From: stephan48 Date: Sun, 1 Sep 2024 00:54:49 +0000 (+0200) Subject: (no commit message) X-Git-Url: https://blog.stejau.de/gitweb/gitweb.cgi?a=commitdiff_plain;h=aac103b39f490742aea1f90d24ed86dc6ea3e153;p=stejau-blog.git --- diff --git a/posts/2024-08-29-k8s-cluster-step-ca-intermediate-with-existing-root.mdwn b/posts/2024-08-29-k8s-cluster-step-ca-intermediate-with-existing-root.mdwn index 0f49ec1..e1c90b0 100644 --- a/posts/2024-08-29-k8s-cluster-step-ca-intermediate-with-existing-root.mdwn +++ b/posts/2024-08-29-k8s-cluster-step-ca-intermediate-with-existing-root.mdwn @@ -24,8 +24,7 @@ Derived domains: You need a root ca managed by easy-rsa. Our first step is to create a template for our intermediate. - - +This will need be run on the CA side. ``` $ cd $CA_PATH 
@@ -68,134 +67,99 @@ EOF ``` +The next commands need to run on the node preparing the step-ca config: -$ ./easyrsa gen-req ca.kubecluster.example.org +``` +$ make-ca cluster-step-ca +$ cd cluster-step-ca +$ ./easyrsa init-pki +$ pwgen -s 50 1 > ./intermediate-pw +$ EASYRSA_CN=ca.kubecluster.example.org EASYRSA_ALGO=ec EASYRSA_PASSOUT=file:./intermediate-pw ./easyrsa gen-req ca.kubecluster.example.org batch * Notice: -Using Easy-RSA configuration from: /home/kind01/talos1-step-ca-autocert/pki/vars +Using Easy-RSA configuration from: /home/k3s-rootless-experiments/dev/tmp/talos1-home-easy-rsa/vars + +* WARNING: + + Move your vars file to your PKI folder, where it is safe! * Notice: -Using SSL: openssl OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023) +Using SSL: openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024) -Enter PEM pass phrase: -Verifying - Enter PEM pass phrase: ------ -You are about to be asked to enter information that will be incorporated -into your certificate request. -What you are about to enter is what is called a Distinguished Name or a DN. -There are quite a few fields but you can leave some blank -For some fields there will be a default value, -If you enter '.', the field will be left blank. ----- -Country Name (2 letter code) [DE]: -State or Province Name (full name) [Internet]:Internet -Locality Name (eg, city) [Internet]:NA -Organization Name (eg, company) [Internet]: Internet -Organizational Unit Name (eg, section) [K8s OU]:autocert-ca.kubecluster.example.org -Common Name (eg: your user, host, or server name) [autocert-ca.kubecluster.example.org]:autocert-ca.kubecluster.example.org -Email Address [email@mail.de]: * Notice: Keypair and certificate request completed. 
Your files are: -req: /home/kind01/talos1-step-ca-autocert/pki/reqs/autocert-ca.kubecluster.example.org.req -key: /home/kind01/talos1-step-ca-autocert/pki/private/autocert-ca.kubecluster.example.org.key +req: /home/k3s-rootless-experiments/dev/tmp/talos1-home-easy-rsa/pki/reqs/ca.kubecluster.example.org.req +key: /home/k3s-rootless-experiments/dev/tmp/talos1-home-easy-rsa/pki/private/ca.kubecluster.example.org.key -$ ./easyrsa sign-req k8s_ca autocert-ca.kubecluster.example.org -* Notice: -Using Easy-RSA configuration from: /home/kind01/talos1-step-ca-autocert/pki/vars +``` -* Notice: -Using SSL: openssl OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023) +We now have a request we copy over to the CA, with which we can then generate the signed intermediate cert. + + +``` +$ cd $CA_DIR +$ # copy the generated req to ca.kubecluster.example.org.req to this dir +$ ./easyrsa import-req ./ca.kubecluster.example.org.csr.pem ca.kubecluster.example.org +$ ./easyrsa sign-req ca.kubecluster.example.org ca.kubecluster.example.org +* No Easy-RSA 'vars' configuration file exists! +* Using SSL: openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024) You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. -Request subject, to be signed as a k8s_ca certificate for 825 days: +Request subject, to be signed as a ca.kubecluster.home.stejau.vpn certificate for 825 days: subject= - countryName = DE - stateOrProvinceName = Internet - localityName = NA - organizationName = Internet - organizationalUnitName = autocert-ca.kubecluster.example.org - commonName = autocert-ca.kubecluster.example.org - emailAddress = email@mail.de + commonName = ca.kubecluster.example.org Type the word 'yes' to continue, or any other input to abort. 
Confirm request details: yes -Using configuration from /home/kind01/talos1-step-ca-autocert/pki/f9c9b30f/temp.d2f985fe -Enter pass phrase for /home/kind01/talos1-step-ca-autocert/pki/private/ca.key: +Using configuration from /root/vpnint-easy-rsa/easyrsa3/pki/98b8aa22/temp.5.x +Enter pass phrase for /root/vpnint-easy-rsa/easyrsa3/pki/private/ca.key: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows -countryName :PRINTABLE:'DE' -stateOrProvinceName :ASN.1 12:'Internet' -localityName :ASN.1 12:'NA' -organizationName :ASN.1 12:'Internet' -organizationalUnitName:ASN.1 12:'autocert-ca.kubecluster.example.org' -commonName :ASN.1 12:'autocert-ca.kubecluster.example.org' -emailAddress :IA5STRING:'email@mail.de' -Certificate is to be certified until Jul 3 20:35:45 2025 GMT (825 days) +commonName :ASN.1 12:'ca.kubecluster.example.org' +Certificate is to be certified until Dec 4 22:53:17 2026 GMT (825 days) Write out database with 1 new entries -Data Base Updated +Database updated -* Notice: -Certificate created at: /home/kind01/talos1-step-ca-autocert/pki/issued/autocert-ca.kubecluster.example.org - -$ openssl x509 -in /home/kind01/talos1-step-ca-autocert/pki/issued/autocert-ca.kubecluster.example.org.crt -noout -text -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - e4:d8:77:27:38:04:01:b4:38:92:7d:ea:1d:5a:fd:fb - Signature Algorithm: ED25519 - Issuer: C = DE, ST = Internet, L = Internet, O = Internet, OU = K8s OU, CN = ca.talos1-autocert-root.internal.kubecluster.example.org, emailAddress = "email@mail.de" - Validity - Not Before: Mar 31 20:35:45 2023 GMT - Not After : Jul 3 20:35:45 2025 GMT - Subject: C = DE, ST = Internet, L = NA, O = Internet, OU = autocert-ca.kubecluster.example.org, CN = autocert-ca.kubecluster.example.org, emailAddress = "email@mail.de" - Subject Public Key Info: - Public Key Algorithm: ED25519 - ED25519 Public-Key: - pub: - b9:27:d2:8f:3e:77:97:d0:2e:fa:d3:88:59:41:a9: - 
2a:90:1d:eb:f6:e5:77:e1:72:9a:ac:f8:c3:37:65: - 2f:27 - X509v3 extensions: - X509v3 Authority Key Identifier: - keyid:F9:ED:D1:0C:5C:18:A8:AD:C7:79:05:00:B0:CA:CF:48:6B:96:56:B8 - DirName:/C=DE/ST=Internet/L=Internet/O=Internet/OU=K8s OU/CN=ca.talos1-autocert-root.internal.kubecluster.example.org/emailAddress=email@mail.de - serial:27:6D:88:DB:92:45:CF:B0:05:93:20:C2:22:6C:86:2A:2B:1E:39:73 - X509v3 Basic Constraints: critical - CA:TRUE, pathlen:0 - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Subject Key Identifier: - 72:38:52:95:8C:5A:2E:F9:71:BE:3F:EB:F5:D5:AF:98:28:1B:C0:97 - X509v3 Name Constraints: critical - Permitted: - DNS:.svc.cluster.local - DNS:svc.cluster.local - DNS:svc - DNS:.svc - DNS:step-certificates-autocert.step-ca-autocert.svc.cluster.local - X509v3 Subject Alternative Name: critical - DNS:autocert-ca.kubecluster.example.org, DNS:step-certificates-autocert.step-ca-autocert.svc.cluster.local - Signature Algorithm: ED25519 - Signature Value: - a4:2f:d9:5f:ea:99:1d:3a:6c:e2:39:e1:79:7e:9c:02:2a:e5: - 7b:78:a3:52:3b:89:b4:a7:44:c0:29:f4:e3:7e:d0:b7:a5:91: - 5b:f5:4f:43:f9:c8:8e:db:c4:58:a3:b6:61:42:44:47:58:d0: - 02:5f:44:2f:9a:00:c7:38:57:05 +Notice +------ +Certificate created at: +* /root/vpnint-easy-rsa/easyrsa3/pki/issued/ca.kubecluster.example.org.crt + + +$ openssl x509 -in /home/kind01/talos1-step-ca-autocert/pki/issued/ca.kubecluster.example.org.crt -noout -text +... + + +``` +The generated cert should contain all the SANs/name constraints from the template. +We continue on the step-ca host: ``` -its not the end yet :) +$ # Copy the signed cert into pki/issued/ca.kubecluster.example.org.crt. 
+$ # Copy the root ca crt from pk/ca.crt into pki/ca.crt +$ pwgen -s 50 1 > pwd +$ step ca init --password-file=pwd --provisioner-password-file=pwd --name=test1 --key-password-file=pwd --deployment-type=standalone --dns ca.kubecluster.home.stejau.vpn --dns ca.kubecluster.fritz.box --dns step-certificates.step-ca.svc.cluster.local --address=:9000 --provisioner=step-ca-issuer --helm > test1.yaml +$ cat ./test1.yaml | yq -o json | jq --arg fingerprint "$(openssl x509 -in pki/ca.crt -noout -fingerprint -sha256 | sed 's/.*=//; s/://g')" --rawfile root_ca_crt pki/ca.crt --rawfile intermediate_ca_pw ./intermediate-pw --rawfile intermediate_ca_key pki/private/ca.kubecluster.home.stejau.vpn.key --rawfile intermediate_ca_crt pki/issued/ca.kubecluster.home.stejau.vpn.crt '.inject.certificates.root_ca = $root_ca_crt | .inject.secrets.x509.root_ca_key = null | .inject.certificates.intermediate_ca = $intermediate_ca_crt | .inject.secrets.x509.intermediate_ca_key = $intermediate_ca_key | .inject.secrets.ca_password = ($intermediate_ca_pw | @base64) | .inject.secrets.provisioner_password = null | .inject.config.files["defaults.json"].fingerprint = $fingerprint' | yq -o yaml -P | tee test2.yaml + +$ # you now have the step-ca config inside test2.yaml. + +``` + + +Caveat: +* it might be that x509-types in a modern easy-rsa install is under pki/ instead of in the same dir as the easy-rsa script
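Review bot: the new sentence in the first hunk, `+This will need be run on the CA side.`, is missing a word; suggest `This will need to be run on the CA side.` so the reader knows this template step belongs on the root CA host, not on the node that prepares the step-ca config.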
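Review bot: in the second hunk the file names in the CA-side block do not line up: the comment says `+$ # copy the generated req to ca.kubecluster.example.org.req to this dir`, but the next line runs `+$ ./easyrsa import-req ./ca.kubecluster.example.org.csr.pem ca.kubecluster.example.org`, and the `gen-req` output above names the file `pki/reqs/ca.kubecluster.example.org.req`; pick one name so the commands can be followed verbatim. The same hunk also leaks the real host names into an otherwise example-domain walkthrough (`to be signed as a ca.kubecluster.home.stejau.vpn certificate`, `--dns ca.kubecluster.home.stejau.vpn --dns ca.kubecluster.fritz.box`, `pki/private/ca.kubecluster.home.stejau.vpn.key`, `pki/issued/ca.kubecluster.home.stejau.vpn.crt`) while `sign-req`, `step ca init --dns step-certificates.step-ca.svc.cluster.local` and the surrounding prose use `ca.kubecluster.example.org`; the `jq` command will not find those key and cert paths if the reader used the example name. Two smaller points: `pk/ca.crt` in `+$ # Copy the root ca crt from pk/ca.crt into pki/ca.crt` should read `pki/ca.crt`, and the `openssl x509 -in /home/kind01/talos1-step-ca-autocert/pki/issued/...` path does not match the `/root/vpnint-easy-rsa/easyrsa3/pki/issued/` location printed two lines earlier. On the positive side, `.inject.secrets.x509.root_ca_key = null` is the right call and worth a sentence in the prose: the root key never leaves the CA host, and the cluster only receives the root certificate, the intermediate and its passphrase; it would also help to remind the reader that `./intermediate-pw` and `pwd` now hold live secrets and should be removed once `test2.yaml` has been applied.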