Создание Корневого СА (Root CA)
Эта страница - часть большой статьи про CA используемые в k8s: Vault_PKI_Kubernetes_the_hard_way_v2
Включить PKI для корневого сертификата
vault \
secrets \
enable \
-path=k8s_pki_root_ca \
-description="PKI k8s Root CA" \
-max-lease-ttl="262800h" \
pki
Success! Enabled the pki secrets engine at: k8s_pki_root_ca/
Проверить созданный endpoint
vault secrets list | grep k8s_pki
k8s_pki_root_ca/ pki pki_8b6cae1e PKI k8s Root CA
Создание корневого сертефиката (CA)
Конфигурация Vault
- ВАЖНО: Тип определяет будет ли показан ключ от сертификата. В случае internal ключ показа не будет и сертификат можно будет использовать только в Vault
TYPE="exported"
#TYPE="internal"
vault write -format=json pki_root_ca/root/generate/${TYPE} \
common_name="Root Certificate Authority for Home Network" \
country="Ukraine" \
locality="Kharkov" \
street_address="Lui Pastera St. 322, app. 131" \
postal_code="61172" \
organization="Home Network" \
ou="IT" \
ttl="262800h" > pki-root-ca.json
Просмотр результата
Результат работы команды (длинный вывод пропущен):
cat pki-root-ca.json
{
"request_id": "a73f7190-acff-a3da-4a73-32c41546984c",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"certificate": "-----BEGIN CERTIFICATE-----\nMIIEdT29yaz ...
"expiration": 2610802620,
"issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIEd29yazE ...
"private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpc ...
"private_key_type": "rsa",
"serial_number": "6c:90:eb:90:d4:5f:86:6d:d8:fb:f8:f8:a0:4d:07:f8:99:1e:62:02"
},
"warnings": null
}
Корневой сертефикат самоподписаный. Поля certificate и issuing_ca полностью совпадают.
Подготовка файлов с сертефикатом и ключем
cat pki-root-ca.json | jq -r .data.certificate > rootCA.pem
cat pki-root-ca.json | jq -r .data.issuing_ca > rootCA_issuing_ca.pem
cat pki-root-ca.json | jq -r .data.private_key > rootCA_private_key.pem
Просмотр в привычном формате
openssl x509 -in rootCA.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
6c:90:eb:90:d4:5f:86:6d:d8:fb:f8:f8:a0:4d:07:f8:99:1e:62:02
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = Ukraine, L = Kharkov, street = app. 131 + street = Lui Pastera St. 322, postalCode = 61172, O = Home Network, OU = IT, CN = Root Certificate Authority for Home Network v2
Validity
Not Before: Oct 2 14:56:32 2022 GMT
Not After : Sep 24 14:57:00 2052 GMT
Subject: C = Ukraine, L = Kharkov, street = app. 131 + street = Lui Pastera St. 322, postalCode = 61172, O = Home Network, OU = IT, CN = Root Certificate Authority for Home Network v2
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:c7:6f:7d:85:e1:7d:71:ae:cd:e2:a6:85:2d:36:
85:c4:31:22:c8:bc:11:1c:c5:bd:10:ec:68:76:5d:
16:e1:fe:b6:00:de:4f:c4:23:48:d4:2a:97:84:64:
88:80:23:bd:63:3c:ba:40:b7:66:f6:6f:0f:b5:b7:
10:88:84:d8:6e:19:08:9c:a0:54:7b:ba:ee:c2:88:
99:61:fb:e9:43:22:61:bd:01:fe:f2:b0:33:56:3b:
51:ad:63:57:b9:00:cf:61:38:98:12:94:f2:71:b3:
39:9a:b0:d1:df:20:5e:39:3f:39:fd:bc:47:92:02:
7e:83:c5:7b:9a:98:2c:b4:0f:48:6c:33:59:0c:49:
a0:e5:e7:28:d0:78:30:9f:f2:c2:e1:13:3c:d7:9c:
7e:98:95:77:40:36:f6:98:d7:05:21:c9:35:fe:de:
7c:17:c4:f4:19:0f:8e:a2:d8:50:7c:ec:02:ee:d0:
be:d6:ab:e5:26:36:f7:e5:13:fe:43:70:91:68:9e:
46:dd:d1:53:0e:a4:db:d2:1f:31:63:80:7a:e7:07:
1e:3a:79:e4:38:7e:ee:c1:60:86:a4:7c:26:d3:f2:
87:c9:f2:3b:f6:c1:af:33:3e:d2:fa:62:5e:47:ca:
f1:2b:93:45:4b:30:47:98:7b:f8:cd:a2:19:e7:8a:
c4:67
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
02:F8:85:2B:75:F8:E1:1C:69:28:30:32:21:2D:86:71:AF:AB:EC:3C
X509v3 Authority Key Identifier:
keyid:02:F8:85:2B:75:F8:E1:1C:69:28:30:32:21:2D:86:71:AF:AB:EC:3C
Signature Algorithm: sha256WithRSAEncryption
a6:1f:70:a7:f6:3e:0a:5c:ec:11:f7:a4:df:da:c5:bb:42:c3:
5a:14:f2:ae:29:e7:f2:a4:c9:3e:90:e5:75:71:4a:f9:0e:e8:
64:67:d5:5f:ae:a2:ea:1f:16:1b:ab:8a:e7:5b:c8:1d:1e:42:
8e:d7:e7:3d:be:02:e1:37:fa:3b:b3:df:0f:d8:19:41:49:53:
f7:c6:b7:ed:56:7a:60:6e:c5:fd:ea:b4:f7:43:e8:7b:72:1c:
b1:7a:4a:70:93:87:53:a5:66:92:0b:89:73:cd:17:ac:c7:31:
7a:b8:7d:14:55:c8:45:56:9a:40:74:39:b4:57:12:ad:33:e4:
5a:b4:34:75:54:f5:cc:b1:3f:ae:e1:f7:d5:7a:f8:dd:c8:2c:
db:24:10:69:83:a8:6c:02:b4:3c:ab:ef:17:ac:77:ad:fc:a8:
de:f1:39:34:28:fb:63:34:7a:a0:95:ea:73:9d:c3:a6:75:c4:
69:95:2b:dd:64:a8:46:04:6c:53:20:18:b0:42:ab:9d:c0:9f:
b1:60:fc:7e:38:ca:d8:b3:b4:9a:8a:22:0c:6d:ff:36:36:3d:
6b:97:04:f2:b4:9e:cb:10:e4:3f:3b:09:62:f5:54:34:08:21:
51:d8:2d:2f:31:3d:0d:40:3d:64:c5:e4:ce:77:bb:88:7a:b7:
d9:ab:33:f5
-----BEGIN CERTIFICATE-----
MIIEdTCCA12gAwIBAgIUbJDrkNRfhm3Y+/j4oE0H+JkeYgIwDQYJKoZIhvcNAQEL
BQAwgcAxEDAOBgNVBAYTB1VrcmFpbmUxEDAOBgNVBAcTB0toYXJrb3YxLTAPBgNV
BAkTCGFwcC4gMTMxMBoGA1UECRMTTHVpIFBhc3RlcmEgU3QuIDMyMjEOMAwGA1UE
ERMFNjExNzIxFTATBgNVBAoTDEhvbWUgTmV0d29yazELMAkGA1UECxMCSVQxNzA1
BgNVBAMTLlJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IGZvciBIb21lIE5ldHdv
cmsgdjIwIBcNMjIxMDAyMTQ1NjMyWhgPMjA1MjA5MjQxNDU3MDBaMIHAMRAwDgYD
VQQGEwdVa3JhaW5lMRAwDgYDVQQHEwdLaGFya292MS0wDwYDVQQJEwhhcHAuIDEz
MTAaBgNVBAkTE0x1aSBQYXN0ZXJhIFN0LiAzMjIxDjAMBgNVBBETBTYxMTcyMRUw
EwYDVQQKEwxIb21lIE5ldHdvcmsxCzAJBgNVBAsTAklUMTcwNQYDVQQDEy5Sb290
IENlcnRpZmljYXRlIEF1dGhvcml0eSBmb3IgSG9tZSBOZXR3b3JrIHYyMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx299heF9ca7N4qaFLTaFxDEiyLwR
HMW9EOxodl0W4f62AN5PxCNI1CqXhGSIgCO9Yzy6QLdm9m8PtbcQiITYbhkInKBU
e7ruwoiZYfvpQyJhvQH+8rAzVjtRrWNXuQDPYTiYEpTycbM5mrDR3yBeOT85/bxH
kgJ+g8V7mpgstA9IbDNZDEmg5eco0Hgwn/LC4RM815x+mJV3QDb2mNcFIck1/t58
F8T0GQ+OothQfOwC7tC+1qvlJjb35RP+Q3CRaJ5G3dFTDqTb0h8xY4B65wceOnnk
OH7uwWCGpHwm0/KHyfI79sGvMz7S+mJeR8rxK5NFSzBHmHv4zaIZ54rEZwIDAQAB
o2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
AviFK3X44RxpKDAyIS2Gca+r7DwwHwYDVR0jBBgwFoAUAviFK3X44RxpKDAyIS2G
ca+r7DwwDQYJKoZIhvcNAQELBQADggEBAKYfcKf2Pgpc7BH3pN/axbtCw1oU8q4p
5/KkyT6Q5XVxSvkO6GRn1V+uouofFhuriudbyB0eQo7X5z2+AuE3+juz3w/YGUFJ
U/fGt+1WemBuxf3qtPdD6HtyHLF6SnCTh1OlZpILiXPNF6zHMXq4fRRVyEVWmkB0
ObRXEq0z5Fq0NHVU9cyxP67h99V6+N3ILNskEGmDqGwCtDyr7xesd638qN7xOTQo
+2M0eqCV6nOdw6Z1xGmVK91kqEYEbFMgGLBCq53An7Fg/H44ytiztJqKIgxt/zY2
PWuXBPK0nssQ5D87CWL1VDQIIVHYLS8xPQ1APWTF5M53u4h6t9mrM/U=
-----END CERTIFICATE-----
На что тут обратить внимание:
- Время жизни - 30 лет (должно хватить)
Validity
Not Before: Oct 2 14:56:32 2022 GMT
Not After : Sep 24 14:57:00 2052 GMT
- Информация об "Удостоверяющем центре" - верная
Subject: C = Ukraine, L = Kharkov, street = app. 131 + street = Lui Pastera St. 322, postalCode = 61172, O = Home Network, OU = IT, CN = Root Certificate Authority for Home Network v2
- Назначение сертефиката - CA, это видно из полей
- X509v3 Key Usage: critical Certificate Sign, CRL Sign
- X509v3 Basic Constraints: critical CA:TRUE
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
02:F8:85:2B:75:F8:E1:1C:69:28:30:32:21:2D:86:71:AF:AB:EC:3C
X509v3 Authority Key Identifier:
keyid:02:F8:85:2B:75:F8:E1:1C:69:28:30:32:21:2D:86:71:AF:AB:EC:3C
URL для корневого CA
Публикуем URL’ы для корневого центра сертификации
vault \
write \
k8s_pki_root_ca/config/urls \
issuing_certificates="http://vault.home:8200/v1/k8s_pki_root_ca/ca" \
crl_distribution_points="http://vault.home:8200/v1/k8s_pki_root_ca/crl"
Success! Data written to: k8s_pki_root_ca/config/urls