From 0bec212adb5ec9f595053aee8bf093fd5205be92 Mon Sep 17 00:00:00 2001
From: stephan48
Date: Fri, 31 Mar 2023 22:50:04 +0200
Subject: [PATCH]

---
 ...3-27-k8s-cluster-step-ca-from-scratch.mdwn | 136 +++++++++++++++++-
 1 file changed, 133 insertions(+), 3 deletions(-)

diff --git a/posts/2023-03-27-k8s-cluster-step-ca-from-scratch.mdwn b/posts/2023-03-27-k8s-cluster-step-ca-from-scratch.mdwn
index 1785bc1..a80ad4c 100644
--- a/posts/2023-03-27-k8s-cluster-step-ca-from-scratch.mdwn
+++ b/posts/2023-03-27-k8s-cluster-step-ca-from-scratch.mdwn
@@ -70,11 +70,14 @@ If you enter '.', the field will be left blank. Country Name (2 letter code) [DE]: State or Province Name (full name) [Internet]: Locality Name (eg, city) [Internet]: -Organization Name (eg, company) [SteJau]: XX +Organization Name (eg, company) [Internet]: XX Organizational Unit Name (eg, section) [K8s OU]: Common Name (eg: your user, host, or server name) [Easy-RSA CA]:root-ca.example.org Email Address [XX]: +# it wants to have all relevant types in the pki x509-types dir, so we oblige +$ for i in x509-types/*; do ln -sr $i pki/x509-types/; done + $ vim pki/x509-types/k8s_ca # CA_PATH_LEN for CA path length limits. You could also do this here # manually as in the following example in place of the existing line: 
@@ -96,14 +99,14 @@ subjectAltName = critical,@sans # configure all the namespaces & aliases here - atleast what you used for the commonname of the subca(to be created) and the CA alias in the cluster DNS.0=cluster-ca.example.org # helm-release-name.namespace.svc.cluster-local -DNS.1=step-certificates-autocert.step-autocert.svc.cluster.local +DNS.1=step-certificates-autocert.step-ca-autocert.svc.cluster.local [nameconsts] # apparently ordered numbers are not needed :P permitted;DNS.0=.kubecluster.example.org permitted;DNS.2=kubecluster.example.org # repeat the DNS.1 SAN here in the nameconstraint -permitted;DNS.3=step-certificates-autocert.step-autocert.svc.cluster.local +permitted;DNS.3=step-certificates-autocert.step-ca-autocert.svc.cluster.local # allow it to build certs for all nodenames in the cluster permitted;DNS.4=kubemaster.example.org permitted;DNS.5=kubenode01.example.org 
@@ -144,6 +147,133 @@ permitted;DNS.1=svc.cluster.local permitted;DNS.2=svc permitted;DNS.3=.svc permitted;DNS.4=step-certificates-autocert.step-ca-autocert.svc.cluster.local +:wq + +$ ./easyrsa gen-req autocert-ca.kubecluster.example.org +* Notice: +Using Easy-RSA configuration from: /home/kind01/talos1-step-ca-autocert/pki/vars + +* Notice: +Using SSL: openssl OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023) + +Enter PEM pass phrase: +Verifying - Enter PEM pass phrase: +----- +You are about to be asked to enter information that will be incorporated +into your certificate request. +What you are about to enter is what is called a Distinguished Name or a DN. +There are quite a few fields but you can leave some blank +For some fields there will be a default value, +If you enter '.', the field will be left blank. +----- +Country Name (2 letter code) [DE]: +State or Province Name (full name) [Internet]:Internet +Locality Name (eg, city) [Internet]:NA +Organization Name (eg, company) [Internet]: Internet +Organizational Unit Name (eg, section) [K8s OU]:autocert-ca.kubecluster.example.org +Common Name (eg: your user, host, or server name) [autocert-ca.kubecluster.example.org]:autocert-ca.kubecluster.example.org +Email Address [email@mail.de]: +* Notice: + +Keypair and certificate request completed. Your files are: +req: /home/kind01/talos1-step-ca-autocert/pki/reqs/autocert-ca.kubecluster.example.org.req +key: /home/kind01/talos1-step-ca-autocert/pki/private/autocert-ca.kubecluster.example.org.key + +$ ./easyrsa sign-req k8s_ca autocert-ca.kubecluster.example.org +* Notice: +Using Easy-RSA configuration from: /home/kind01/talos1-step-ca-autocert/pki/vars + +* Notice: +Using SSL: openssl OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023) + + +You are about to sign the following certificate. +Please check over the details shown below for accuracy. Note that this request +has not been cryptographically verified. 
Please be sure it came from a trusted +source or that you have verified the request checksum with the sender. + +Request subject, to be signed as a k8s_ca certificate for 825 days: + +subject= + countryName = DE + stateOrProvinceName = Internet + localityName = NA + organizationName = Internet + organizationalUnitName = autocert-ca.kubecluster.example.org + commonName = autocert-ca.kubecluster.example.org + emailAddress = email@mail.de + + +Type the word 'yes' to continue, or any other input to abort. + Confirm request details: yes + +Using configuration from /home/kind01/talos1-step-ca-autocert/pki/f9c9b30f/temp.d2f985fe +Enter pass phrase for /home/kind01/talos1-step-ca-autocert/pki/private/ca.key: +Check that the request matches the signature +Signature ok +The Subject's Distinguished Name is as follows +countryName :PRINTABLE:'DE' +stateOrProvinceName :ASN.1 12:'Internet' +localityName :ASN.1 12:'NA' +organizationName :ASN.1 12:'Internet' +organizationalUnitName:ASN.1 12:'autocert-ca.kubecluster.example.org' +commonName :ASN.1 12:'autocert-ca.kubecluster.example.org' +emailAddress :IA5STRING:'email@mail.de' +Certificate is to be certified until Jul 3 20:35:45 2025 GMT (825 days) + +Write out database with 1 new entries +Data Base Updated + +* Notice: +Certificate created at: /home/kind01/talos1-step-ca-autocert/pki/issued/autocert-ca.kubecluster.example.org + +$ openssl x509 -in /home/kind01/talos1-step-ca-autocert/pki/issued/autocert-ca.kubecluster.example.org.crt -noout -text +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + e4:d8:77:27:38:04:01:b4:38:92:7d:ea:1d:5a:fd:fb + Signature Algorithm: ED25519 + Issuer: C = DE, ST = Internet, L = Internet, O = Internet, OU = K8s OU, CN = ca.talos1-autocert-root.internal.kubecluster.example.org, emailAddress = "email@mail.de" + Validity + Not Before: Mar 31 20:35:45 2023 GMT + Not After : Jul 3 20:35:45 2025 GMT + Subject: C = DE, ST = Internet, L = NA, O = Internet, OU = autocert-ca.kubecluster.example.org, 
CN = autocert-ca.kubecluster.example.org, emailAddress = "email@mail.de" + Subject Public Key Info: + Public Key Algorithm: ED25519 + ED25519 Public-Key: + pub: + b9:27:d2:8f:3e:77:97:d0:2e:fa:d3:88:59:41:a9: + 2a:90:1d:eb:f6:e5:77:e1:72:9a:ac:f8:c3:37:65: + 2f:27 + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:F9:ED:D1:0C:5C:18:A8:AD:C7:79:05:00:B0:CA:CF:48:6B:96:56:B8 + DirName:/C=DE/ST=Internet/L=Internet/O=Internet/OU=K8s OU/CN=ca.talos1-autocert-root.internal.kubecluster.example.org/emailAddress=email@mail.de + serial:27:6D:88:DB:92:45:CF:B0:05:93:20:C2:22:6C:86:2A:2B:1E:39:73 + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:0 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 72:38:52:95:8C:5A:2E:F9:71:BE:3F:EB:F5:D5:AF:98:28:1B:C0:97 + X509v3 Name Constraints: critical + Permitted: + DNS:.svc.cluster.local + DNS:svc.cluster.local + DNS:svc + DNS:.svc + DNS:step-certificates-autocert.step-ca-autocert.svc.cluster.local + X509v3 Subject Alternative Name: critical + DNS:autocert-ca.kubecluster.example.org, DNS:step-certificates-autocert.step-ca-autocert.svc.cluster.local + Signature Algorithm: ED25519 + Signature Value: + a4:2f:d9:5f:ea:99:1d:3a:6c:e2:39:e1:79:7e:9c:02:2a:e5: + 7b:78:a3:52:3b:89:b4:a7:44:c0:29:f4:e3:7e:d0:b7:a5:91: + 5b:f5:4f:43:f9:c8:8e:db:c4:58:a3:b6:61:42:44:47:58:d0: + 02:5f:44:2f:9a:00:c7:38:57:05 + + ``` its not the end yet :) -- 2.30.2