Vault PKI Intermediate ca etcd Kubernetes the hard way v2: difference between revisions
Sirmax (talk | contribs) |
Sirmax (talk | contribs) |
||
(23 intermediate revisions by the same user not shown) | |||
Строка 4: | Строка 4: | ||
[[Категория:Linux]] |
[[Категория:Linux]] |
||
[[Категория:Kubernetes the hard way v2]] |
[[Категория:Kubernetes the hard way v2]] |
||
+ | [[Категория:etcd]] |
||
=Создание СА для работы кластера etcd= |
=Создание СА для работы кластера etcd= |
||
Строка 27: | Строка 28: | ||
=Генерация запроса на сертификат для промежуточного CA= |
=Генерация запроса на сертификат для промежуточного CA= |
||
+ | '''Важно - суффикс <code>internal</code> (k8s_pki_intermediate_ca_for_service_etcd/intermediate/generate/internal) означает что сертефикат нельзя будет использовать за пределами Vault''' |
||
+ | <BR>В этом примере и не планируется такое использование, но если такая необходимость есть то следует использовать суффикс ''''' exported ''''' |
||
<PRE> |
<PRE> |
||
vault \ |
vault \ |
||
write \ |
write \ |
||
− | -format=json |
+ | -format=json \ |
+ | k8s_pki_intermediate_ca_for_service_etcd/intermediate/generate/internal \ |
||
− | common_name="Intermediate CA for service ETCd" \ |
||
+ | common_name="Intermediate CA for service ETCd" \ |
||
− | country="Ukraine" \ |
||
− | + | country="Ukraine" \ |
|
+ | locality="Kharkov" \ |
||
− | street_address="Lui Pastera st. 322 app. 131" \ |
||
+ | street_address="Lui Pastera st. 322 app. 131" \ |
||
− | postal_code="61172" \ |
||
+ | postal_code="61172" \ |
||
− | organization="K8s The Hardest Way Labs" \ |
||
+ | organization="K8s The Hardest Way Labs" \ |
||
− | ou="IT" \ |
||
+ | ou="IT" \ |
||
− | ttl="175200h" > k8s_pki_intermediate_ca_for_service_etcd_crs.json |
||
+ | ttl="175200h" > k8s_pki_intermediate_ca_for_service_etcd_csr.json |
||
+ | </PRE> |
||
+ | |||
+ | Если используется экспортируемый сертификат то нужно сохранить ключ |
||
+ | <PRE> |
||
+ | cat \ |
||
+ | k8s_pki_intermediate_ca_for_service_etcd_csr.json | \ |
||
+ | jq -r '.data.private_key' >> k8s_pki_intermediate_ca_for_service_etcd_certificate.key |
||
</PRE> |
</PRE> |
||
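Review bot: the exported-key step `jq -r '.data.private_key' >> k8s_pki_intermediate_ca_for_service_etcd_certificate.key` appends rather than overwrites, so a second run leaves two keys in the file and the later `openssl rsa -noout -modulus` check silently reads only the first; use `>` and run it under `umask 077` (or `chmod 600` the file afterwards) so the CA private key is never world-readable. The bold note above the block is right that `generate/internal` keeps the key inside Vault, so this step applies only to the `exported` variant.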
Строка 44: | Строка 55: | ||
==Сырой вывод== |
==Сырой вывод== |
||
<PRE> |
<PRE> |
||
+ | cat k8s_pki_intermediate_ca_for_service_etcd_csr.json |
||
− | cat k8s_pki_intermediate_ca_for_service_etcd_crs.json |
||
</PRE> |
</PRE> |
||
{{#spoiler:show=CERTIFICATE REQUEST | |
{{#spoiler:show=CERTIFICATE REQUEST | |
||
Строка 180: | Строка 191: | ||
ttl="175200h" > k8s_pki_intermediate_ca_for_service_etcd_pem_bundle.json |
ttl="175200h" > k8s_pki_intermediate_ca_for_service_etcd_pem_bundle.json |
||
</PRE> |
</PRE> |
||
− | + | =="Сырой" результат== |
|
+ | <PRE> |
||
+ | cat k8s_pki_intermediate_ca_for_service_etcd_pem_bundle.json |
||
+ | </PRE> |
||
+ | {{#spoiler:show=Результат в "сыром виде"| |
||
<PRE> |
<PRE> |
||
{ |
{ |
||
− | "request_id": " |
+ | "request_id": "fbf7b67a-4301-86d0-4d3c-08f227ef8e9f", |
"lease_id": "", |
"lease_id": "", |
||
"lease_duration": 0, |
"lease_duration": 0, |
||
"renewable": false, |
"renewable": false, |
||
"data": { |
"data": { |
||
+ | "certificate": "-----BEGIN CERTIFICATE-----\nMIIE9TCCA92gAwIBAgIUT+T1Nm5/8WjEJmyXwSG7RlRtmJMwDQYJKoZIhvcNAQEL\nBQAwgcAxEDAOBgNVBAYTB1VrcmFpbmUxEDAOBgNVBAcTB0toYXJrb3YxLTAPBgNV\nBAkTCGFwcC4gMTMxMBoGA1UECRMTTHVpIFBhc3RlcmEgU3QuIDMyMjEOMAwGA1UE\nERMFNjExNzIxFTATBgNVBAoTDEhvbWUgTmV0d29yazELMAkGA1UECxMCSVQxNzA1\nBgNVBAMTLlJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IGZvciBIb21lIE5ldHdv\ncmsgdjIwHhcNMjIxMDAyMTYxNjU1WhcNNDIwOTI3MTYxNzI1WjCBtjEQMA4GA1UE\nBhMHVWtyYWluZTEQMA4GA1UEBxMHS2hhcmtvdjElMCMGA1UECRMcTHVpIFBhc3Rl\ncmEgc3QuIDMyMiBhcHAuIDEzMTEOMAwGA1UEERMFNjExNzIxITAfBgNVBAoTGEs4\ncyBUaGUgSGFyZGVzdCBXYXkgTGFiczELMAkGA1UECxMCSVQxKTAnBgNVBAMTIElu\ndGVybWVkaWF0ZSBDQSBmb3Igc2VydmljZSBFVENkMIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEAw+BKXwFhQKQPN2oycnHz1OVaKt2wO/jSwlwIgL8Uqhsy\nl1aVsEwOGZl4WSg+8O6WZYjMzOk8Xv5DVNulHEec2RbzfCyeejE9N5HTKb6LEN5S\nX/81WyM6YfjRbZ+5BnqPdL8Mt8YbF04VzlOz5qREdNPIPmd8iwzCDEO0wNJp/2g3\n26DHwSqdC0GfmlDNqnUTVvnxHkk+Gsn7Zx6gfg2pcpu7hlpanNUftGNOt/UA6mSc\nIGNH1mnGX4OMFyHaqAljSWcPfvepoUqe0ZMOhkpEl6oI0EhigHyjwpzMULjp1JhP\nMGiTBBBThH3CgCT7Ixkja/wjQQkKcW2xgXueuQ27FwIDAQABo4HuMIHrMA4GA1Ud\nDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRAf2zV00Ozzw9c\nludrrD8ZTYtJNDAfBgNVHSMEGDAWgBQC+IUrdfjhHGkoMDIhLYZxr6vsPDBIBggr\nBgEFBQcBAQQ8MDowOAYIKwYBBQUHMAKGLGh0dHA6Ly92YXVsdC5ob21lOjgyMDAv\ndjEvazhzX3BraV9yb290X2NhL2NhMD4GA1UdHwQ3MDUwM6AxoC+GLWh0dHA6Ly92\nYXVsdC5ob21lOjgyMDAvdjEvazhzX3BraV9yb290X2NhL2NybDANBgkqhkiG9w0B\nAQsFAAOCAQEAAGRmGgzdHM5w00Xos03Be0jat24CSQskVCAHFhV9dJN7v4YVuZUG\nHVsb2m0MQmw5b3WGo2J9lNqIO0ETgnzqvye+Zj3DcetYaHZ300Rpv5QFqQNdebQY\nO8MP03NvqPrlsscGmjWQ8swKRKIBjsIgVlQuWMK/30k5QXEX9Nys/p3gl+OfK6MA\nnhKE6vYOneNpXTHJOly/0boyNf+/+MkFgFeLbe/gxNgyJu8CVYfaGjQ4FQNqDoy3\nlMdepwKstmOo05m3/6qs6jEfVVjSf90hMbBbdelzpe3/ectYEc5ZqRdqNfeo5luR\nMYmvkBormMQyOa3qsXCOjcyxQZ4hvXIVJA==\n-----END CERTIFICATE-----", |
||
− | "certificate": "-----BEGIN CERTIFICATE-----\nMIIESTCCAzGgAwIBAgIUQLKqMu7qL4R1u4/sLphWcBxm9g0wDQYJKoZIhvcNAQEL\nBQAwgb0xEDAOBgNVBAYTB1VrcmFpbmUxEDAOBgNVBAcTB0toYXJrb3YxLTAPBgNV\nBAkTCGFwcC4gMTMxMBoGA1UECRMTTHVpIFBhc3RlcmEgU3QuIDMyMjEOMAwGA1UE\nERMFNjExNzIxFTATBgNVBAoTDEhvbWUgTmV0d29yazELMAkGA1UECxMCSVQxNDAy\nBgNVBAMTK1Jvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IGZvciBIb21lIE5ldHdv\ncmswHhcNMjExMDExMDkyMjM3WhcNNDExMDA2MDkyMzA3WjCBmTEQMA4GA1UEBhMH\nVWtyYWluZTEQMA4GA1UEBxMHS2hhcmtvdjElMCMGA1UECRMcTHVpIFBhc3RlcmEg\nc3QuIDMyMiBhcHAuIDEzMTEOMAwGA1UEERMFNjExNzIxFTATBgNVBAoTDEhvbWUg\nTmV0d29yazELMAkGA1UECxMCSVQxGDAWBgNVBAMTD0ludGVybWVkaWF0ZSBDQTCC\nASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMgmWZZFkFcuAzKZa2VQKf37\ncjUFLVb4rLJrZOC5z1FuWFzKPNvUOyG2QkB2iGbdvA+cQII/ILcBEo7I3zGt6lg6\nWmGyff4ve2mM5++rtNIleXX3iCORREbsCHPYUH+g+rT531gtgH9NMKHYfav7eRcx\nf4HIlNwgdD7Tf7oSvvf5/So6ZjLL9TrWWaNgZBPOWEvHMFZnXG8s0kpowahkeAPI\nnXlsvIJy5KnQZgWcGG3C9LcEvrC+6Gifk0FOMt2c9HNgDyxs+rRJWmlRDJ1pVje9\n0EbceyharZ32FCzpznpTKylrGmyQqOkR2lKn//+N9DZwcC6ngB5AFBqKd74R/MUC\nAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O\nBBYEFFfMF8/PIZRxQrirBnz9/EVt+WpPMB8GA1UdIwQYMBaAFNs6c3oDJS4XSEZY\nZxmthi4EPevsMA0GCSqGSIb3DQEBCwUAA4IBAQCI5j1vsxGmb2zhd1p7rLJibntp\nJHxTg0qG9pDKzO3erUDia53ifTRchRjNqgcdTJO89MbCVpMcK88+E01X3KtGZMFR\n3V4I1Gmptdg4luicYzrO92S40CiRHr9UFz8Cftg9JxGZAk0MN3ScpjtxPM1fZs4d\n2INtQtyjtZ/I86itogPsKHo7hrIdo9IGmFa7OHuul/uYl3Z9cNLOAEHcBFarQ9Vn\nvQmPpdaq3t4ArwFHRrn5ZMgM9HbvRbgr3ns5U4uX9TdSefHashoAuVGvIFquMpVj\n0ajUAed1yuVd7S2USE1s8RyN7j3t0D7FG7pRECTBnZYKqBc7OI2YdiwdPvQH\n-----END CERTIFICATE-----", |
||
− | "expiration": |
+ | "expiration": 2295447445, |
+ | "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIEdTCCA12gAwIBAgIUbJDrkNRfhm3Y+/j4oE0H+JkeYgIwDQYJKoZIhvcNAQEL\nBQAwgcAxEDAOBgNVBAYTB1VrcmFpbmUxEDAOBgNVBAcTB0toYXJrb3YxLTAPBgNV\nBAkTCGFwcC4gMTMxMBoGA1UECRMTTHVpIFBhc3RlcmEgU3QuIDMyMjEOMAwGA1UE\nERMFNjExNzIxFTATBgNVBAoTDEhvbWUgTmV0d29yazELMAkGA1UECxMCSVQxNzA1\nBgNVBAMTLlJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IGZvciBIb21lIE5ldHdv\ncmsgdjIwIBcNMjIxMDAyMTQ1NjMyWhgPMjA1MjA5MjQxNDU3MDBaMIHAMRAwDgYD\nVQQGEwdVa3JhaW5lMRAwDgYDVQQHEwdLaGFya292MS0wDwYDVQQJEwhhcHAuIDEz\nMTAaBgNVBAkTE0x1aSBQYXN0ZXJhIFN0LiAzMjIxDjAMBgNVBBETBTYxMTcyMRUw\nEwYDVQQKEwxIb21lIE5ldHdvcmsxCzAJBgNVBAsTAklUMTcwNQYDVQQDEy5Sb290\nIENlcnRpZmljYXRlIEF1dGhvcml0eSBmb3IgSG9tZSBOZXR3b3JrIHYyMIIBIjAN\nBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx299heF9ca7N4qaFLTaFxDEiyLwR\nHMW9EOxodl0W4f62AN5PxCNI1CqXhGSIgCO9Yzy6QLdm9m8PtbcQiITYbhkInKBU\ne7ruwoiZYfvpQyJhvQH+8rAzVjtRrWNXuQDPYTiYEpTycbM5mrDR3yBeOT85/bxH\nkgJ+g8V7mpgstA9IbDNZDEmg5eco0Hgwn/LC4RM815x+mJV3QDb2mNcFIck1/t58\nF8T0GQ+OothQfOwC7tC+1qvlJjb35RP+Q3CRaJ5G3dFTDqTb0h8xY4B65wceOnnk\nOH7uwWCGpHwm0/KHyfI79sGvMz7S+mJeR8rxK5NFSzBHmHv4zaIZ54rEZwIDAQAB\no2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU\nAviFK3X44RxpKDAyIS2Gca+r7DwwHwYDVR0jBBgwFoAUAviFK3X44RxpKDAyIS2G\nca+r7DwwDQYJKoZIhvcNAQELBQADggEBAKYfcKf2Pgpc7BH3pN/axbtCw1oU8q4p\n5/KkyT6Q5XVxSvkO6GRn1V+uouofFhuriudbyB0eQo7X5z2+AuE3+juz3w/YGUFJ\nU/fGt+1WemBuxf3qtPdD6HtyHLF6SnCTh1OlZpILiXPNF6zHMXq4fRRVyEVWmkB0\nObRXEq0z5Fq0NHVU9cyxP67h99V6+N3ILNskEGmDqGwCtDyr7xesd638qN7xOTQo\n+2M0eqCV6nOdw6Z1xGmVK91kqEYEbFMgGLBCq53An7Fg/H44ytiztJqKIgxt/zY2\nPWuXBPK0nssQ5D87CWL1VDQIIVHYLS8xPQ1APWTF5M53u4h6t9mrM/U=\n-----END CERTIFICATE-----", |
||
− | "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIEbzCCA1egAwIBAgIUBVXFmyCRZoaWQoS9ZprBcCiNv4IwDQYJKoZIhvcNAQEL\nBQAwgb0xEDAOBgNVBAYTB1VrcmFpbmUxEDAOBgNVBAcTB0toYXJrb3YxLTAPBgNV\nBAkTCGFwcC4gMTMxMBoGA1UECRMTTHVpIFBhc3RlcmEgU3QuIDMyMjEOMAwGA1UE\nERMFNjExNzIxFTATBgNVBAoTDEhvbWUgTmV0d29yazELMAkGA1UECxMCSVQxNDAy\nBgNVBAMTK1Jvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IGZvciBIb21lIE5ldHdv\ncmswIBcNMjExMDEwMTI1ODAwWhgPMjA1MTEwMDMxMjU4MjdaMIG9MRAwDgYDVQQG\nEwdVa3JhaW5lMRAwDgYDVQQHEwdLaGFya292MS0wDwYDVQQJEwhhcHAuIDEzMTAa\nBgNVBAkTE0x1aSBQYXN0ZXJhIFN0LiAzMjIxDjAMBgNVBBETBTYxMTcyMRUwEwYD\nVQQKEwxIb21lIE5ldHdvcmsxCzAJBgNVBAsTAklUMTQwMgYDVQQDEytSb290IENl\ncnRpZmljYXRlIEF1dGhvcml0eSBmb3IgSG9tZSBOZXR3b3JrMIIBIjANBgkqhkiG\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvtwCSvUyOLLPEE940N7Qgg5SK3+r2e5coIFK\njC2uYKwnbBLvpm9vYiN00MLVuIOAZqFQ6ljqGLMXSaZtg7nTC6UgwVxaVNZAVsHE\nYFm5C/3eDNQLA3qTzfAflCXuEQeGdPPoMeVmmU4DoInKPotlcznYaZHAE7puNSpg\n59nmW1PuvRJKuhrQcGDiZdxSnfjMDOz/29XjEqegkQSiQAHzHORak3Q3FjzhvyL+\nCqHd7s03K28pRxS1G2ZXmLV+ArVLVO606ZP6ye1OKMzcq2hC/ffA7okVLkZ2ZPis\nvoYdVEpKKdUtcVk0+PAL5fwcFBHYCIt5CqePa2Ews2makBLDKQIDAQABo2MwYTAO\nBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU2zpzegMl\nLhdIRlhnGa2GLgQ96+wwHwYDVR0jBBgwFoAU2zpzegMlLhdIRlhnGa2GLgQ96+ww\nDQYJKoZIhvcNAQELBQADggEBAHFvVtRquCSd/BZHjBxZrMKSkDZf73NDx9cuILRL\n6T9XtKa0gqIovfKYB6FJ38cdYFpW/IVk59iXdfY2ZhoEq1eKQ9g8qpdyXj2FWdnT\ntivVqtZJrTUELCJSnGFqay/dunjMt6yc+m0eV2KPuJT5mDDVwQYkwBdYRv1uVZJv\nmBHYzShvksuQXV6Rs6q7/dD1MprtpIBafuZrXZgZcQSG3hjiODcP4mEK04HABh/n\n8KDFj/eQj8l01WgdM7SlRfz3jDWmOh2nahGlG+F72Cwqh1wTUNHHEJKMupiTIs2B\nsjCYRMVUw1A6MBY5kS8KrTizRMIZCLKjSQoVY4F8Y7lMjnw=\n-----END CERTIFICATE-----", |
||
− | "serial_number": " |
+ | "serial_number": "4f:e4:f5:36:6e:7f:f1:68:c4:26:6c:97:c1:21:bb:46:54:6d:98:93" |
}, |
}, |
||
"warnings": null |
"warnings": null |
||
} |
} |
||
</PRE> |
</PRE> |
||
+ | }} |
||
− | ====PEM Файл==== |
||
+ | |||
+ | ==PEM Файл== |
||
<PRE> |
<PRE> |
||
− | cat |
+ | cat k8s_pki_intermediate_ca_for_service_etcd_pem_bundle.json | jq -r .data.certificate > k8s_pki_intermediate_ca_for_service_etcd_certificate.pem |
</PRE> |
</PRE> |
||
<PRE> |
<PRE> |
||
-----BEGIN CERTIFICATE----- |
-----BEGIN CERTIFICATE----- |
||
+ | MIIE9TCCA92gAwIBAgIUT+T1Nm5/8WjEJmyXwSG7RlRtmJMwDQYJKoZIhvcNAQEL |
||
− | MIIESTCCAzGgAwIBAgIUQLKqMu7qL4R1u4/sLphWcBxm9g0wDQYJKoZIhvcNAQEL |
||
+ | BQAwgcAxEDAOBgNVBAYTB1VrcmFpbmUxEDAOBgNVBAcTB0toYXJrb3YxLTAPBgNV |
||
− | BQAwgb0xEDAOBgNVBAYTB1VrcmFpbmUxEDAOBgNVBAcTB0toYXJrb3YxLTAPBgNV |
||
BAkTCGFwcC4gMTMxMBoGA1UECRMTTHVpIFBhc3RlcmEgU3QuIDMyMjEOMAwGA1UE |
BAkTCGFwcC4gMTMxMBoGA1UECRMTTHVpIFBhc3RlcmEgU3QuIDMyMjEOMAwGA1UE |
||
+ | ERMFNjExNzIxFTATBgNVBAoTDEhvbWUgTmV0d29yazELMAkGA1UECxMCSVQxNzA1 |
||
− | ERMFNjExNzIxFTATBgNVBAoTDEhvbWUgTmV0d29yazELMAkGA1UECxMCSVQxNDAy |
||
+ | BgNVBAMTLlJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IGZvciBIb21lIE5ldHdv |
||
− | BgNVBAMTK1Jvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IGZvciBIb21lIE5ldHdv |
||
+ | cmsgdjIwHhcNMjIxMDAyMTYxNjU1WhcNNDIwOTI3MTYxNzI1WjCBtjEQMA4GA1UE |
||
− | cmswHhcNMjExMDExMDkyMjM3WhcNNDExMDA2MDkyMzA3WjCBmTEQMA4GA1UEBhMH |
||
+ | BhMHVWtyYWluZTEQMA4GA1UEBxMHS2hhcmtvdjElMCMGA1UECRMcTHVpIFBhc3Rl |
||
− | VWtyYWluZTEQMA4GA1UEBxMHS2hhcmtvdjElMCMGA1UECRMcTHVpIFBhc3RlcmEg |
||
+ | cmEgc3QuIDMyMiBhcHAuIDEzMTEOMAwGA1UEERMFNjExNzIxITAfBgNVBAoTGEs4 |
||
− | c3QuIDMyMiBhcHAuIDEzMTEOMAwGA1UEERMFNjExNzIxFTATBgNVBAoTDEhvbWUg |
||
+ | cyBUaGUgSGFyZGVzdCBXYXkgTGFiczELMAkGA1UECxMCSVQxKTAnBgNVBAMTIElu |
||
− | TmV0d29yazELMAkGA1UECxMCSVQxGDAWBgNVBAMTD0ludGVybWVkaWF0ZSBDQTCC |
||
+ | dGVybWVkaWF0ZSBDQSBmb3Igc2VydmljZSBFVENkMIIBIjANBgkqhkiG9w0BAQEF |
||
− | ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMgmWZZFkFcuAzKZa2VQKf37 |
||
+ | AAOCAQ8AMIIBCgKCAQEAw+BKXwFhQKQPN2oycnHz1OVaKt2wO/jSwlwIgL8Uqhsy |
||
− | cjUFLVb4rLJrZOC5z1FuWFzKPNvUOyG2QkB2iGbdvA+cQII/ILcBEo7I3zGt6lg6 |
||
+ | l1aVsEwOGZl4WSg+8O6WZYjMzOk8Xv5DVNulHEec2RbzfCyeejE9N5HTKb6LEN5S |
||
− | WmGyff4ve2mM5++rtNIleXX3iCORREbsCHPYUH+g+rT531gtgH9NMKHYfav7eRcx |
||
+ | X/81WyM6YfjRbZ+5BnqPdL8Mt8YbF04VzlOz5qREdNPIPmd8iwzCDEO0wNJp/2g3 |
||
− | f4HIlNwgdD7Tf7oSvvf5/So6ZjLL9TrWWaNgZBPOWEvHMFZnXG8s0kpowahkeAPI |
||
+ | 26DHwSqdC0GfmlDNqnUTVvnxHkk+Gsn7Zx6gfg2pcpu7hlpanNUftGNOt/UA6mSc |
||
− | nXlsvIJy5KnQZgWcGG3C9LcEvrC+6Gifk0FOMt2c9HNgDyxs+rRJWmlRDJ1pVje9 |
||
+ | IGNH1mnGX4OMFyHaqAljSWcPfvepoUqe0ZMOhkpEl6oI0EhigHyjwpzMULjp1JhP |
||
− | 0EbceyharZ32FCzpznpTKylrGmyQqOkR2lKn//+N9DZwcC6ngB5AFBqKd74R/MUC |
||
+ | MGiTBBBThH3CgCT7Ixkja/wjQQkKcW2xgXueuQ27FwIDAQABo4HuMIHrMA4GA1Ud |
||
− | AwEAAaNjMGEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O |
||
+ | DwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRAf2zV00Ozzw9c |
||
− | BBYEFFfMF8/PIZRxQrirBnz9/EVt+WpPMB8GA1UdIwQYMBaAFNs6c3oDJS4XSEZY |
||
+ | ludrrD8ZTYtJNDAfBgNVHSMEGDAWgBQC+IUrdfjhHGkoMDIhLYZxr6vsPDBIBggr |
||
− | Zxmthi4EPevsMA0GCSqGSIb3DQEBCwUAA4IBAQCI5j1vsxGmb2zhd1p7rLJibntp |
||
+ | BgEFBQcBAQQ8MDowOAYIKwYBBQUHMAKGLGh0dHA6Ly92YXVsdC5ob21lOjgyMDAv |
||
− | JHxTg0qG9pDKzO3erUDia53ifTRchRjNqgcdTJO89MbCVpMcK88+E01X3KtGZMFR |
||
+ | djEvazhzX3BraV9yb290X2NhL2NhMD4GA1UdHwQ3MDUwM6AxoC+GLWh0dHA6Ly92 |
||
− | 3V4I1Gmptdg4luicYzrO92S40CiRHr9UFz8Cftg9JxGZAk0MN3ScpjtxPM1fZs4d |
||
+ | YXVsdC5ob21lOjgyMDAvdjEvazhzX3BraV9yb290X2NhL2NybDANBgkqhkiG9w0B |
||
− | 2INtQtyjtZ/I86itogPsKHo7hrIdo9IGmFa7OHuul/uYl3Z9cNLOAEHcBFarQ9Vn |
||
+ | AQsFAAOCAQEAAGRmGgzdHM5w00Xos03Be0jat24CSQskVCAHFhV9dJN7v4YVuZUG |
||
− | vQmPpdaq3t4ArwFHRrn5ZMgM9HbvRbgr3ns5U4uX9TdSefHashoAuVGvIFquMpVj |
||
+ | HVsb2m0MQmw5b3WGo2J9lNqIO0ETgnzqvye+Zj3DcetYaHZ300Rpv5QFqQNdebQY |
||
− | 0ajUAed1yuVd7S2USE1s8RyN7j3t0D7FG7pRECTBnZYKqBc7OI2YdiwdPvQH |
||
+ | O8MP03NvqPrlsscGmjWQ8swKRKIBjsIgVlQuWMK/30k5QXEX9Nys/p3gl+OfK6MA |
||
+ | nhKE6vYOneNpXTHJOly/0boyNf+/+MkFgFeLbe/gxNgyJu8CVYfaGjQ4FQNqDoy3 |
||
+ | lMdepwKstmOo05m3/6qs6jEfVVjSf90hMbBbdelzpe3/ectYEc5ZqRdqNfeo5luR |
||
+ | MYmvkBormMQyOa3qsXCOjcyxQZ4hvXIVJA== |
||
-----END CERTIFICATE----- |
-----END CERTIFICATE----- |
||
</PRE> |
</PRE> |
||
− | + | ==Детали сертефиката== |
|
+ | <PRE> |
||
+ | openssl x509 -in k8s_pki_intermediate_ca_for_service_etcd_certificate.pem -noout -text |
||
+ | </PRE> |
||
<PRE> |
<PRE> |
||
− | openssl x509 -in intermediateCA.cert.pem -noout -text |
||
Certificate: |
Certificate: |
||
Data: |
Data: |
||
Version: 3 (0x2) |
Version: 3 (0x2) |
||
Serial Number: |
Serial Number: |
||
− | + | 4f:e4:f5:36:6e:7f:f1:68:c4:26:6c:97:c1:21:bb:46:54:6d:98:93 |
|
Signature Algorithm: sha256WithRSAEncryption |
Signature Algorithm: sha256WithRSAEncryption |
||
− | Issuer: C = Ukraine, L = Kharkov, street = app. 131 + street = Lui Pastera St. 322, postalCode = 61172, O = Home Network, OU = IT, CN = Root Certificate Authority for Home Network |
+ | Issuer: C = Ukraine, L = Kharkov, street = app. 131 + street = Lui Pastera St. 322, postalCode = 61172, O = Home Network, OU = IT, CN = Root Certificate Authority for Home Network v2 |
Validity |
Validity |
||
− | Not Before: Oct |
+ | Not Before: Oct 2 16:16:55 2022 GMT |
− | Not After : |
+ | Not After : Sep 27 16:17:25 2042 GMT |
− | Subject: C = Ukraine, L = Kharkov, street = Lui Pastera st. 322 app. 131, postalCode = 61172, O = |
+ | Subject: C = Ukraine, L = Kharkov, street = Lui Pastera st. 322 app. 131, postalCode = 61172, O = K8s The Hardest Way Labs, OU = IT, CN = Intermediate CA for service ETCd |
Subject Public Key Info: |
Subject Public Key Info: |
||
Public Key Algorithm: rsaEncryption |
Public Key Algorithm: rsaEncryption |
||
RSA Public-Key: (2048 bit) |
RSA Public-Key: (2048 bit) |
||
Modulus: |
Modulus: |
||
− | 00: |
+ | 00:c3:e0:4a:5f:01:61:40:a4:0f:37:6a:32:72:71: |
− | + | f3:d4:e5:5a:2a:dd:b0:3b:f8:d2:c2:5c:08:80:bf: |
|
− | + | 14:aa:1b:32:97:56:95:b0:4c:0e:19:99:78:59:28: |
|
− | + | 3e:f0:ee:96:65:88:cc:cc:e9:3c:5e:fe:43:54:db: |
|
− | + | a5:1c:47:9c:d9:16:f3:7c:2c:9e:7a:31:3d:37:91: |
|
− | + | d3:29:be:8b:10:de:52:5f:ff:35:5b:23:3a:61:f8: |
|
− | + | d1:6d:9f:b9:06:7a:8f:74:bf:0c:b7:c6:1b:17:4e: |
|
− | + | 15:ce:53:b3:e6:a4:44:74:d3:c8:3e:67:7c:8b:0c: |
|
− | + | c2:0c:43:b4:c0:d2:69:ff:68:37:db:a0:c7:c1:2a: |
|
− | + | 9d:0b:41:9f:9a:50:cd:aa:75:13:56:f9:f1:1e:49: |
|
− | + | 3e:1a:c9:fb:67:1e:a0:7e:0d:a9:72:9b:bb:86:5a: |
|
− | + | 5a:9c:d5:1f:b4:63:4e:b7:f5:00:ea:64:9c:20:63: |
|
− | + | 47:d6:69:c6:5f:83:8c:17:21:da:a8:09:63:49:67: |
|
− | 0f: |
+ | 0f:7e:f7:a9:a1:4a:9e:d1:93:0e:86:4a:44:97:aa: |
− | d0: |
+ | 08:d0:48:62:80:7c:a3:c2:9c:cc:50:b8:e9:d4:98: |
− | + | 4f:30:68:93:04:10:53:84:7d:c2:80:24:fb:23:19: |
|
− | + | 23:6b:fc:23:41:09:0a:71:6d:b1:81:7b:9e:b9:0d: |
|
− | + | bb:17 |
|
Exponent: 65537 (0x10001) |
Exponent: 65537 (0x10001) |
||
X509v3 extensions: |
X509v3 extensions: |
||
Строка 271: | Строка 294: | ||
CA:TRUE |
CA:TRUE |
||
X509v3 Subject Key Identifier: |
X509v3 Subject Key Identifier: |
||
− | + | 40:7F:6C:D5:D3:43:B3:CF:0F:5C:96:E7:6B:AC:3F:19:4D:8B:49:34 |
|
X509v3 Authority Key Identifier: |
X509v3 Authority Key Identifier: |
||
− | keyid: |
+ | keyid:02:F8:85:2B:75:F8:E1:1C:69:28:30:32:21:2D:86:71:AF:AB:EC:3C |
+ | |||
+ | Authority Information Access: |
||
+ | CA Issuers - URI:http://vault.home:8200/v1/k8s_pki_root_ca/ca |
||
+ | |||
+ | X509v3 CRL Distribution Points: |
||
+ | |||
+ | Full Name: |
||
+ | URI:http://vault.home:8200/v1/k8s_pki_root_ca/crl |
||
Signature Algorithm: sha256WithRSAEncryption |
Signature Algorithm: sha256WithRSAEncryption |
||
− | + | 00:64:66:1a:0c:dd:1c:ce:70:d3:45:e8:b3:4d:c1:7b:48:da: |
|
− | + | b7:6e:02:49:0b:24:54:20:07:16:15:7d:74:93:7b:bf:86:15: |
|
− | + | b9:95:06:1d:5b:1b:da:6d:0c:42:6c:39:6f:75:86:a3:62:7d: |
|
− | + | 94:da:88:3b:41:13:82:7c:ea:bf:27:be:66:3d:c3:71:eb:58: |
|
− | + | 68:76:77:d3:44:69:bf:94:05:a9:03:5d:79:b4:18:3b:c3:0f: |
|
− | + | d3:73:6f:a8:fa:e5:b2:c7:06:9a:35:90:f2:cc:0a:44:a2:01: |
|
− | + | 8e:c2:20:56:54:2e:58:c2:bf:df:49:39:41:71:17:f4:dc:ac: |
|
− | + | fe:9d:e0:97:e3:9f:2b:a3:00:9e:12:84:ea:f6:0e:9d:e3:69: |
|
− | + | 5d:31:c9:3a:5c:bf:d1:ba:32:35:ff:bf:f8:c9:05:80:57:8b: |
|
− | + | 6d:ef:e0:c4:d8:32:26:ef:02:55:87:da:1a:34:38:15:03:6a: |
|
− | + | 0e:8c:b7:94:c7:5e:a7:02:ac:b6:63:a8:d3:99:b7:ff:aa:ac: |
|
− | + | ea:31:1f:55:58:d2:7f:dd:21:31:b0:5b:75:e9:73:a5:ed:ff: |
|
− | + | 79:cb:58:11:ce:59:a9:17:6a:35:f7:a8:e6:5b:91:31:89:af: |
|
− | + | 90:1a:2b:98:c4:32:39:ad:ea:b1:70:8e:8d:cc:b1:41:9e:21: |
|
− | + | bd:72:15:24 |
|
</PRE> |
</PRE> |
||
+ | ==Валидация с помошью корневого CA== |
||
+ | * '''k8s_root_certificate.pem''' это файл корневого СА (получен при создании корневого сертификата [[Vault_PKI_Kubernetes_the_hard_way_v2_Root_CA#.D0.9F.D0.BE.D0.B4.D0.B3.D0.BE.D1.82.D0.BE.D0.B2.D0.BA.D0.B0_.D1.84.D0.B0.D0.B9.D0.BB.D0.BE.D0.B2_.D1.81_.D1.81.D0.B5.D1.80.D1.82.D0.B5.D1.84.D0.B8.D0.BA.D0.B0.D1.82.D0.BE.D0.BC_.D0.B8_.D0.BA.D0.BB.D1.8E.D1.87.D0.B5.D0.BC|Корневой CA]]) |
||
+ | * В общем случае этот файл НЕ ЯВЛЯЕТСЯ секретными и всегда должен быть доступен для получения так как именно с ним происходит проверка сертификатов |
||
− | ====Валидация с помошью корневого CA==== |
||
<PRE> |
<PRE> |
||
+ | echo "-----BEGIN CERTIFICATE-----" > k8s_root_certificate.pem && curl "http://vault.home:8200/v1/k8s_pki_root_ca/ca" | base64 >> k8s_root_certificate.pem && echo "-----END CERTIFICATE-----" >> k8s_root_certificate.pem |
||
− | openssl verify -verbose -CAfile rootCA.pem intermediateCA.cert.pem |
||
− | intermediateCA.cert.pem: OK |
||
</PRE> |
</PRE> |
||
− | ===Конфигурация Vault для использования промежуточного CA=== |
||
− | ====Загрузка промежуточного сертефиката==== |
||
<PRE> |
<PRE> |
||
+ | openssl \ |
||
− | vault write pki_intermediate_ca/intermediate/set-signed \ |
||
+ | verify \ |
||
− | certificate=@intermediateCA.cert.pem |
||
+ | -verbose \ |
||
+ | -CAfile k8s_root_certificate.pem \ |
||
+ | k8s_pki_intermediate_ca_for_service_etcd_certificate.pem</PRE> |
||
+ | </PRE> |
||
+ | <PRE> |
||
+ | k8s_pki_intermediate_ca_for_service_etcd_certificate.pem: OK |
||
+ | </PRE> |
||
+ | |||
+ | ==Валидация ключа== |
||
+ | Для того что бы проверить подходит ли ключ к сертификату нужно выполнить 2 команды, результат должен совпасть |
||
+ | <PRE> |
||
+ | openssl rsa -noout -modulus -in k8s_pki_intermediate_ca_for_service_etcd_certificate.key | openssl md5 |
||
+ | </PRE> |
||
+ | <PRE> |
||
+ | (stdin)= c026a652ba528c71304454f4088b0669 |
||
+ | </PRE> |
||
+ | <PRE> |
||
+ | openssl x509 -noout -modulus -in k8s_pki_intermediate_ca_for_service_etcd_certificate.pem | openssl md5 |
||
+ | </PRE> |
||
+ | <PRE> |
||
+ | (stdin)= c026a652ba528c71304454f4088b0669 |
||
+ | </PRE> |
||
+ | |||
+ | =Конфигурация Vault для использования промежуточного CA= |
||
+ | ==Загрузка промежуточного сертефиката== |
||
+ | * '''k8s_pki_intermediate_ca_for_service_etcd_certificate.pem''' - имя файла (сохранен на предыдущем шаге) |
||
+ | |||
+ | <PRE> |
||
+ | vault \ |
||
+ | write \ |
||
+ | k8s_pki_intermediate_ca_for_service_etcd/intermediate/set-signed \ |
||
+ | certificate=@k8s_pki_intermediate_ca_for_service_etcd_certificate.pem</PRE> |
||
+ | |||
+ | <PRE> |
||
+ | Success! Data written to: k8s_pki_intermediate_ca_for_service_etcd/intermediate/set-signed |
||
+ | </PRE> |
||
+ | |||
+ | Если же использовался экспортируемый сертификат то требуется добавить ключ |
||
+ | <PRE> |
||
+ | vault \ |
||
+ | write \ |
||
+ | k8s_pki_intermediate_ca_for_service_etcd/intermediate/set-signed \ |
||
+ | certificate=@k8s_pki_intermediate_ca_for_service_etcd_certificate.pem \ |
||
+ | key=@k8s_pki_intermediate_ca_for_service_etcd_certificate.key |
||
</PRE> |
</PRE> |
||
− | + | ==Configure URLs== |
|
<PRE> |
<PRE> |
||
− | vault write |
+ | vault write k8s_pki_intermediate_ca_for_service_etcd/config/urls \ |
− | issuing_certificates="http://vault.home:8200/v1/ |
+ | issuing_certificates="http://vault.home:8200/v1/k8s_pki_intermediate_ca_for_service_etcd/ca" \ |
− | crl_distribution_points="http://vault.home:8200/v1/ |
+ | crl_distribution_points="http://vault.home:8200/v1/k8s_pki_intermediate_ca_for_service_etcd/crl" |
</PRE> |
</PRE> |
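Review bot: `curl "http://vault.home:8200/v1/k8s_pki_root_ca/ca" | base64 >> k8s_root_certificate.pem` fetches the trust anchor over plain HTTP and wraps the raw DER by hand; the `openssl verify` that follows is only as strong as that file, so compare its fingerprint (`openssl x509 -noout -fingerprint -sha256 -in k8s_root_certificate.pem`) with the root recorded when that CA was created before trusting the `OK`. Vault also serves the same certificate ready-made at `/v1/k8s_pki_root_ca/ca/pem`, which removes the hand-built BEGIN/END lines. Formatting: the verify and set-signed blocks end with `</PRE>` fused onto the last command line, and the verify block then has a second `</PRE>` on its own line, which leaves a stray tag in the rendered page.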
Current revision as of 19:50, 14 November 2022
Creating a CA for the etcd cluster
This page is part of a larger article about the CAs used in k8s: Vault_PKI_Kubernetes_the_hard_way_v2
Goal: set up an intermediate CA for the etcd service.
Vault configuration
- I try to give the path a more or less meaningful name (k8s_pki_intermediate_ca_for_service_etcd)
- PKI (the last line) is the secrets engine type
<PRE>
vault \
  secrets \
  enable \
  -path=k8s_pki_intermediate_ca_for_service_etcd \
  -description="PKI Intermediate CA for ETCd service" \
  -max-lease-ttl="175200h" \
  pki
</PRE>
<PRE>
Success! Enabled the pki secrets engine at: k8s_pki_intermediate_ca_for_service_etcd/
</PRE>
Generating a certificate signing request for the intermediate CA
Important: the internal suffix (k8s_pki_intermediate_ca_for_service_etcd/intermediate/generate/internal) means that the private key stays inside Vault, so the certificate cannot be used outside Vault.
This example does not plan for such use, but if it is needed, the exported suffix should be used instead.
<PRE>
vault \
  write \
  -format=json \
  k8s_pki_intermediate_ca_for_service_etcd/intermediate/generate/internal \
  common_name="Intermediate CA for service ETCd" \
  country="Ukraine" \
  locality="Kharkov" \
  street_address="Lui Pastera st. 322 app. 131" \
  postal_code="61172" \
  organization="K8s The Hardest Way Labs" \
  ou="IT" \
  ttl="175200h" > k8s_pki_intermediate_ca_for_service_etcd_csr.json
</PRE>
If the exported variant is used, the key has to be saved as well:
<PRE>
# the key file must not be world-readable, and a rerun must overwrite it rather than append
umask 077
cat \
  k8s_pki_intermediate_ca_for_service_etcd_csr.json | \
  jq -r '.data.private_key' > k8s_pki_intermediate_ca_for_service_etcd_certificate.key
</PRE>
Viewing the results
Raw output
<PRE>
cat k8s_pki_intermediate_ca_for_service_etcd_csr.json
</PRE>
Saving the request to a file
- Check what came out in a more or less readable form (at first glance it looks correct)
<PRE>
cat k8s_pki_intermediate_ca_for_service_etcd_csr.json | jq -r .data.csr
</PRE>
<PRE>
-----BEGIN CERTIFICATE REQUEST-----
MIIC/DCCAeQCAQAwgbYxEDAOBgNVBAYTB1VrcmFpbmUxEDAOBgNVBAcTB0toYXJr
b3YxJTAjBgNVBAkTHEx1aSBQYXN0ZXJhIHN0LiAzMjIgYXBwLiAxMzExDjAMBgNV
BBETBTYxMTcyMSEwHwYDVQQKExhLOHMgVGhlIEhhcmRlc3QgV2F5IExhYnMxCzAJ
BgNVBAsTAklUMSkwJwYDVQQDEyBJbnRlcm1lZGlhdGUgQ0EgZm9yIHNlcnZpY2Ug
RVRDZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMPgSl8BYUCkDzdq
MnJx89TlWirdsDv40sJcCIC/FKobMpdWlbBMDhmZeFkoPvDulmWIzMzpPF7+Q1Tb
pRxHnNkW83wsnnoxPTeR0ym+ixDeUl//NVsjOmH40W2fuQZ6j3S/DLfGGxdOFc5T
s+akRHTTyD5nfIsMwgxDtMDSaf9oN9ugx8EqnQtBn5pQzap1E1b58R5JPhrJ+2ce
oH4NqXKbu4ZaWpzVH7RjTrf1AOpknCBjR9Zpxl+DjBch2qgJY0lnD373qaFKntGT
DoZKRJeqCNBIYoB8o8KczFC46dSYTzBokwQQU4R9woAk+yMZI2v8I0EJCnFtsYF7
nrkNuxcCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQAciGGKja/BVKEfe0qwvl7u
itik2Evmp0pOFbxaajgEOztIms/a9GEanFM1HOLVlvehZWBjYUv/D5E1SNNfyIrV
YCVvq0PViXB92el98sI9CYI7BkHQT8l7EMepehVgZbJ6pHzic7S4fxNB9Gcza10O
FsuallqiCYndR2Ps/fOXbm40OAP+BndIuvjVcIRlXSIWTl910DORxysyP9otf3PG
cW8kWMbAcHeMtlgPdS/ebG65WNzjSOws+ty9t4+wWMO6xI5rDTEhCdObsIJdhGaZ
NPi9bcG017rJUwrNz7dHvpAFv0k+tsbJLmUaRwut+Gpk5Wr4pu4YAXhwuwwpdf64
-----END CERTIFICATE REQUEST-----
</PRE>
Save only the needed part to a file:
<PRE>
cat k8s_pki_intermediate_ca_for_service_etcd_csr.json | jq -r .data.csr > k8s_pki_intermediate_ca_for_service_etcd.csr
</PRE>
- Check in more detail
<PRE>
openssl req -in k8s_pki_intermediate_ca_for_service_etcd.csr -text
</PRE>
Generating the certificate from the request
- @k8s_pki_intermediate_ca_for_service_etcd.csr is the file name (with the @ prefix) holding the certificate signing request saved in the previous step
Creating the CA certificate from the request
<PRE>
vault \
  write \
  -format=json \
  k8s_pki_root_ca/root/sign-intermediate \
  csr=@k8s_pki_intermediate_ca_for_service_etcd.csr \
  country="Ukraine" \
  locality="Kharkov" \
  street_address="Lui Pastera st. 322 app. 131" \
  postal_code="61172" \
  organization="K8s The Hardest Way Labs" \
  ou="IT" \
  format=pem_bundle \
  ttl="175200h" > k8s_pki_intermediate_ca_for_service_etcd_pem_bundle.json
</PRE>
"Raw" result
<PRE>
cat k8s_pki_intermediate_ca_for_service_etcd_pem_bundle.json
</PRE>
PEM file
<PRE>
cat k8s_pki_intermediate_ca_for_service_etcd_pem_bundle.json | jq -r .data.certificate > k8s_pki_intermediate_ca_for_service_etcd_certificate.pem
</PRE>
<PRE>
-----BEGIN CERTIFICATE-----
MIIE9TCCA92gAwIBAgIUT+T1Nm5/8WjEJmyXwSG7RlRtmJMwDQYJKoZIhvcNAQEL
BQAwgcAxEDAOBgNVBAYTB1VrcmFpbmUxEDAOBgNVBAcTB0toYXJrb3YxLTAPBgNV
BAkTCGFwcC4gMTMxMBoGA1UECRMTTHVpIFBhc3RlcmEgU3QuIDMyMjEOMAwGA1UE
ERMFNjExNzIxFTATBgNVBAoTDEhvbWUgTmV0d29yazELMAkGA1UECxMCSVQxNzA1
BgNVBAMTLlJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IGZvciBIb21lIE5ldHdv
cmsgdjIwHhcNMjIxMDAyMTYxNjU1WhcNNDIwOTI3MTYxNzI1WjCBtjEQMA4GA1UE
BhMHVWtyYWluZTEQMA4GA1UEBxMHS2hhcmtvdjElMCMGA1UECRMcTHVpIFBhc3Rl
cmEgc3QuIDMyMiBhcHAuIDEzMTEOMAwGA1UEERMFNjExNzIxITAfBgNVBAoTGEs4
cyBUaGUgSGFyZGVzdCBXYXkgTGFiczELMAkGA1UECxMCSVQxKTAnBgNVBAMTIElu
dGVybWVkaWF0ZSBDQSBmb3Igc2VydmljZSBFVENkMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAw+BKXwFhQKQPN2oycnHz1OVaKt2wO/jSwlwIgL8Uqhsy
l1aVsEwOGZl4WSg+8O6WZYjMzOk8Xv5DVNulHEec2RbzfCyeejE9N5HTKb6LEN5S
X/81WyM6YfjRbZ+5BnqPdL8Mt8YbF04VzlOz5qREdNPIPmd8iwzCDEO0wNJp/2g3
26DHwSqdC0GfmlDNqnUTVvnxHkk+Gsn7Zx6gfg2pcpu7hlpanNUftGNOt/UA6mSc
IGNH1mnGX4OMFyHaqAljSWcPfvepoUqe0ZMOhkpEl6oI0EhigHyjwpzMULjp1JhP
MGiTBBBThH3CgCT7Ixkja/wjQQkKcW2xgXueuQ27FwIDAQABo4HuMIHrMA4GA1Ud
DwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRAf2zV00Ozzw9c
ludrrD8ZTYtJNDAfBgNVHSMEGDAWgBQC+IUrdfjhHGkoMDIhLYZxr6vsPDBIBggr
BgEFBQcBAQQ8MDowOAYIKwYBBQUHMAKGLGh0dHA6Ly92YXVsdC5ob21lOjgyMDAv
djEvazhzX3BraV9yb290X2NhL2NhMD4GA1UdHwQ3MDUwM6AxoC+GLWh0dHA6Ly92
YXVsdC5ob21lOjgyMDAvdjEvazhzX3BraV9yb290X2NhL2NybDANBgkqhkiG9w0B
AQsFAAOCAQEAAGRmGgzdHM5w00Xos03Be0jat24CSQskVCAHFhV9dJN7v4YVuZUG
HVsb2m0MQmw5b3WGo2J9lNqIO0ETgnzqvye+Zj3DcetYaHZ300Rpv5QFqQNdebQY
O8MP03NvqPrlsscGmjWQ8swKRKIBjsIgVlQuWMK/30k5QXEX9Nys/p3gl+OfK6MA
nhKE6vYOneNpXTHJOly/0boyNf+/+MkFgFeLbe/gxNgyJu8CVYfaGjQ4FQNqDoy3
lMdepwKstmOo05m3/6qs6jEfVVjSf90hMbBbdelzpe3/ectYEc5ZqRdqNfeo5luR
MYmvkBormMQyOa3qsXCOjcyxQZ4hvXIVJA==
-----END CERTIFICATE-----
</PRE>
Certificate details
<PRE>
openssl x509 -in k8s_pki_intermediate_ca_for_service_etcd_certificate.pem -noout -text
</PRE>
<PRE>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4f:e4:f5:36:6e:7f:f1:68:c4:26:6c:97:c1:21:bb:46:54:6d:98:93
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = Ukraine, L = Kharkov, street = app. 131 + street = Lui Pastera St. 322, postalCode = 61172, O = Home Network, OU = IT, CN = Root Certificate Authority for Home Network v2
        Validity
            Not Before: Oct  2 16:16:55 2022 GMT
            Not After : Sep 27 16:17:25 2042 GMT
        Subject: C = Ukraine, L = Kharkov, street = Lui Pastera st. 322 app. 131, postalCode = 61172, O = K8s The Hardest Way Labs, OU = IT, CN = Intermediate CA for service ETCd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c3:e0:4a:5f:01:61:40:a4:0f:37:6a:32:72:71:
                    f3:d4:e5:5a:2a:dd:b0:3b:f8:d2:c2:5c:08:80:bf:
                    14:aa:1b:32:97:56:95:b0:4c:0e:19:99:78:59:28:
                    3e:f0:ee:96:65:88:cc:cc:e9:3c:5e:fe:43:54:db:
                    a5:1c:47:9c:d9:16:f3:7c:2c:9e:7a:31:3d:37:91:
                    d3:29:be:8b:10:de:52:5f:ff:35:5b:23:3a:61:f8:
                    d1:6d:9f:b9:06:7a:8f:74:bf:0c:b7:c6:1b:17:4e:
                    15:ce:53:b3:e6:a4:44:74:d3:c8:3e:67:7c:8b:0c:
                    c2:0c:43:b4:c0:d2:69:ff:68:37:db:a0:c7:c1:2a:
                    9d:0b:41:9f:9a:50:cd:aa:75:13:56:f9:f1:1e:49:
                    3e:1a:c9:fb:67:1e:a0:7e:0d:a9:72:9b:bb:86:5a:
                    5a:9c:d5:1f:b4:63:4e:b7:f5:00:ea:64:9c:20:63:
                    47:d6:69:c6:5f:83:8c:17:21:da:a8:09:63:49:67:
                    0f:7e:f7:a9:a1:4a:9e:d1:93:0e:86:4a:44:97:aa:
                    08:d0:48:62:80:7c:a3:c2:9c:cc:50:b8:e9:d4:98:
                    4f:30:68:93:04:10:53:84:7d:c2:80:24:fb:23:19:
                    23:6b:fc:23:41:09:0a:71:6d:b1:81:7b:9e:b9:0d:
                    bb:17
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                40:7F:6C:D5:D3:43:B3:CF:0F:5C:96:E7:6B:AC:3F:19:4D:8B:49:34
            X509v3 Authority Key Identifier:
                keyid:02:F8:85:2B:75:F8:E1:1C:69:28:30:32:21:2D:86:71:AF:AB:EC:3C
            Authority Information Access:
                CA Issuers - URI:http://vault.home:8200/v1/k8s_pki_root_ca/ca
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://vault.home:8200/v1/k8s_pki_root_ca/crl
    Signature Algorithm: sha256WithRSAEncryption
         00:64:66:1a:0c:dd:1c:ce:70:d3:45:e8:b3:4d:c1:7b:48:da:
         b7:6e:02:49:0b:24:54:20:07:16:15:7d:74:93:7b:bf:86:15:
         b9:95:06:1d:5b:1b:da:6d:0c:42:6c:39:6f:75:86:a3:62:7d:
         94:da:88:3b:41:13:82:7c:ea:bf:27:be:66:3d:c3:71:eb:58:
         68:76:77:d3:44:69:bf:94:05:a9:03:5d:79:b4:18:3b:c3:0f:
         d3:73:6f:a8:fa:e5:b2:c7:06:9a:35:90:f2:cc:0a:44:a2:01:
         8e:c2:20:56:54:2e:58:c2:bf:df:49:39:41:71:17:f4:dc:ac:
         fe:9d:e0:97:e3:9f:2b:a3:00:9e:12:84:ea:f6:0e:9d:e3:69:
         5d:31:c9:3a:5c:bf:d1:ba:32:35:ff:bf:f8:c9:05:80:57:8b:
         6d:ef:e0:c4:d8:32:26:ef:02:55:87:da:1a:34:38:15:03:6a:
         0e:8c:b7:94:c7:5e:a7:02:ac:b6:63:a8:d3:99:b7:ff:aa:ac:
         ea:31:1f:55:58:d2:7f:dd:21:31:b0:5b:75:e9:73:a5:ed:ff:
         79:cb:58:11:ce:59:a9:17:6a:35:f7:a8:e6:5b:91:31:89:af:
         90:1a:2b:98:c4:32:39:ad:ea:b1:70:8e:8d:cc:b1:41:9e:21:
         bd:72:15:24
</PRE>
Validation against the root CA
- k8s_root_certificate.pem is the root CA file (obtained when the root certificate was created: Root CA)
- In general this file IS NOT secret and must always be available for download, because it is what certificates are verified against
<PRE>
echo "-----BEGIN CERTIFICATE-----" > k8s_root_certificate.pem && \
curl "http://vault.home:8200/v1/k8s_pki_root_ca/ca" | base64 >> k8s_root_certificate.pem && \
echo "-----END CERTIFICATE-----" >> k8s_root_certificate.pem
</PRE>
<PRE>
openssl \
  verify \
  -verbose \
  -CAfile k8s_root_certificate.pem \
  k8s_pki_intermediate_ca_for_service_etcd_certificate.pem
</PRE>
<PRE>
k8s_pki_intermediate_ca_for_service_etcd_certificate.pem: OK
</PRE>
Key validation
To check whether the key matches the certificate, run the two commands below; their output must match
<PRE>
openssl rsa -noout -modulus -in k8s_pki_intermediate_ca_for_service_etcd_certificate.key | openssl md5
</PRE>
<PRE>
(stdin)= c026a652ba528c71304454f4088b0669
</PRE>
<PRE>
openssl x509 -noout -modulus -in k8s_pki_intermediate_ca_for_service_etcd_certificate.pem | openssl md5
</PRE>
<PRE>
(stdin)= c026a652ba528c71304454f4088b0669
</PRE>
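The whole flow above (intermediate CSR, signing by the root with CA extensions, chain verification against the root, key/certificate match) as an added example that is not part of the original page: it uses openssl in place of Vault for key generation and for the root's signing step so that it runs offline, and it generalizes the page's md5-of-modulus check to a comparison of the public keys, which also works for non-RSA keys. All file prefixes, subject names and the http://vault.example/v1/demo_root_ca URL are constructed demo values, not the page's own.

```shell
#!/bin/sh
# Added example (not from the wiki page): the page's CSR -> sign-intermediate ->
# verify -> key-check flow reproduced with openssl alone, so it runs offline.
# openssl stands in for Vault's root/sign-intermediate; every file prefix, subject
# and URL below is a constructed demo value.
set -eu

# Minimal req config so `openssl req` works even where no openssl.cnf is installed.
write_req_config() {      # $1 = output file
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
}

# CA extensions mirroring what the page's `openssl x509 -text` output shows:
# critical CA:TRUE, keyCertSign/cRLSign, SKID. With a base URL, also add the
# AIA and CRL pointers that Vault fills in from the issuer's config/urls.
write_ca_extfile() {      # $1 = output file, $2 = optional issuer base URL
    {
        echo 'basicConstraints=critical,CA:TRUE'
        echo 'keyUsage=critical,keyCertSign,cRLSign'
        echo 'subjectKeyIdentifier=hash'
        if [ -n "${2:-}" ]; then
            echo "authorityInfoAccess=caIssuers;URI:$2/ca"
            echo "crlDistributionPoints=URI:$2/crl"
        fi
    } > "$1"
}

# Self-signed root CA. The key is created under umask 077 so the file is 0600,
# which the page's exported-key step should ensure as well.
make_root_ca() {          # $1 = file prefix
    ( umask 077; openssl genrsa -out "$1.key" 2048 2>/dev/null )
    write_req_config "$1.cnf"
    openssl req -new -config "$1.cnf" -key "$1.key" \
        -subj "/O=Demo Labs/CN=Demo Root CA $1" -out "$1.csr"
    write_ca_extfile "$1.ext"
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 \
        -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

# Intermediate CA: its own key and CSR, signed by the root with CA extensions
# (the role Vault's root/sign-intermediate plays for the page's etcd CA).
make_intermediate() {     # $1 = root prefix, $2 = intermediate prefix, $3 = issuer URL
    ( umask 077; openssl genrsa -out "$2.key" 2048 2>/dev/null )
    write_req_config "$2.cnf"
    openssl req -new -config "$2.cnf" -key "$2.key" \
        -subj "/O=Demo Labs/CN=Intermediate CA for service ETCd" -out "$2.csr"
    write_ca_extfile "$2.ext" "$3"
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
        -days 30 -extfile "$2.ext" -out "$2.pem" 2>/dev/null
}

# Chain check, as the page does with `openssl verify -CAfile root.pem intermediate.pem`.
verify_chain() {          # $1 = trusted root PEM, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Key/certificate match: compare the SubjectPublicKeyInfo from both sides.
# Unlike the md5-of-modulus comparison this also works for EC and Ed25519 keys.
key_matches_cert() {      # $1 = private key PEM, $2 = certificate PEM
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# True when the -text dump of the certificate contains the literal text, e.g.
# "CA:TRUE" or a CRL URI; the page inspects the same fields by eye.
cert_text_has() {         # $1 = certificate PEM, $2 = literal text to look for
    openssl x509 -in "$1" -noout -text | grep -qF -- "$2"
}

# Run the whole flow in a scratch directory and report the page's three checks.
demo() {
    d=$(mktemp -d) && cd "$d"
    make_root_ca root
    make_intermediate root etcd_ca "http://vault.example/v1/demo_root_ca"
    verify_chain root.pem etcd_ca.pem && echo "etcd_ca.pem: OK"
    key_matches_cert etcd_ca.key etcd_ca.pem && echo "key matches certificate"
    cert_text_has etcd_ca.pem "URI:http://vault.example/v1/demo_root_ca/crl" && echo "CRL URI present"
}

demo
```

Source the file (or run it) and the `demo` function prints the three results; the functions can also be called on the page's own files, for example `key_matches_cert k8s_pki_intermediate_ca_for_service_etcd_certificate.key k8s_pki_intermediate_ca_for_service_etcd_certificate.pem`. For the trust anchor, Vault also serves the root as ready-made PEM at `/v1/<mount>/ca/pem`, which avoids the hand-built BEGIN/END lines around the base64 output; in either case compare the fetched file's fingerprint (`openssl x509 -noout -fingerprint -sha256`) with the one recorded when the root was created, since a root fetched over plain HTTP is only as trustworthy as the network path it came over.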
Configuring Vault to use the intermediate CA
Uploading the intermediate certificate
- k8s_pki_intermediate_ca_for_service_etcd_certificate.pem is the file name (saved in the previous step)
<PRE>
vault \
  write \
  k8s_pki_intermediate_ca_for_service_etcd/intermediate/set-signed \
  certificate=@k8s_pki_intermediate_ca_for_service_etcd_certificate.pem
</PRE>
<PRE>
Success! Data written to: k8s_pki_intermediate_ca_for_service_etcd/intermediate/set-signed
</PRE>
If the exported variant was used, the key has to be added as well:
<PRE>
vault \
  write \
  k8s_pki_intermediate_ca_for_service_etcd/intermediate/set-signed \
  certificate=@k8s_pki_intermediate_ca_for_service_etcd_certificate.pem \
  key=@k8s_pki_intermediate_ca_for_service_etcd_certificate.key
</PRE>
Configure URLs
<PRE>
vault write k8s_pki_intermediate_ca_for_service_etcd/config/urls \
  issuing_certificates="http://vault.home:8200/v1/k8s_pki_intermediate_ca_for_service_etcd/ca" \
  crl_distribution_points="http://vault.home:8200/v1/k8s_pki_intermediate_ca_for_service_etcd/crl"
</PRE>