--- /dev/null
+....
+
+This is just a wip command by command play by play for now, i will add context and infos later(TM).
+
+random comments:
+
+- root$ denotes stuff done as root
+- $ denotes stuff done as normal user
+- you totally can use a different easy-rsa instance to generate your sub-ca, it does not need to be done in the root-ca "pki" - i will try to mark the points where you need to divert at a later time, essentially you need two easy-rsa instances(go figure, one with a ca build and one without - and then move the CSR/Finished cert between them)
+
+Relevant Domains:
+
+- kubecluster.example.org - subdomain your cluster should have
+- step-certificates.step-ca.svc.cluster.local - service and namespace under which your intermediate is reachable in the cluster
+- kubemaster.example.org - node fqdn
+- kubenode01.example.org - node fqdn
+- kubenode02.example.org - node fqdn
+- (add/remove more node fqdns)
+
+Derived domains:
+- ca.kubecluster.example.org - fqdn for your ca
+- .kubecluster.example.org - subdomain for your cluster including "children"
+
+
+You need a root ca managed by easy-rsa.
+Our first step is to create a template for our intermediate.
+
+
+
+```
+$ cd $CA_PATH
+$ cat > x509-types/ca.kubecluster.example.org <<EOF
+
+
+# CA_PATH_LEN for CA path length limits. You could also do this here
+# manually as in the following example in place of the existing line:
+#
+# basicConstraints = CA:TRUE, pathlen:0
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+keyUsage = cRLSign, keyCertSign
+
+# this magic bit creates a subca which is not allowed to sign other CAs - nice fun :)
+basicConstraints = critical, CA:TRUE, pathlen:0
+keyUsage = critical, keyCertSign, cRLSign
+subjectKeyIdentifier = hash
+nameConstraints = critical,@nameconsts
+subjectAltName = critical,@sans
+
+[sans]
+# configure all the namespaces & aliases here - atleast what you used for the commonname of the subca(to be created) and the CA alias in the cluster
+DNS.0=ca.kubecluster.example.org
+# helm-release-name.namespace.svc.cluster-local
+DNS.1=step-certificates.step-ca.svc.cluster.local
+
+[nameconsts]
+# apparently ordered numbers are not needed :P
+permitted;DNS.0=.kubecluster.example.org
+permitted;DNS.2=kubecluster.example.org
+# repeat the DNS.1 SAN here in the nameconstraint
+permitted;DNS.3=step-certificates.step-ca.svc.cluster.local
+# allow it to build certs for all nodenames in the cluster
+permitted;DNS.4=kubemaster.example.org
+permitted;DNS.5=kubenode01.example.org
+permitted;DNS.6=kubenode02.example.org
+EOF
+```
+
+
+
+$ ./easyrsa gen-req ca.kubecluster.example.org
+* Notice:
+Using Easy-RSA configuration from: /home/kind01/talos1-step-ca-autocert/pki/vars
+
+* Notice:
+Using SSL: openssl OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)
+
+Enter PEM pass phrase:
+Verifying - Enter PEM pass phrase:
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [DE]:
+State or Province Name (full name) [Internet]:Internet
+Locality Name (eg, city) [Internet]:NA
+Organization Name (eg, company) [Internet]: Internet
+Organizational Unit Name (eg, section) [K8s OU]:autocert-ca.kubecluster.example.org
+Common Name (eg: your user, host, or server name) [autocert-ca.kubecluster.example.org]:autocert-ca.kubecluster.example.org
+Email Address [email@mail.de]:
+* Notice:
+
+Keypair and certificate request completed. Your files are:
+req: /home/kind01/talos1-step-ca-autocert/pki/reqs/autocert-ca.kubecluster.example.org.req
+key: /home/kind01/talos1-step-ca-autocert/pki/private/autocert-ca.kubecluster.example.org.key
+
+$ ./easyrsa sign-req k8s_ca autocert-ca.kubecluster.example.org
+* Notice:
+Using Easy-RSA configuration from: /home/kind01/talos1-step-ca-autocert/pki/vars
+
+* Notice:
+Using SSL: openssl OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)
+
+
+You are about to sign the following certificate.
+Please check over the details shown below for accuracy. Note that this request
+has not been cryptographically verified. Please be sure it came from a trusted
+source or that you have verified the request checksum with the sender.
+
+Request subject, to be signed as a k8s_ca certificate for 825 days:
+
+subject=
+ countryName = DE
+ stateOrProvinceName = Internet
+ localityName = NA
+ organizationName = Internet
+ organizationalUnitName = autocert-ca.kubecluster.example.org
+ commonName = autocert-ca.kubecluster.example.org
+ emailAddress = email@mail.de
+
+
+Type the word 'yes' to continue, or any other input to abort.
+ Confirm request details: yes
+
+Using configuration from /home/kind01/talos1-step-ca-autocert/pki/f9c9b30f/temp.d2f985fe
+Enter pass phrase for /home/kind01/talos1-step-ca-autocert/pki/private/ca.key:
+Check that the request matches the signature
+Signature ok
+The Subject's Distinguished Name is as follows
+countryName :PRINTABLE:'DE'
+stateOrProvinceName :ASN.1 12:'Internet'
+localityName :ASN.1 12:'NA'
+organizationName :ASN.1 12:'Internet'
+organizationalUnitName:ASN.1 12:'autocert-ca.kubecluster.example.org'
+commonName :ASN.1 12:'autocert-ca.kubecluster.example.org'
+emailAddress :IA5STRING:'email@mail.de'
+Certificate is to be certified until Jul 3 20:35:45 2025 GMT (825 days)
+
+Write out database with 1 new entries
+Data Base Updated
+
+* Notice:
+Certificate created at: /home/kind01/talos1-step-ca-autocert/pki/issued/autocert-ca.kubecluster.example.org
+
+$ openssl x509 -in /home/kind01/talos1-step-ca-autocert/pki/issued/autocert-ca.kubecluster.example.org.crt -noout -text
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ e4:d8:77:27:38:04:01:b4:38:92:7d:ea:1d:5a:fd:fb
+ Signature Algorithm: ED25519
+ Issuer: C = DE, ST = Internet, L = Internet, O = Internet, OU = K8s OU, CN = ca.talos1-autocert-root.internal.kubecluster.example.org, emailAddress = "email@mail.de"
+ Validity
+ Not Before: Mar 31 20:35:45 2023 GMT
+ Not After : Jul 3 20:35:45 2025 GMT
+ Subject: C = DE, ST = Internet, L = NA, O = Internet, OU = autocert-ca.kubecluster.example.org, CN = autocert-ca.kubecluster.example.org, emailAddress = "email@mail.de"
+ Subject Public Key Info:
+ Public Key Algorithm: ED25519
+ ED25519 Public-Key:
+ pub:
+ b9:27:d2:8f:3e:77:97:d0:2e:fa:d3:88:59:41:a9:
+ 2a:90:1d:eb:f6:e5:77:e1:72:9a:ac:f8:c3:37:65:
+ 2f:27
+ X509v3 extensions:
+ X509v3 Authority Key Identifier:
+ keyid:F9:ED:D1:0C:5C:18:A8:AD:C7:79:05:00:B0:CA:CF:48:6B:96:56:B8
+ DirName:/C=DE/ST=Internet/L=Internet/O=Internet/OU=K8s OU/CN=ca.talos1-autocert-root.internal.kubecluster.example.org/emailAddress=email@mail.de
+ serial:27:6D:88:DB:92:45:CF:B0:05:93:20:C2:22:6C:86:2A:2B:1E:39:73
+ X509v3 Basic Constraints: critical
+ CA:TRUE, pathlen:0
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ X509v3 Subject Key Identifier:
+ 72:38:52:95:8C:5A:2E:F9:71:BE:3F:EB:F5:D5:AF:98:28:1B:C0:97
+ X509v3 Name Constraints: critical
+ Permitted:
+ DNS:.svc.cluster.local
+ DNS:svc.cluster.local
+ DNS:svc
+ DNS:.svc
+ DNS:step-certificates-autocert.step-ca-autocert.svc.cluster.local
+ X509v3 Subject Alternative Name: critical
+ DNS:autocert-ca.kubecluster.example.org, DNS:step-certificates-autocert.step-ca-autocert.svc.cluster.local
+ Signature Algorithm: ED25519
+ Signature Value:
+ a4:2f:d9:5f:ea:99:1d:3a:6c:e2:39:e1:79:7e:9c:02:2a:e5:
+ 7b:78:a3:52:3b:89:b4:a7:44:c0:29:f4:e3:7e:d0:b7:a5:91:
+ 5b:f5:4f:43:f9:c8:8e:db:c4:58:a3:b6:61:42:44:47:58:d0:
+ 02:5f:44:2f:9a:00:c7:38:57:05
+
+
+
+
+```
+
+its not the end yet :)
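Review bot: The signing step never uses the template this file defines: the type file is written as `x509-types/ca.kubecluster.example.org`, but the request is signed with `./easyrsa sign-req k8s_ca autocert-ca.kubecluster.example.org`, and the resulting certificate shows name constraints (`DNS:.svc.cluster.local`, `DNS:svc`, `DNS:step-certificates-autocert.step-ca-autocert.svc.cluster.local`) and SANs that match neither the `[sans]` nor the `[nameconsts]` section above; the `gen-req ca.kubecluster.example.org` call likewise produces files named `autocert-ca.kubecluster.example.org`. Either sign with the type that was created (`./easyrsa sign-req ca.kubecluster.example.org autocert-ca.kubecluster.example.org`) or paste the `k8s_ca` type that was actually used, so a reader who follows the play-by-play gets the constrained intermediate the `openssl x509 -text` output shows. Two smaller points in the type file: `subjectKeyIdentifier`, `authorityKeyIdentifier` and `keyUsage` each appear twice (once non-critical, once `critical`), so the effective extension set depends on how OpenSSL resolves duplicate keys in the section; drop the first block and keep the `critical` one. The `[nameconsts]` section also lists only `permitted;DNS` entries: RFC 5280 name constraints apply per name form, so an intermediate constrained this way can still issue certificates carrying IP address SANs; if that is not intended, add `excluded;IP.0=0.0.0.0/0.0.0.0` and `excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0`. Formatting: the transcript from `$ ./easyrsa gen-req` through the `openssl x509` output sits outside any code fence while the closing ``` after it has no opening fence, and the `root$` prompt from the legend is never used.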