From: stephan48 <stephan48@web>
Date: Fri, 30 Aug 2024 00:29:32 +0000 (+0200)
Subject: (no commit message)
X-Git-Url: https://blog.stejau.de/gitweb/gitweb.cgi?a=commitdiff_plain;h=9b1eb0ddbb8195ff2152744f92a95e0649e271a7;p=stejau-blog.git

---

diff --git a/posts/2024-08-29-k8s-cluster-step-ca-intermediate-with-existing-root.mdwn b/posts/2024-08-29-k8s-cluster-step-ca-intermediate-with-existing-root.mdwn
new file mode 100644
index 0000000..0f49ec1
--- /dev/null
+++ b/posts/2024-08-29-k8s-cluster-step-ca-intermediate-with-existing-root.mdwn
@@ -0,0 +1,201 @@
+....
+
+This is just a wip command by command play by play for now, i will add context and infos later(TM).
+
+random comments:
+
+- root$ denotes stuff done as root
+- $ denotes stuff done as normal user
+- you totally can use a different easy-rsa instance to generate your sub-ca, it does not need to be done in the root-ca "pki" - i will try to mark the points where you need to divert at a later time, essentially you need two easy-rsa instances(go figure, one with a ca build and one without - and then move the CSR/Finished cert between them)
+
+Relevant Domains:
+
+- kubecluster.example.org - subdomain your cluster should have
+- step-certificates.step-ca.svc.cluster.local - service and namespace under which your intermediate is reachable in the cluster
+- kubemaster.example.org - node fqdn
+- kubenode01.example.org - node fqdn
+- kubenode02.example.org - node fqdn
+- (add/remove more node fqdns)
+
+Derived domains:
+- ca.kubecluster.example.org - fqdn for your ca
+- .kubecluster.example.org - subdomain for your cluster including "children"
+
+
+You need a root ca managed by easy-rsa.
+Our first step is to create a template for our intermediate.
+
+
+
+```
+$ cd $CA_PATH
+$ cat > x509-types/ca.kubecluster.example.org <<EOF
+
+
+# CA_PATH_LEN for CA path length limits. You could also do this here
+# manually as in the following example in place of the existing line:
+#
+# basicConstraints = CA:TRUE, pathlen:0
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+keyUsage = cRLSign, keyCertSign
+
+# this magic bit creates a subca which is not allowed to sign other CAs - nice fun :)
+basicConstraints = critical, CA:TRUE, pathlen:0
+keyUsage = critical, keyCertSign, cRLSign
+subjectKeyIdentifier = hash
+nameConstraints = critical,@nameconsts
+subjectAltName = critical,@sans
+
+[sans]
+# configure all the namespaces & aliases here - atleast what you used for the commonname of the subca(to be created) and the CA alias in the cluster
+DNS.0=ca.kubecluster.example.org
+# helm-release-name.namespace.svc.cluster-local
+DNS.1=step-certificates.step-ca.svc.cluster.local
+
+[nameconsts]
+# apparently ordered numbers are not needed :P
+permitted;DNS.0=.kubecluster.example.org
+permitted;DNS.2=kubecluster.example.org
+# repeat the DNS.1 SAN here in the nameconstraint
+permitted;DNS.3=step-certificates.step-ca.svc.cluster.local
+# allow it to build certs for all nodenames in the cluster
+permitted;DNS.4=kubemaster.example.org
+permitted;DNS.5=kubenode01.example.org
+permitted;DNS.6=kubenode02.example.org
+EOF
+```
+
+
+
+$ ./easyrsa gen-req ca.kubecluster.example.org
+* Notice:
+Using Easy-RSA configuration from: /home/kind01/talos1-step-ca-autocert/pki/vars
+
+* Notice:
+Using SSL: openssl OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)
+
+Enter PEM pass phrase:
+Verifying - Enter PEM pass phrase:
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [DE]:
+State or Province Name (full name) [Internet]:Internet
+Locality Name (eg, city) [Internet]:NA
+Organization Name (eg, company) [Internet]: Internet
+Organizational Unit Name (eg, section) [K8s OU]:autocert-ca.kubecluster.example.org
+Common Name (eg: your user, host, or server name) [autocert-ca.kubecluster.example.org]:autocert-ca.kubecluster.example.org
+Email Address [email@mail.de]:
+* Notice:
+
+Keypair and certificate request completed. Your files are:
+req: /home/kind01/talos1-step-ca-autocert/pki/reqs/autocert-ca.kubecluster.example.org.req
+key: /home/kind01/talos1-step-ca-autocert/pki/private/autocert-ca.kubecluster.example.org.key
+
+$ ./easyrsa sign-req k8s_ca autocert-ca.kubecluster.example.org
+* Notice:
+Using Easy-RSA configuration from: /home/kind01/talos1-step-ca-autocert/pki/vars
+
+* Notice:
+Using SSL: openssl OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)
+
+
+You are about to sign the following certificate.
+Please check over the details shown below for accuracy. Note that this request
+has not been cryptographically verified. Please be sure it came from a trusted
+source or that you have verified the request checksum with the sender.
+
+Request subject, to be signed as a k8s_ca certificate for 825 days:
+
+subject=
+    countryName               = DE
+    stateOrProvinceName       = Internet
+    localityName              = NA
+    organizationName          = Internet
+    organizationalUnitName    = autocert-ca.kubecluster.example.org
+    commonName                = autocert-ca.kubecluster.example.org
+    emailAddress              = email@mail.de
+
+
+Type the word 'yes' to continue, or any other input to abort.
+  Confirm request details: yes
+
+Using configuration from /home/kind01/talos1-step-ca-autocert/pki/f9c9b30f/temp.d2f985fe
+Enter pass phrase for /home/kind01/talos1-step-ca-autocert/pki/private/ca.key:
+Check that the request matches the signature
+Signature ok
+The Subject's Distinguished Name is as follows
+countryName           :PRINTABLE:'DE'
+stateOrProvinceName   :ASN.1 12:'Internet'
+localityName          :ASN.1 12:'NA'
+organizationName      :ASN.1 12:'Internet'
+organizationalUnitName:ASN.1 12:'autocert-ca.kubecluster.example.org'
+commonName            :ASN.1 12:'autocert-ca.kubecluster.example.org'
+emailAddress          :IA5STRING:'email@mail.de'
+Certificate is to be certified until Jul  3 20:35:45 2025 GMT (825 days)
+
+Write out database with 1 new entries
+Data Base Updated
+
+* Notice:
+Certificate created at: /home/kind01/talos1-step-ca-autocert/pki/issued/autocert-ca.kubecluster.example.org
+
+$ openssl x509 -in /home/kind01/talos1-step-ca-autocert/pki/issued/autocert-ca.kubecluster.example.org.crt -noout -text
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            e4:d8:77:27:38:04:01:b4:38:92:7d:ea:1d:5a:fd:fb
+        Signature Algorithm: ED25519
+        Issuer: C = DE, ST = Internet, L = Internet, O = Internet, OU = K8s OU, CN = ca.talos1-autocert-root.internal.kubecluster.example.org, emailAddress = "email@mail.de"
+        Validity
+            Not Before: Mar 31 20:35:45 2023 GMT
+            Not After : Jul  3 20:35:45 2025 GMT
+        Subject: C = DE, ST = Internet, L = NA, O = Internet, OU = autocert-ca.kubecluster.example.org, CN = autocert-ca.kubecluster.example.org, emailAddress = "email@mail.de"
+        Subject Public Key Info:
+            Public Key Algorithm: ED25519
+                ED25519 Public-Key:
+                pub:
+                    b9:27:d2:8f:3e:77:97:d0:2e:fa:d3:88:59:41:a9:
+                    2a:90:1d:eb:f6:e5:77:e1:72:9a:ac:f8:c3:37:65:
+                    2f:27
+        X509v3 extensions:
+            X509v3 Authority Key Identifier:
+                keyid:F9:ED:D1:0C:5C:18:A8:AD:C7:79:05:00:B0:CA:CF:48:6B:96:56:B8
+                DirName:/C=DE/ST=Internet/L=Internet/O=Internet/OU=K8s OU/CN=ca.talos1-autocert-root.internal.kubecluster.example.org/emailAddress=email@mail.de
+                serial:27:6D:88:DB:92:45:CF:B0:05:93:20:C2:22:6C:86:2A:2B:1E:39:73
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:0
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Subject Key Identifier:
+                72:38:52:95:8C:5A:2E:F9:71:BE:3F:EB:F5:D5:AF:98:28:1B:C0:97
+            X509v3 Name Constraints: critical
+                Permitted:
+                  DNS:.svc.cluster.local
+                  DNS:svc.cluster.local
+                  DNS:svc
+                  DNS:.svc
+                  DNS:step-certificates-autocert.step-ca-autocert.svc.cluster.local
+            X509v3 Subject Alternative Name: critical
+                DNS:autocert-ca.kubecluster.example.org, DNS:step-certificates-autocert.step-ca-autocert.svc.cluster.local
+    Signature Algorithm: ED25519
+    Signature Value:
+        a4:2f:d9:5f:ea:99:1d:3a:6c:e2:39:e1:79:7e:9c:02:2a:e5:
+        7b:78:a3:52:3b:89:b4:a7:44:c0:29:f4:e3:7e:d0:b7:a5:91:
+        5b:f5:4f:43:f9:c8:8e:db:c4:58:a3:b6:61:42:44:47:58:d0:
+        02:5f:44:2f:9a:00:c7:38:57:05
+
+
+
+
+```
+
+its not the end yet :)