Vault PKI Intermediate ca etcd Kubernetes the hard way v2
From noname.com.ua, revision by Sirmax (talk | contribs)
=Creating a CA for the etcd cluster=

This page is part of a larger article about the CAs used in k8s: [[Vault_PKI_Kubernetes_the_hard_way_v2]]

===Vault configuration===

* I try to name the path more or less meaningfully ('''k8s_pki_intermediate_ca_for_service_etcd''')
* '''pki''' (the last line) is the type of secrets engine being enabled

<PRE>
vault secrets enable \
    -path=k8s_pki_intermediate_ca_for_service_etcd \
    -description="PKI Intermediate CA for ETCd service" \
    -max-lease-ttl="175200h" \
    pki
</PRE>

<PRE>
Success! Enabled the pki secrets engine at: k8s_pki_intermediate_ca_for_service_etcd/
</PRE>

===Generating a certificate signing request for the intermediate CA===

* The request is generated on the mount enabled above; with '''generate/internal''' the private key is created and stored inside Vault and is never returned

<PRE>
# the mount path must be the one enabled above
vault write -format=json k8s_pki_intermediate_ca_for_service_etcd/intermediate/generate/internal \
    common_name="Intermediate CA" \
    country="Ukraine" \
    locality="Kharkov" \
    street_address="Lui Pastera st. 322 app. 131" \
    postal_code="101000" \
    organization="Horns and Hooves LLC" \
    ou="IT" \
    ttl="175200h" > pki_intermediate_ca.csr.json
</PRE>

====Viewing the results====

=====Raw output=====

<PRE>
{
  "request_id": "2e544789-ed06-1d6f-97cf-928c1fb54e77",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIC6DCCAdACAQAwgaIxEDAOBgNVBAYTB1VrcmFpbmUxEDAOBgNVBAcTB0toYXJr\nb3YxJTAjBgNVBAkTHEx1aSBQYXN0ZXJhIHN0LiAzMjIgYXBwLiAxMzExDzANBgNV\nBBETBjEwMTAwMDEdMBsGA1UEChMUSG9ybnMgYW5kIEhvb3ZlcyBMTEMxCzAJBgNV\nBAsTAklUMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUgQ0EwggEiMA0GCSqGSIb3DQEB\nAQUAA4IBDwAwggEKAoIBAQDIJlmWRZBXLgMymWtlUCn9+3I1BS1W+Kyya2Tguc9R\nblhcyjzb1DshtkJAdohm3bwPnECCPyC3ARKOyN8xrepYOlphsn3+L3tpjOfvq7TS\nJXl194gjkURG7Ahz2FB/oPq0+d9YLYB/TTCh2H2r+3kXMX+ByJTcIHQ+03+6Er73\n+f0qOmYyy/U61lmjYGQTzlhLxzBWZ1xvLNJKaMGoZHgDyJ15bLyCcuSp0GYFnBht\nwvS3BL6wvuhon5NBTjLdnPRzYA8sbPq0SVppUQydaVY3vdBG3HsoWq2d9hQs6c56\nUyspaxpskKjpEdpSp///jfQ2cHAup4AeQBQaine+EfzFAgMBAAGgADANBgkqhkiG\n9w0BAQsFAAOCAQEAmhSXiyvK9J1ZarDQOx5XpPRZ+IfjvYhwcxJ5eBgVcJCljcpr\nAPSvc6dt9di9vHoT/YQ43t47bV0hxVxKERNfOHCjX9VuruOdJ5WE3ptRx0oQsMdC\nbuIxQv/j4F4+kZmLDiUfTsOVTGuOKVqPJ3nyMibeE0JhQHu58hprAosDc2kzFf31\n3KOrQHhpITVgGGPqM4VI/w7ghIzxL/qvPCMX3Qshe5lkHY1jTNt6zHeofC0QRIdo\n2P0Iteb0rR59+B1Bq+jBoKTFmyv1AKifeSY6syTpbp/rKyzeY8pe/txx3JOfF29K\nwMjCLShOPDmOmPPUCbq/vRTUl9zMBsC7tKYRbA==\n-----END CERTIFICATE REQUEST-----"
  },
  "warnings": null
}
</PRE>

=====Saving the request to a file=====

The CSR is the PEM text in '''.data.csr'''; jq extracts it and the redirect writes it to the file that the signing step below reads:

<PRE>
cat pki_intermediate_ca.csr.json | jq -r .data.csr > pki_intermediate_ca.csr
cat pki_intermediate_ca.csr
</PRE>

<PRE>
-----BEGIN CERTIFICATE REQUEST-----
MIIC6DCCAdACAQAwgaIxEDAOBgNVBAYTB1VrcmFpbmUxEDAOBgNVBAcTB0toYXJr
b3YxJTAjBgNVBAkTHEx1aSBQYXN0ZXJhIHN0LiAzMjIgYXBwLiAxMzExDzANBgNV
BBETBjEwMTAwMDEdMBsGA1UEChMUSG9ybnMgYW5kIEhvb3ZlcyBMTEMxCzAJBgNV
BAsTAklUMRgwFgYDVQQDEw9JbnRlcm1lZGlhdGUgQ0EwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDIJlmWRZBXLgMymWtlUCn9+3I1BS1W+Kyya2Tguc9R
blhcyjzb1DshtkJAdohm3bwPnECCPyC3ARKOyN8xrepYOlphsn3+L3tpjOfvq7TS
JXl194gjkURG7Ahz2FB/oPq0+d9YLYB/TTCh2H2r+3kXMX+ByJTcIHQ+03+6Er73
+f0qOmYyy/U61lmjYGQTzlhLxzBWZ1xvLNJKaMGoZHgDyJ15bLyCcuSp0GYFnBht
wvS3BL6wvuhon5NBTjLdnPRzYA8sbPq0SVppUQydaVY3vdBG3HsoWq2d9hQs6c56
UyspaxpskKjpEdpSp///jfQ2cHAup4AeQBQaine+EfzFAgMBAAGgADANBgkqhkiG
9w0BAQsFAAOCAQEAmhSXiyvK9J1ZarDQOx5XpPRZ+IfjvYhwcxJ5eBgVcJCljcpr
APSvc6dt9di9vHoT/YQ43t47bV0hxVxKERNfOHCjX9VuruOdJ5WE3ptRx0oQsMdC
buIxQv/j4F4+kZmLDiUfTsOVTGuOKVqPJ3nyMibeE0JhQHu58hprAosDc2kzFf31
3KOrQHhpITVgGGPqM4VI/w7ghIzxL/qvPCMX3Qshe5lkHY1jTNt6zHeofC0QRIdo
2P0Iteb0rR59+B1Bq+jBoKTFmyv1AKifeSY6syTpbp/rKyzeY8pe/txx3JOfF29K
wMjCLShOPDmOmPPUCbq/vRTUl9zMBsC7tKYRbA==
-----END CERTIFICATE REQUEST-----
</PRE>

<PRE>
openssl req -in pki_intermediate_ca.csr -text -noout
</PRE>

<PRE>
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = Ukraine, L = Kharkov, street = Lui Pastera st. 322 app. 131, postalCode = 101000, O = Horns and Hooves LLC, OU = IT, CN = Intermediate CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c8:26:59:96:45:90:57:2e:03:32:99:6b:65:50:
                    29:fd:fb:72:35:05:2d:56:f8:ac:b2:6b:64:e0:b9:
                    cf:51:6e:58:5c:ca:3c:db:d4:3b:21:b6:42:40:76:
                    88:66:dd:bc:0f:9c:40:82:3f:20:b7:01:12:8e:c8:
                    df:31:ad:ea:58:3a:5a:61:b2:7d:fe:2f:7b:69:8c:
                    e7:ef:ab:b4:d2:25:79:75:f7:88:23:91:44:46:ec:
                    08:73:d8:50:7f:a0:fa:b4:f9:df:58:2d:80:7f:4d:
                    30:a1:d8:7d:ab:fb:79:17:31:7f:81:c8:94:dc:20:
                    74:3e:d3:7f:ba:12:be:f7:f9:fd:2a:3a:66:32:cb:
                    f5:3a:d6:59:a3:60:64:13:ce:58:4b:c7:30:56:67:
                    5c:6f:2c:d2:4a:68:c1:a8:64:78:03:c8:9d:79:6c:
                    bc:82:72:e4:a9:d0:66:05:9c:18:6d:c2:f4:b7:04:
                    be:b0:be:e8:68:9f:93:41:4e:32:dd:9c:f4:73:60:
                    0f:2c:6c:fa:b4:49:5a:69:51:0c:9d:69:56:37:bd:
                    d0:46:dc:7b:28:5a:ad:9d:f6:14:2c:e9:ce:7a:53:
                    2b:29:6b:1a:6c:90:a8:e9:11:da:52:a7:ff:ff:8d:
                    f4:36:70:70:2e:a7:80:1e:40:14:1a:8a:77:be:11:
                    fc:c5
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         9a:14:97:8b:2b:ca:f4:9d:59:6a:b0:d0:3b:1e:57:a4:f4:59:
         f8:87:e3:bd:88:70:73:12:79:78:18:15:70:90:a5:8d:ca:6b:
         00:f4:af:73:a7:6d:f5:d8:bd:bc:7a:13:fd:84:38:de:de:3b:
         6d:5d:21:c5:5c:4a:11:13:5f:38:70:a3:5f:d5:6e:ae:e3:9d:
         27:95:84:de:9b:51:c7:4a:10:b0:c7:42:6e:e2:31:42:ff:e3:
         e0:5e:3e:91:99:8b:0e:25:1f:4e:c3:95:4c:6b:8e:29:5a:8f:
         27:79:f2:32:26:de:13:42:61:40:7b:b9:f2:1a:6b:02:8b:03:
         73:69:33:15:fd:f5:dc:a3:ab:40:78:69:21:35:60:18:63:ea:
         33:85:48:ff:0e:e0:84:8c:f1:2f:fa:af:3c:23:17:dd:0b:21:
         7b:99:64:1d:8d:63:4c:db:7a:cc:77:a8:7c:2d:10:44:87:68:
         d8:fd:08:b5:e6:f4:ad:1e:7d:f8:1d:41:ab:e8:c1:a0:a4:c5:
         9b:2b:f5:00:a8:9f:79:26:3a:b3:24:e9:6e:9f:eb:2b:2c:de:
         63:ca:5e:fe:dc:71:dc:93:9f:17:6f:4a:c0:c8:c2:2d:28:4e:
         3c:39:8e:98:f3:d4:09:ba:bf:bd:14:d4:97:dc:cc:06:c0:bb:
         b4:a6:11:6c
</PRE>

===Issuing the certificate from the request===

* <B>@pki_intermediate_ca.csr</B> is the file name; the <B>@</B> prefix tells the Vault CLI to read the value from that file
* The subject fields passed here (organization, postal_code and so on) override the ones in the CSR: the CSR above says "Horns and Hooves LLC" / 101000, the issued certificate below says "Home Network" / 61172. Pass <B>use_csr_values=true</B> to keep the CSR's subject instead.

====Creating the certificate====

<PRE>
vault write -format=json pki_root_ca/root/sign-intermediate csr=@pki_intermediate_ca.csr \
    country="Ukraine" \
    locality="Kharkov" \
    street_address="Lui Pastera st. 322 app. 131" \
    postal_code="61172" \
    organization="Home Network" \
    ou="IT" \
    format=pem_bundle \
    ttl="175200h" > intermediateCA.cert.pem.json
</PRE>

===="Raw" result====

<PRE>
{
  "request_id": "79f389eb-be78-dff6-e1b5-71034dc5fd87",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "certificate": "-----BEGIN CERTIFICATE-----\nMIIESTCCAzGgAwIBAgIUQLKqMu7qL4R1u4/sLphWcBxm9g0wDQYJKoZIhvcNAQEL\nBQAwgb0xEDAOBgNVBAYTB1VrcmFpbmUxEDAOBgNVBAcTB0toYXJrb3YxLTAPBgNV\nBAkTCGFwcC4gMTMxMBoGA1UECRMTTHVpIFBhc3RlcmEgU3QuIDMyMjEOMAwGA1UE\nERMFNjExNzIxFTATBgNVBAoTDEhvbWUgTmV0d29yazELMAkGA1UECxMCSVQxNDAy\nBgNVBAMTK1Jvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IGZvciBIb21lIE5ldHdv\ncmswHhcNMjExMDExMDkyMjM3WhcNNDExMDA2MDkyMzA3WjCBmTEQMA4GA1UEBhMH\nVWtyYWluZTEQMA4GA1UEBxMHS2hhcmtvdjElMCMGA1UECRMcTHVpIFBhc3RlcmEg\nc3QuIDMyMiBhcHAuIDEzMTEOMAwGA1UEERMFNjExNzIxFTATBgNVBAoTDEhvbWUg\nTmV0d29yazELMAkGA1UECxMCSVQxGDAWBgNVBAMTD0ludGVybWVkaWF0ZSBDQTCC\nASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMgmWZZFkFcuAzKZa2VQKf37\ncjUFLVb4rLJrZOC5z1FuWFzKPNvUOyG2QkB2iGbdvA+cQII/ILcBEo7I3zGt6lg6\nWmGyff4ve2mM5++rtNIleXX3iCORREbsCHPYUH+g+rT531gtgH9NMKHYfav7eRcx\nf4HIlNwgdD7Tf7oSvvf5/So6ZjLL9TrWWaNgZBPOWEvHMFZnXG8s0kpowahkeAPI\nnXlsvIJy5KnQZgWcGG3C9LcEvrC+6Gifk0FOMt2c9HNgDyxs+rRJWmlRDJ1pVje9\n0EbceyharZ32FCzpznpTKylrGmyQqOkR2lKn//+N9DZwcC6ngB5AFBqKd74R/MUC\nAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O\nBBYEFFfMF8/PIZRxQrirBnz9/EVt+WpPMB8GA1UdIwQYMBaAFNs6c3oDJS4XSEZY\nZxmthi4EPevsMA0GCSqGSIb3DQEBCwUAA4IBAQCI5j1vsxGmb2zhd1p7rLJibntp\nJHxTg0qG9pDKzO3erUDia53ifTRchRjNqgcdTJO89MbCVpMcK88+E01X3KtGZMFR\n3V4I1Gmptdg4luicYzrO92S40CiRHr9UFz8Cftg9JxGZAk0MN3ScpjtxPM1fZs4d\n2INtQtyjtZ/I86itogPsKHo7hrIdo9IGmFa7OHuul/uYl3Z9cNLOAEHcBFarQ9Vn\nvQmPpdaq3t4ArwFHRrn5ZMgM9HbvRbgr3ns5U4uX9TdSefHashoAuVGvIFquMpVj\n0ajUAed1yuVd7S2USE1s8RyN7j3t0D7FG7pRECTBnZYKqBc7OI2YdiwdPvQH\n-----END CERTIFICATE-----",
    "expiration": 2264664187,
    "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIEbzCCA1egAwIBAgIUBVXFmyCRZoaWQoS9ZprBcCiNv4IwDQYJKoZIhvcNAQEL\nBQAwgb0xEDAOBgNVBAYTB1VrcmFpbmUxEDAOBgNVBAcTB0toYXJrb3YxLTAPBgNV\nBAkTCGFwcC4gMTMxMBoGA1UECRMTTHVpIFBhc3RlcmEgU3QuIDMyMjEOMAwGA1UE\nERMFNjExNzIxFTATBgNVBAoTDEhvbWUgTmV0d29yazELMAkGA1UECxMCSVQxNDAy\nBgNVBAMTK1Jvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IGZvciBIb21lIE5ldHdv\ncmswIBcNMjExMDEwMTI1ODAwWhgPMjA1MTEwMDMxMjU4MjdaMIG9MRAwDgYDVQQG\nEwdVa3JhaW5lMRAwDgYDVQQHEwdLaGFya292MS0wDwYDVQQJEwhhcHAuIDEzMTAa\nBgNVBAkTE0x1aSBQYXN0ZXJhIFN0LiAzMjIxDjAMBgNVBBETBTYxMTcyMRUwEwYD\nVQQKEwxIb21lIE5ldHdvcmsxCzAJBgNVBAsTAklUMTQwMgYDVQQDEytSb290IENl\ncnRpZmljYXRlIEF1dGhvcml0eSBmb3IgSG9tZSBOZXR3b3JrMIIBIjANBgkqhkiG\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvtwCSvUyOLLPEE940N7Qgg5SK3+r2e5coIFK\njC2uYKwnbBLvpm9vYiN00MLVuIOAZqFQ6ljqGLMXSaZtg7nTC6UgwVxaVNZAVsHE\nYFm5C/3eDNQLA3qTzfAflCXuEQeGdPPoMeVmmU4DoInKPotlcznYaZHAE7puNSpg\n59nmW1PuvRJKuhrQcGDiZdxSnfjMDOz/29XjEqegkQSiQAHzHORak3Q3FjzhvyL+\nCqHd7s03K28pRxS1G2ZXmLV+ArVLVO606ZP6ye1OKMzcq2hC/ffA7okVLkZ2ZPis\nvoYdVEpKKdUtcVk0+PAL5fwcFBHYCIt5CqePa2Ews2makBLDKQIDAQABo2MwYTAO\nBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU2zpzegMl\nLhdIRlhnGa2GLgQ96+wwHwYDVR0jBBgwFoAU2zpzegMlLhdIRlhnGa2GLgQ96+ww\nDQYJKoZIhvcNAQELBQADggEBAHFvVtRquCSd/BZHjBxZrMKSkDZf73NDx9cuILRL\n6T9XtKa0gqIovfKYB6FJ38cdYFpW/IVk59iXdfY2ZhoEq1eKQ9g8qpdyXj2FWdnT\ntivVqtZJrTUELCJSnGFqay/dunjMt6yc+m0eV2KPuJT5mDDVwQYkwBdYRv1uVZJv\nmBHYzShvksuQXV6Rs6q7/dD1MprtpIBafuZrXZgZcQSG3hjiODcP4mEK04HABh/n\n8KDFj/eQj8l01WgdM7SlRfz3jDWmOh2nahGlG+F72Cwqh1wTUNHHEJKMupiTIs2B\nsjCYRMVUw1A6MBY5kS8KrTizRMIZCLKjSQoVY4F8Y7lMjnw=\n-----END CERTIFICATE-----",
    "serial_number": "40:b2:aa:32:ee:ea:2f:84:75:bb:8f:ec:2e:98:56:70:1c:66:f6:0d"
  },
  "warnings": null
}
</PRE>

====PEM file====

<PRE>
cat intermediateCA.cert.pem.json | jq -r .data.certificate > intermediateCA.cert.pem
</PRE>

<PRE>
-----BEGIN CERTIFICATE-----
MIIESTCCAzGgAwIBAgIUQLKqMu7qL4R1u4/sLphWcBxm9g0wDQYJKoZIhvcNAQEL
BQAwgb0xEDAOBgNVBAYTB1VrcmFpbmUxEDAOBgNVBAcTB0toYXJrb3YxLTAPBgNV
BAkTCGFwcC4gMTMxMBoGA1UECRMTTHVpIFBhc3RlcmEgU3QuIDMyMjEOMAwGA1UE
ERMFNjExNzIxFTATBgNVBAoTDEhvbWUgTmV0d29yazELMAkGA1UECxMCSVQxNDAy
BgNVBAMTK1Jvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IGZvciBIb21lIE5ldHdv
cmswHhcNMjExMDExMDkyMjM3WhcNNDExMDA2MDkyMzA3WjCBmTEQMA4GA1UEBhMH
VWtyYWluZTEQMA4GA1UEBxMHS2hhcmtvdjElMCMGA1UECRMcTHVpIFBhc3RlcmEg
c3QuIDMyMiBhcHAuIDEzMTEOMAwGA1UEERMFNjExNzIxFTATBgNVBAoTDEhvbWUg
TmV0d29yazELMAkGA1UECxMCSVQxGDAWBgNVBAMTD0ludGVybWVkaWF0ZSBDQTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMgmWZZFkFcuAzKZa2VQKf37
cjUFLVb4rLJrZOC5z1FuWFzKPNvUOyG2QkB2iGbdvA+cQII/ILcBEo7I3zGt6lg6
WmGyff4ve2mM5++rtNIleXX3iCORREbsCHPYUH+g+rT531gtgH9NMKHYfav7eRcx
f4HIlNwgdD7Tf7oSvvf5/So6ZjLL9TrWWaNgZBPOWEvHMFZnXG8s0kpowahkeAPI
nXlsvIJy5KnQZgWcGG3C9LcEvrC+6Gifk0FOMt2c9HNgDyxs+rRJWmlRDJ1pVje9
0EbceyharZ32FCzpznpTKylrGmyQqOkR2lKn//+N9DZwcC6ngB5AFBqKd74R/MUC
AwEAAaNjMGEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
BBYEFFfMF8/PIZRxQrirBnz9/EVt+WpPMB8GA1UdIwQYMBaAFNs6c3oDJS4XSEZY
Zxmthi4EPevsMA0GCSqGSIb3DQEBCwUAA4IBAQCI5j1vsxGmb2zhd1p7rLJibntp
JHxTg0qG9pDKzO3erUDia53ifTRchRjNqgcdTJO89MbCVpMcK88+E01X3KtGZMFR
3V4I1Gmptdg4luicYzrO92S40CiRHr9UFz8Cftg9JxGZAk0MN3ScpjtxPM1fZs4d
2INtQtyjtZ/I86itogPsKHo7hrIdo9IGmFa7OHuul/uYl3Z9cNLOAEHcBFarQ9Vn
vQmPpdaq3t4ArwFHRrn5ZMgM9HbvRbgr3ns5U4uX9TdSefHashoAuVGvIFquMpVj
0ajUAed1yuVd7S2USE1s8RyN7j3t0D7FG7pRECTBnZYKqBc7OI2YdiwdPvQH
-----END CERTIFICATE-----
</PRE>

====Certificate details====

<PRE>
openssl x509 -in intermediateCA.cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            40:b2:aa:32:ee:ea:2f:84:75:bb:8f:ec:2e:98:56:70:1c:66:f6:0d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = Ukraine, L = Kharkov, street = app. 131 + street = Lui Pastera St. 322, postalCode = 61172, O = Home Network, OU = IT, CN = Root Certificate Authority for Home Network
        Validity
            Not Before: Oct 11 09:22:37 2021 GMT
            Not After : Oct  6 09:23:07 2041 GMT
        Subject: C = Ukraine, L = Kharkov, street = Lui Pastera st. 322 app. 131, postalCode = 61172, O = Home Network, OU = IT, CN = Intermediate CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c8:26:59:96:45:90:57:2e:03:32:99:6b:65:50:
                    29:fd:fb:72:35:05:2d:56:f8:ac:b2:6b:64:e0:b9:
                    cf:51:6e:58:5c:ca:3c:db:d4:3b:21:b6:42:40:76:
                    88:66:dd:bc:0f:9c:40:82:3f:20:b7:01:12:8e:c8:
                    df:31:ad:ea:58:3a:5a:61:b2:7d:fe:2f:7b:69:8c:
                    e7:ef:ab:b4:d2:25:79:75:f7:88:23:91:44:46:ec:
                    08:73:d8:50:7f:a0:fa:b4:f9:df:58:2d:80:7f:4d:
                    30:a1:d8:7d:ab:fb:79:17:31:7f:81:c8:94:dc:20:
                    74:3e:d3:7f:ba:12:be:f7:f9:fd:2a:3a:66:32:cb:
                    f5:3a:d6:59:a3:60:64:13:ce:58:4b:c7:30:56:67:
                    5c:6f:2c:d2:4a:68:c1:a8:64:78:03:c8:9d:79:6c:
                    bc:82:72:e4:a9:d0:66:05:9c:18:6d:c2:f4:b7:04:
                    be:b0:be:e8:68:9f:93:41:4e:32:dd:9c:f4:73:60:
                    0f:2c:6c:fa:b4:49:5a:69:51:0c:9d:69:56:37:bd:
                    d0:46:dc:7b:28:5a:ad:9d:f6:14:2c:e9:ce:7a:53:
                    2b:29:6b:1a:6c:90:a8:e9:11:da:52:a7:ff:ff:8d:
                    f4:36:70:70:2e:a7:80:1e:40:14:1a:8a:77:be:11:
                    fc:c5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                57:CC:17:CF:CF:21:94:71:42:B8:AB:06:7C:FD:FC:45:6D:F9:6A:4F
            X509v3 Authority Key Identifier:
                keyid:DB:3A:73:7A:03:25:2E:17:48:46:58:67:19:AD:86:2E:04:3D:EB:EC

    Signature Algorithm: sha256WithRSAEncryption
         88:e6:3d:6f:b3:11:a6:6f:6c:e1:77:5a:7b:ac:b2:62:6e:7b:
         69:24:7c:53:83:4a:86:f6:90:ca:cc:ed:de:ad:40:e2:6b:9d:
         e2:7d:34:5c:85:18:cd:aa:07:1d:4c:93:bc:f4:c6:c2:56:93:
         1c:2b:cf:3e:13:4d:57:dc:ab:46:64:c1:51:dd:5e:08:d4:69:
         a9:b5:d8:38:96:e8:9c:63:3a:ce:f7:64:b8:d0:28:91:1e:bf:
         54:17:3f:02:7e:d8:3d:27:11:99:02:4d:0c:37:74:9c:a6:3b:
         71:3c:cd:5f:66:ce:1d:d8:83:6d:42:dc:a3:b5:9f:c8:f3:a8:
         ad:a2:03:ec:28:7a:3b:86:b2:1d:a3:d2:06:98:56:bb:38:7b:
         ae:97:fb:98:97:76:7d:70:d2:ce:00:41:dc:04:56:ab:43:d5:
         67:bd:09:8f:a5:d6:aa:de:de:00:af:01:47:46:b9:f9:64:c8:
         0c:f4:76:ef:45:b8:2b:de:7b:39:53:8b:97:f5:37:52:79:f1:
         da:b2:1a:00:b9:51:af:20:5a:ae:32:95:63:d1:a8:d4:01:e7:
         75:ca:e5:5d:ed:2d:94:48:4d:6c:f1:1c:8d:ee:3d:ed:d0:3e:
         c5:1b:ba:51:10:24:c1:9d:96:0a:a8:17:3b:38:8d:98:76:2c:
         1d:3e:f4:07
</PRE>

====Validation against the root CA====

* '''rootCA.pem''' is the root CA certificate; the same certificate is also returned in the signing response above as '''.data.issuing_ca'''

<PRE>
openssl verify -verbose -CAfile rootCA.pem intermediateCA.cert.pem
intermediateCA.cert.pem: OK
</PRE>

===Configuring Vault to use the intermediate CA===

====Uploading the signed intermediate certificate====

<PRE>
# the mount path must be the one enabled above
vault write k8s_pki_intermediate_ca_for_service_etcd/intermediate/set-signed \
    certificate=@intermediateCA.cert.pem
</PRE>

====Configure URLs====

* These URLs are embedded in every certificate this CA issues (AIA and CRL distribution point), so they must contain the mount path and be reachable by whoever validates etcd certificates

<PRE>
vault write k8s_pki_intermediate_ca_for_service_etcd/config/urls \
    issuing_certificates="http://vault.home:8200/v1/k8s_pki_intermediate_ca_for_service_etcd/ca" \
    crl_distribution_points="http://vault.home:8200/v1/k8s_pki_intermediate_ca_for_service_etcd/crl"
</PRE>
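As an added check that is not part of the original page, the Python below parses the two certificates returned by the signing step above ('''.data.certificate''' and '''.data.issuing_ca''', re-wrapped into long lines) with a small stdlib-only DER walker and verifies what the openssl output and the openssl verify step show: CA:TRUE, keyCertSign/cRLSign, the intermediate's AKI equals the root's SKI, the intermediate's validity lies inside the root's, and the lifetime equals the requested ttl plus Vault's default 30 s NotBefore backdate. The function names are mine; it needs neither Vault nor openssl to run.

```python
import base64
import datetime as dt

# Both PEMs are the ones returned by pki_root_ca/root/sign-intermediate on this page
# (.data.certificate and .data.issuing_ca); only the line wrapping was changed.
INTERMEDIATE_PEM = """-----BEGIN CERTIFICATE-----
MIIESTCCAzGgAwIBAgIUQLKqMu7qL4R1u4/sLphWcBxm9g0wDQYJKoZIhvcNAQELBQAwgb0xEDAOBgNVBAYTB1VrcmFpbmUxEDAOBgNVBAcTB0toYXJrb3YxLTAPBgNVBAkTCGFwcC4gMTMxMBoGA1UECRMTTHVpIFBhc3RlcmEgU3QuIDMyMjEOMAwGA1UEERMFNjExNzIxFTATBgNVBAoTDEhvbWUgTmV0d29yazELMAkGA1UECxMCSVQxNDAy
BgNVBAMTK1Jvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IGZvciBIb21lIE5ldHdvcmswHhcNMjExMDExMDkyMjM3WhcNNDExMDA2MDkyMzA3WjCBmTEQMA4GA1UEBhMHVWtyYWluZTEQMA4GA1UEBxMHS2hhcmtvdjElMCMGA1UECRMcTHVpIFBhc3RlcmEgc3QuIDMyMiBhcHAuIDEzMTEOMAwGA1UEERMFNjExNzIxFTATBgNVBAoTDEhvbWUg
TmV0d29yazELMAkGA1UECxMCSVQxGDAWBgNVBAMTD0ludGVybWVkaWF0ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMgmWZZFkFcuAzKZa2VQKf37cjUFLVb4rLJrZOC5z1FuWFzKPNvUOyG2QkB2iGbdvA+cQII/ILcBEo7I3zGt6lg6WmGyff4ve2mM5++rtNIleXX3iCORREbsCHPYUH+g+rT531gtgH9NMKHYfav7eRcx
f4HIlNwgdD7Tf7oSvvf5/So6ZjLL9TrWWaNgZBPOWEvHMFZnXG8s0kpowahkeAPInXlsvIJy5KnQZgWcGG3C9LcEvrC+6Gifk0FOMt2c9HNgDyxs+rRJWmlRDJ1pVje90EbceyharZ32FCzpznpTKylrGmyQqOkR2lKn//+N9DZwcC6ngB5AFBqKd74R/MUCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
BBYEFFfMF8/PIZRxQrirBnz9/EVt+WpPMB8GA1UdIwQYMBaAFNs6c3oDJS4XSEZYZxmthi4EPevsMA0GCSqGSIb3DQEBCwUAA4IBAQCI5j1vsxGmb2zhd1p7rLJibntpJHxTg0qG9pDKzO3erUDia53ifTRchRjNqgcdTJO89MbCVpMcK88+E01X3KtGZMFR3V4I1Gmptdg4luicYzrO92S40CiRHr9UFz8Cftg9JxGZAk0MN3ScpjtxPM1fZs4d
2INtQtyjtZ/I86itogPsKHo7hrIdo9IGmFa7OHuul/uYl3Z9cNLOAEHcBFarQ9VnvQmPpdaq3t4ArwFHRrn5ZMgM9HbvRbgr3ns5U4uX9TdSefHashoAuVGvIFquMpVj0ajUAed1yuVd7S2USE1s8RyN7j3t0D7FG7pRECTBnZYKqBc7OI2YdiwdPvQH
-----END CERTIFICATE-----"""
ROOT_PEM = """-----BEGIN CERTIFICATE-----
MIIEbzCCA1egAwIBAgIUBVXFmyCRZoaWQoS9ZprBcCiNv4IwDQYJKoZIhvcNAQELBQAwgb0xEDAOBgNVBAYTB1VrcmFpbmUxEDAOBgNVBAcTB0toYXJrb3YxLTAPBgNVBAkTCGFwcC4gMTMxMBoGA1UECRMTTHVpIFBhc3RlcmEgU3QuIDMyMjEOMAwGA1UEERMFNjExNzIxFTATBgNVBAoTDEhvbWUgTmV0d29yazELMAkGA1UECxMCSVQxNDAy
BgNVBAMTK1Jvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IGZvciBIb21lIE5ldHdvcmswIBcNMjExMDEwMTI1ODAwWhgPMjA1MTEwMDMxMjU4MjdaMIG9MRAwDgYDVQQGEwdVa3JhaW5lMRAwDgYDVQQHEwdLaGFya292MS0wDwYDVQQJEwhhcHAuIDEzMTAaBgNVBAkTE0x1aSBQYXN0ZXJhIFN0LiAzMjIxDjAMBgNVBBETBTYxMTcyMRUwEwYD
VQQKEwxIb21lIE5ldHdvcmsxCzAJBgNVBAsTAklUMTQwMgYDVQQDEytSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSBmb3IgSG9tZSBOZXR3b3JrMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvtwCSvUyOLLPEE940N7Qgg5SK3+r2e5coIFKjC2uYKwnbBLvpm9vYiN00MLVuIOAZqFQ6ljqGLMXSaZtg7nTC6UgwVxaVNZAVsHE
YFm5C/3eDNQLA3qTzfAflCXuEQeGdPPoMeVmmU4DoInKPotlcznYaZHAE7puNSpg59nmW1PuvRJKuhrQcGDiZdxSnfjMDOz/29XjEqegkQSiQAHzHORak3Q3FjzhvyL+CqHd7s03K28pRxS1G2ZXmLV+ArVLVO606ZP6ye1OKMzcq2hC/ffA7okVLkZ2ZPisvoYdVEpKKdUtcVk0+PAL5fwcFBHYCIt5CqePa2Ews2makBLDKQIDAQABo2MwYTAO
BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU2zpzegMlLhdIRlhnGa2GLgQ96+wwHwYDVR0jBBgwFoAU2zpzegMlLhdIRlhnGa2GLgQ96+wwDQYJKoZIhvcNAQELBQADggEBAHFvVtRquCSd/BZHjBxZrMKSkDZf73NDx9cuILRL6T9XtKa0gqIovfKYB6FJ38cdYFpW/IVk59iXdfY2ZhoEq1eKQ9g8qpdyXj2FWdnT
tivVqtZJrTUELCJSnGFqay/dunjMt6yc+m0eV2KPuJT5mDDVwQYkwBdYRv1uVZJvmBHYzShvksuQXV6Rs6q7/dD1MprtpIBafuZrXZgZcQSG3hjiODcP4mEK04HABh/n8KDFj/eQj8l01WgdM7SlRfz3jDWmOh2nahGlG+F72Cwqh1wTUNHHEJKMupiTIs2BsjCYRMVUw1A6MBY5kS8KrTizRMIZCLKjSQoVY4F8Y7lMjnw=
-----END CERTIFICATE-----"""

# DER encoding of the extension OIDs 2.5.29.15 / .19 / .14 / .35
EXT_OIDS = {b"\x55\x1d\x0f": "keyUsage", b"\x55\x1d\x13": "basicConstraints",
            b"\x55\x1d\x0e": "subjectKeyIdentifier", b"\x55\x1d\x23": "authorityKeyIdentifier"}
KEY_CERT_SIGN, CRL_SIGN = 0x04, 0x02  # bits 5 and 6 of the first KeyUsage byte


def pem_to_der(pem):
    """Strip the PEM armour lines and base64-decode the body."""
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))


def tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split a constructed value (SEQUENCE, SET, ...) into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out


def parse_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ, 50-99 = 19xx) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == 0x17:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def parse_cert(pem):
    """Return validity, SKI, AKI, the cA flag and the two CA key-usage bits of an X.509 cert."""
    _, cert, _ = tlv(pem_to_der(pem))
    fields = children(children(cert)[0][1])        # tbsCertificate elements
    idx = 1 if fields[0][0] == 0xA0 else 0         # explicit [0] version comes first if present
    not_before, not_after = (parse_time(t, v) for t, v in children(fields[idx + 3][1]))
    info = {"not_before": not_before, "not_after": not_after, "ca": False,
            "key_cert_sign": False, "crl_sign": False, "ski": None, "aki": None}
    exts = [v for t, v in fields if t == 0xA3]     # [3] EXPLICIT Extensions, at most one
    for _, ext in (children(children(exts[0])[0][1]) if exts else []):
        parts = children(ext)                      # OID, optional critical BOOLEAN, OCTET STRING
        name, octets = EXT_OIDS.get(parts[0][1]), parts[-1][1]
        if name == "basicConstraints":             # SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLen }
            inner = children(children(octets)[0][1])
            info["ca"] = bool(inner) and inner[0][0] == 0x01 and inner[0][1] == b"\xff"
        elif name == "keyUsage":                   # BIT STRING; byte 0 = number of unused bits
            bits = tlv(octets)[1]
            info["key_cert_sign"] = len(bits) > 1 and bool(bits[1] & KEY_CERT_SIGN)
            info["crl_sign"] = len(bits) > 1 and bool(bits[1] & CRL_SIGN)
        elif name == "subjectKeyIdentifier":       # OCTET STRING wrapped in the OCTET STRING
            info["ski"] = tlv(octets)[1].hex(":").upper()
        elif name == "authorityKeyIdentifier":     # SEQUENCE { [0] keyIdentifier, ... }
            info["aki"] = next((v.hex(":").upper() for t, v in
                                children(children(octets)[0][1]) if t == 0x80), None)
    return info


def check_intermediate(inter_pem, root_pem, ttl_hours):
    """Findings that would make the etcd chain unusable; an empty list means every check passed."""
    inter, root = parse_cert(inter_pem), parse_cert(root_pem)
    findings = []
    if not inter["ca"]:
        findings.append("intermediate lacks basicConstraints CA:TRUE")
    if not (inter["key_cert_sign"] and inter["crl_sign"]):
        findings.append("intermediate keyUsage lacks keyCertSign/cRLSign")
    if inter["aki"] is None or inter["aki"] != root["ski"]:
        findings.append("intermediate AKI does not match the root SKI")
    if inter["not_before"] < root["not_before"] or inter["not_after"] > root["not_after"]:
        findings.append("intermediate validity is not inside the root validity")
    # Vault backdates NotBefore by not_before_duration (default 30s), so lifetime = ttl + 30s
    if inter["not_after"] - inter["not_before"] > dt.timedelta(hours=ttl_hours, seconds=30):
        findings.append(f"lifetime exceeds the requested ttl of {ttl_hours}h")
    return findings
```

Running check_intermediate(INTERMEDIATE_PEM, ROOT_PEM, 175200) on the page's certificates returns an empty list; the same call with a shorter ttl reports the 20-year lifetime as a finding.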
Revision as of 18:49, 2 October 2022