. Your files are:
+req: /home/kind01/talos1-step-ca-autocert/pki/reqs/autocert-ca.kubecluster.example.org.req
+key: /home/kind01/talos1-step-ca-autocert/pki/private/autocert-ca.kubecluster.example.org.key
+
+$ ./easyrsa sign-req k8s_ca autocert-ca.kubecluster.example.org
+* Notice:
+Using Easy-RSA configuration from: /home/kind01/talos1-step-ca-autocert/pki/vars
+
+* Notice:
+Using SSL: openssl OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)
+
+
+You are about to sign the following certificate.
+Please check over the details shown below for accuracy. Note that this request
+has not been cryptographically verified. Please be sure it came from a trusted
+source or that you have verified the request checksum with the sender.
+
+Request subject, to be signed as a k8s_ca certificate for 825 days:
+
+subject=
+ countryName = DE
+ stateOrProvinceName = Internet
+ localityName = NA
+ organizationName = Internet
+ organizationalUnitName = autocert-ca.kubecluster.example.org
+ commonName = autocert-ca.kubecluster.example.org
+ emailAddress = email@mail.de
+
+
+Type the word 'yes' to continue, or any other input to abort.
+ Confirm request details: yes
+
+Using configuration from /home/kind01/talos1-step-ca-autocert/pki/f9c9b30f/temp.d2f985fe
+Enter pass phrase for /home/kind01/talos1-step-ca-autocert/pki/private/ca.key:
+Check that the request matches the signature
+Signature ok
+The Subject's Distinguished Name is as follows
+countryName :PRINTABLE:'DE'
+stateOrProvinceName :ASN.1 12:'Internet'
+localityName :ASN.1 12:'NA'
+organizationName :ASN.1 12:'Internet'
+organizationalUnitName:ASN.1 12:'autocert-ca.kubecluster.example.org'
+commonName :ASN.1 12:'autocert-ca.kubecluster.example.org'
+emailAddress :IA5STRING:'email@mail.de'
+Certificate is to be certified until Jul 3 20:35:45 2025 GMT (825 days)
+
+Write out database with 1 new entries
+Data Base Updated
+
+* Notice:
+Certificate created at: /home/kind01/talos1-step-ca-autocert/pki/issued/autocert-ca.kubecluster.example.org
+
+$ openssl x509 -in /home/kind01/talos1-step-ca-autocert/pki/issued/autocert-ca.kubecluster.example.org.crt -noout -text
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ e4:d8:77:27:38:04:01:b4:38:92:7d:ea:1d:5a:fd:fb
+ Signature Algorithm: ED25519
+ Issuer: C = DE, ST = Internet, L = Internet, O = Internet, OU = K8s OU, CN = ca.talos1-autocert-root.internal.kubecluster.example.org, emailAddress = "email@mail.de"
+ Validity
+ Not Before: Mar 31 20:35:45 2023 GMT
+ Not After : Jul 3 20:35:45 2025 GMT
+ Subject: C = DE, ST = Internet, L = NA, O = Internet, OU = autocert-ca.kubecluster.example.org, CN = autocert-ca.kubecluster.example.org, emailAddress = "email@mail.de"
+ Subject Public Key Info:
+ Public Key Algorithm: ED25519
+ ED25519 Public-Key:
+ pub:
+ b9:27:d2:8f:3e:77:97:d0:2e:fa:d3:88:59:41:a9:
+ 2a:90:1d:eb:f6:e5:77:e1:72:9a:ac:f8:c3:37:65:
+ 2f:27
+ X509v3 extensions:
+ X509v3 Authority Key Identifier:
+ keyid:F9:ED:D1:0C:5C:18:A8:AD:C7:79:05:00:B0:CA:CF:48:6B:96:56:B8
+ DirName:/C=DE/ST=Internet/L=Internet/O=Internet/OU=K8s OU/CN=ca.talos1-autocert-root.internal.kubecluster.example.org/emailAddress=email@mail.de
+ serial:27:6D:88:DB:92:45:CF:B0:05:93:20:C2:22:6C:86:2A:2B:1E:39:73
+ X509v3 Basic Constraints: critical
+ CA:TRUE, pathlen:0
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ X509v3 Subject Key Identifier:
+ 72:38:52:95:8C:5A:2E:F9:71:BE:3F:EB:F5:D5:AF:98:28:1B:C0:97
+ X509v3 Name Constraints: critical
+ Permitted:
+ DNS:.svc.cluster.local
+ DNS:svc.cluster.local
+ DNS:svc
+ DNS:.svc
+ DNS:step-certificates-autocert.step-ca-autocert.svc.cluster.local
+ X509v3 Subject Alternative Name: critical
+ DNS:autocert-ca.kubecluster.example.org, DNS:step-certificates-autocert.step-ca-autocert.svc.cluster.local
+ Signature Algorithm: ED25519
+ Signature Value:
+ a4:2f:d9:5f:ea:99:1d:3a:6c:e2:39:e1:79:7e:9c:02:2a:e5:
+ 7b:78:a3:52:3b:89:b4:a7:44:c0:29:f4:e3:7e:d0:b7:a5:91:
+ 5b:f5:4f:43:f9:c8:8e:db:c4:58:a3:b6:61:42:44:47:58:d0:
+ 02:5f:44:2f:9a:00:c7:38:57:05
+
+
```
its not the end yet :)
projects / stejau-blog.git / commitdiff