Vault PKI Intermediate ca etcd Roles and permissions for real cluster Kubernetes the hard way v2: различия между версиями
Материал из noname.com.ua
Перейти к навигацииПерейти к поискуSirmax (обсуждение | вклад) |
Sirmax (обсуждение | вклад) |
||
| Строка 317: | Строка 317: | ||
======== |
======== |
||
</PRE> |
</PRE> |
||
| − | |||
| − | ===Проверка полученного сертефиката=== |
||
| − | Результат в файле: |
||
| − | <PRE> |
||
| − | cat vault.example.home.crt |
||
| − | </PRE> |
||
| − | Сокращенный вывод: |
||
| − | <PRE> |
||
| − | { |
||
| − | "request_id": "d2ff6e16-1bf6-730a-f4d1-2aefa2fcbb3e", |
||
| − | "lease_id": "", |
||
| − | "lease_duration": 0, |
||
| − | "renewable": false, |
||
| − | "data": { |
||
| − | "ca_chain": [ |
||
| − | "-----BEGIN CERTIFICATE-----rCdewvVGkgifREEGI2GltrDrH6rMugtVjuNAWzW40pVLKl/+0/Jv87wAv\nfITqQgiqa0FjitvfYQO2qIxSCJkt+kD3Vg==\n-----END CERTIFICATE-----" |
||
| − | ], |
||
| − | "certificate": "-----BEGIN CERTIFICATE-----m35waa9ld+hkNIcf/1qR4Gvwae9w0\n-----END CERTIFICATE-----", |
||
| − | "expiration": 1822736540, |
||
| − | "issuing_ca": "-----BEGIN CERTIFICATE-----rCdewvVGkgifREEGI2GltrDrH6rMugtVjuNAWzW40pVLKl/+0/Jv87wAv\nfITqQgiqa0FjitvfYQO2qIxSCJkt+kD3Vg==\n-----END CERTIFICATE-----", |
||
| − | "private_key": "-----BEGIN RSA PRIVATE KEY-----vNhpK6RKn2b4EExuuZTRAcPEV3ddhOOoZpyy48WVEF5Iq3s+7/NZOq66poZUz17z\nwhRJIuic/EzYBnmKy0T4wdCyhkqLVGHIvH+412cJ5eqyHeMQbzG+oA==\n-----END RSA PRIVATE KEY-----", |
||
| − | "private_key_type": "rsa", |
||
| − | "serial_number": "28:ac:20:32:fe:46:b2:78:61:11:f0:46:da:e7:d2:cf:02:fc:4f:f1" |
||
| − | }, |
||
| − | "warnings": null |
||
| − | } |
||
| − | </PRE> |
||
| − | {{#spoiler:show=Полный вывод результатов| |
||
| − | <PRE> |
||
| − | { |
||
| − | "request_id": "d2ff6e16-1bf6-730a-f4d1-2aefa2fcbb3e", |
||
| − | "lease_id": "", |
||
| − | "lease_duration": 0, |
||
| − | "renewable": false, |
||
| − | "data": { |
||
| − | "ca_chain": [ |
||
| − | "-----BEGIN CERTIFICATE-----\nMIIE9TCCA92gAwIBAgIUNQ7Ve4VVV9OZ7Sw1x9vTmaybowEwDQYJKoZIhvcNAQEL\nBQAwgcAxEDAOBgNVBAYTB1VrcmFpbmUxEDAOBgNVBAcTB0toYXJrb3YxLTAPBgNV\nBAkTCGFwcC4gMTMxMBoGA1UECRMTTHVpIFBhc3RlcmEgU3QuIDMyMjEOMAwGA1UE\nERMFNjExNzIxFTATBgNVBAoTDEhvbWUgTmV0d29yazELMAkGA1UECxMCSVQxNzA1\nBgNVBAMTLlJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IGZvciBIb21lIE5ldHdv\ncmsgdjIwHhcNMjIxMDAzMTU1MzA1WhcNNDIwOTI4MTU1MzM1WjCBtjEQMA4GA1UE\nBhMHVWtyYWluZTEQMA4GA1UEBxMHS2hhcmtvdjElMCMGA1UECRMcTHVpIFBhc3Rl\ncmEgc3QuIDMyMiBhcHAuIDEzMTEOMAwGA1UEERMFNjExNzIxITAfBgNVBAoTGEs4\ncyBUaGUgSGFyZGVzdCBXYXkgTGFiczELMAkGA1UECxMCSVQxKTAnBgNVBAMTIElu\ndGVybWVkaWF0ZSBDQSBmb3Igc2VydmljZSBFVENkMIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEAwwQ18ClZM9ujioj2RLDf7a9iIM2zZ6yYFSKWx8cE31TF\nJs2a5HvmCSP7uavQCBefCsOf9UXLiVXEhw7lfq61h2Q5BAWYxZecftGncPKVZMXI\nxPy8b49Xu06TylZtARDsPCcEeUYPJ3G0lS70PI8iJny3UfqxgGakP19aS7Z6YFVI\nqRXfMuL+zuShVjQ9JxzgmWKgQOZuySNiZEofPFQBB9iIiNcBS/x3r1IckkyF5lyl\n4R6fhhsoTPzRYq0PMoCoO1bnftFzEYYMHH8UWLv/F1O0MVSZ6ThtgYHp20pHO+af\ndfsrEBbzFlKjk8uTmmdYStY9PF0/QqDYW2Vfcbo+VwIDAQABo4HuMIHrMA4GA1Ud\nDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRgQTF5WJCpY2LC\nJv2PArYHGh1cUDAfBgNVHSMEGDAWgBQC+IUrdfjhHGkoMDIhLYZxr6vsPDBIBggr\nBgEFBQcBAQQ8MDowOAYIKwYBBQUHMAKGLGh0dHA6Ly92YXVsdC5ob21lOjgyMDAv\ndjEvazhzX3BraV9yb290X2NhL2NhMD4GA1UdHwQ3MDUwM6AxoC+GLWh0dHA6Ly92\nYXVsdC5ob21lOjgyMDAvdjEvazhzX3BraV9yb290X2NhL2NybDANBgkqhkiG9w0B\nAQsFAAOCAQEAZfidbG1qFNM3Mq7B3ibzyJ/mFV+DI1pnhWdJ26CEf6WAdTh4+Zrk\nUHwClcUfnVNJZSakf1bSsbn3YINzYfFrJjllv4xvgZSC/iOhDO5k27Zlouc3EgIU\nSyt267CXl6D45Q6qkFilBZiJ/npMXrvOKxSY+SeFtI6mvXthJ5YbJvmq8AWlgfxf\nGjNGpB4p7UZzQ5x3mBS3nsugH8qjFD8BDHsCmiemFVtJw/QkECxvJqkxtY5VEffo\nJmW5CxYrCdewvVGkgifREEGI2GltrDrH6rMugtVjuNAWzW40pVLKl/+0/Jv87wAv\nfITqQgiqa0FjitvfYQO2qIxSCJkt+kD3Vg==\n-----END CERTIFICATE-----" |
||
| − | ], |
||
| − | "certificate": "-----BEGIN CERTIFICATE-----\nMIIFOTCCBCGgAwIBAgIUKKwgMv5GsnhhEfBG2ufSzwL8T/EwDQYJKoZIhvcNAQEL\nBQAwgbYxEDAOBgNVBAYTB1VrcmFpbmUxEDAOBgNVBAcTB0toYXJrb3YxJTAjBgNV\nBAkTHEx1aSBQYXN0ZXJhIHN0LiAzMjIgYXBwLiAxMzExDjAMBgNVBBETBTYxMTcy\nMSEwHwYDVQQKExhLOHMgVGhlIEhhcmRlc3QgV2F5IExhYnMxCzAJBgNVBAsTAklU\nMSkwJwYDVQQDEyBJbnRlcm1lZGlhdGUgQ0EgZm9yIHNlcnZpY2UgRVRDZDAeFw0y\nMjEwMDYxMTQxNTRaFw0yNzEwMDUxMTQyMjBaMIGbMRAwDgYDVQQGEwdVa3JhaW5l\nMRAwDgYDVQQHEwdLaGFya292MSQwIgYDVQQJExtMdWkgUGFzdGVyYSBzdCAzMjIg\nYXBwLiAzMTExDjAMBgNVBBETBTYxMTcyMRUwEwYDVQQKEwxIb21lIE5ldHdvcmsx\nCzAJBgNVBAsTAklUMRswGQYDVQQDExJ2YXVsdC5leGFtcGxlLmhvbWUwggEiMA0G\nCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtTjglMxGwqqsaF3+O38oyzNXVN1Br\nv2UnsUDPr9BIDqI/dZgo+d3p5U6my7KfVkaMi+Q3GS9ml3DujB0DtGYanhxzX+Ew\nZPwz26nvwjajSoCZb1X7QonxANbXJhaJGS5MwvDUoGvTlzZgoB4GdI/KUzJ2Gxvy\n7xkG0wqIlyyMfRI/NBSfjKy0le8gflXgs7i8UlEKcaCqDtktoQbI8S95uuRMVONy\n/BpDnPY1kt7B5qWiZQ5wzzTLT5+eDoDQxqLBDgGCezaz9HNeikPexUtzrEXSc4yr\nLmCssE6EF7ieeDYv9Geyagx42qilJFW3TuWAErnSaClehdN6Pgbo5+YnAgMBAAGj\nggFWMIIBUjAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHQYD\nVR0OBBYEFExMIsFEaCXQa6p/q1yOFvW3vN+vMB8GA1UdIwQYMBaAFGBBMXlYkKlj\nYsIm/Y8CtgcaHVxQMGEGCCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDov\nL3ZhdWx0LmhvbWU6ODIwMC92MS9rOHNfcGtpX2ludGVybWVkaWF0ZV9jYV9mb3Jf\nc2VydmljZV9ldGNkL2NhMC8GA1UdEQQoMCaCEHBraS5leGFtcGxlLmhvbWWCEnZh\ndWx0LmV4YW1wbGUuaG9tZTBXBgNVHR8EUDBOMEygSqBIhkZodHRwOi8vdmF1bHQu\naG9tZTo4MjAwL3YxL2s4c19wa2lfaW50ZXJtZWRpYXRlX2NhX2Zvcl9zZXJ2aWNl\nX2V0Y2QvY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQB67vlaiNztDbH3JpfZ+pjns0Ph\nb/rkPE3f/CY2+F5zaDlq15lTGRYG7CV8s3/GH/sSYegwfPqvEEgaM7fz+PTEKL85\nQkFgZht6LVpPd6MZ8aptwaRhlW3dSIxtjtYUVfhhTV1y0YcuntTDyoQUv7Ekoq+s\nvZLlwFcZ1Sg2vP/aZ+gYzcZvId3ssXWIYMPV+4vPkeBFMIn8mfy0MmwvJ2HcEKWL\nRD9Q4ECcbdbBi8ZNeeGcbkYWe90+90ZfUaD1pA7XsOg70S65Rf1gtrqNZT2twfgu\nh6ZhLtDoLvXRO75DKgzT1x28x07PYDHm35waa9ld+hkNIcf/1qR4Gvwae9w0\n-----END CERTIFICATE-----", |
||
| − | "expiration": 1822736540, |
||
| − | "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIE9TCCA92gAwIBAgIUNQ7Ve4VVV9OZ7Sw1x9vTmaybowEwDQYJKoZIhvcNAQEL\nBQAwgcAxEDAOBgNVBAYTB1VrcmFpbmUxEDAOBgNVBAcTB0toYXJrb3YxLTAPBgNV\nBAkTCGFwcC4gMTMxMBoGA1UECRMTTHVpIFBhc3RlcmEgU3QuIDMyMjEOMAwGA1UE\nERMFNjExNzIxFTATBgNVBAoTDEhvbWUgTmV0d29yazELMAkGA1UECxMCSVQxNzA1\nBgNVBAMTLlJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IGZvciBIb21lIE5ldHdv\ncmsgdjIwHhcNMjIxMDAzMTU1MzA1WhcNNDIwOTI4MTU1MzM1WjCBtjEQMA4GA1UE\nBhMHVWtyYWluZTEQMA4GA1UEBxMHS2hhcmtvdjElMCMGA1UECRMcTHVpIFBhc3Rl\ncmEgc3QuIDMyMiBhcHAuIDEzMTEOMAwGA1UEERMFNjExNzIxITAfBgNVBAoTGEs4\ncyBUaGUgSGFyZGVzdCBXYXkgTGFiczELMAkGA1UECxMCSVQxKTAnBgNVBAMTIElu\ndGVybWVkaWF0ZSBDQSBmb3Igc2VydmljZSBFVENkMIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEAwwQ18ClZM9ujioj2RLDf7a9iIM2zZ6yYFSKWx8cE31TF\nJs2a5HvmCSP7uavQCBefCsOf9UXLiVXEhw7lfq61h2Q5BAWYxZecftGncPKVZMXI\nxPy8b49Xu06TylZtARDsPCcEeUYPJ3G0lS70PI8iJny3UfqxgGakP19aS7Z6YFVI\nqRXfMuL+zuShVjQ9JxzgmWKgQOZuySNiZEofPFQBB9iIiNcBS/x3r1IckkyF5lyl\n4R6fhhsoTPzRYq0PMoCoO1bnftFzEYYMHH8UWLv/F1O0MVSZ6ThtgYHp20pHO+af\ndfsrEBbzFlKjk8uTmmdYStY9PF0/QqDYW2Vfcbo+VwIDAQABo4HuMIHrMA4GA1Ud\nDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRgQTF5WJCpY2LC\nJv2PArYHGh1cUDAfBgNVHSMEGDAWgBQC+IUrdfjhHGkoMDIhLYZxr6vsPDBIBggr\nBgEFBQcBAQQ8MDowOAYIKwYBBQUHMAKGLGh0dHA6Ly92YXVsdC5ob21lOjgyMDAv\ndjEvazhzX3BraV9yb290X2NhL2NhMD4GA1UdHwQ3MDUwM6AxoC+GLWh0dHA6Ly92\nYXVsdC5ob21lOjgyMDAvdjEvazhzX3BraV9yb290X2NhL2NybDANBgkqhkiG9w0B\nAQsFAAOCAQEAZfidbG1qFNM3Mq7B3ibzyJ/mFV+DI1pnhWdJ26CEf6WAdTh4+Zrk\nUHwClcUfnVNJZSakf1bSsbn3YINzYfFrJjllv4xvgZSC/iOhDO5k27Zlouc3EgIU\nSyt267CXl6D45Q6qkFilBZiJ/npMXrvOKxSY+SeFtI6mvXthJ5YbJvmq8AWlgfxf\nGjNGpB4p7UZzQ5x3mBS3nsugH8qjFD8BDHsCmiemFVtJw/QkECxvJqkxtY5VEffo\nJmW5CxYrCdewvVGkgifREEGI2GltrDrH6rMugtVjuNAWzW40pVLKl/+0/Jv87wAv\nfITqQgiqa0FjitvfYQO2qIxSCJkt+kD3Vg==\n-----END CERTIFICATE-----", |
||
| − | "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEArU44JTMRsKqrGhd/jt/KMszV1TdQa79lJ7FAz6/QSA6iP3WY\nKPnd6eVOpsuyn1ZGjIvkNxkvZpdw7owdA7RmGp4cc1/hMGT8M9up78I2o0qAmW9V\n+0KJ8QDW1yYWiRkuTMLw1KBr05c2YKAeBnSPylMydhsb8u8ZBtMKiJcsjH0SPzQU\nn4ystJXvIH5V4LO4vFJRCnGgqg7ZLaEGyPEvebrkTFTjcvwaQ5z2NZLewealomUO\ncM80y0+fng6A0MaiwQ4Bgns2s/RzXopD3sVLc6xF0nOMqy5grLBOhBe4nng2L/Rn\nsmoMeNqopSRVt07lgBK50mgpXoXTej4G6OfmJwIDAQABAoIBAGO5rvU4/eT7UJoj\nC3Pbsy6oUCPxQIXADSVaCkF4mhHc2eBKetSZc+kz2p6AeLjXnKEjnp9WDsCqRIIA\nfnGzTU3jzdtWQO7oLXhp3s/ooig0puuj9YYwM9BK+1WyxST/KHVjd9Hivilzygaw\nHJb6XAPA/DiaQOr6SxxyNI2E8E2meH35efKv4bpAnNiU1k5VVNm38XWRqdU3Pjdc\n8Rl+50YsLG06DqEsAqiXzobU9+YRitQFXErBBe1EmYkIf5sTpg8ZW552d5IdTK7V\nlJsspNxgroidSb7DiYwDA9+4JurqlAaZwVb6AgrlXyqaFCtUj7BWlObjY4aeQE2h\n8+LjbgECgYEA0QVokrbb/89gNg3mVmlJFhvsyp+rQyAe3KKvo0c35+n8Cv1HmUtn\nABLPg4xDE8ZXILonk53N5AEy1PYEKL7JwlgpXorgIbzaI4AwWh9qwn7NZDJV2zYC\nKUev8MY1UkogiKOctfP6jFkAhe2FbchVyPpPkLQxQaiuF7woyA6zyhECgYEA1EHR\npQRR05ns538WGtC5ytHWTDe0qmPOnn5gcSXyL/VGYTpfGmW+yJde1PcN+3Ukh5Wx\nediQBylnJSWVM3GLei/ETk4MG1Cs1q7fRBuqeUFL2rhBoMIWw2Y4MaBeY+tNzSWA\nXsJEwSZtWJbdlXWzveM8OmeUkS/Neg9PV8znNLcCgYAbkZ8NWtkBkJScDJFI7HIb\nXGuK/ixUmjP33e1Ul9wj1pTLzkRXT76yH8kHDMT8IrjzNBpsOfAiFpZhyGEcDq4F\n2CL8uUx+pq4O6KV3/ZTTOm5UvN7eHu2CDFaEZ2A5DlXkL9BHn3p4cHTFNWLX7AiE\njZ9Y8qtcgacUslieqnHEQQKBgQCkBCBN1WKtkloAILIiEnwe/7sKtlkC+ZDl5F39\n0QaujGfQJdzrdwfP1ThQdH/3eXO62a+EqhXRkurDR6FdWTYgOt0EbUbprJOCaSrZ\nZE981zoYTx1XbeNNJqXxoyyNJXy/M2VY0+FxJ5KDTED5hzRXXUpjDzs8XaX31fDH\ntexLTQKBgQCwhsWc0rA8tE1C4vjp5qAKsZxB7WNOLmkMxyU9Iw5tC3dHnwxUJZkA\nvNhpK6RKn2b4EExuuZTRAcPEV3ddhOOoZpyy48WVEF5Iq3s+7/NZOq66poZUz17z\nwhRJIuic/EzYBnmKy0T4wdCyhkqLVGHIvH+412cJ5eqyHeMQbzG+oA==\n-----END RSA PRIVATE KEY-----", |
||
| − | "private_key_type": "rsa", |
||
| − | "serial_number": "28:ac:20:32:fe:46:b2:78:61:11:f0:46:da:e7:d2:cf:02:fc:4f:f1" |
||
| − | }, |
||
| − | "warnings": null |
||
| − | </PRE> |
||
| − | }} |
||
| − | Из JSON можно выделить отдельные поля |
||
| − | <PRE> |
||
| − | cat vault.example.home.crt | jq -r .data.ca_chain[] > vault.example.home.ca_chain.pem |
||
| − | cat vault.example.home.crt | jq -r .data.certificate > vault.example.home.certificate.pem |
||
| − | cat vault.example.home.crt | jq -r .data.issuing_ca > vault.example.home.issuing_ca.pem |
||
| − | </PRE> |
||
| − | |||
| − | ====Сертификат сервера==== |
||
| − | Наиболее интересные поля - ожидаемые значения: |
||
| − | |||
| − | * CN = '''vault.example.home''' |
||
| − | * X509v3 Subject Alternative Name: DNS:pki.example.home, DNS:vault.example.home |
||
| − | * IP адреса в AltNames не присутвуют |
||
| − | |||
| − | <PRE> |
||
| − | openssl x509 -in vault.example.home.certificate.pem -text -noout |
||
| − | </PRE> |
||
| − | <PRE> |
||
| − | Certificate: |
||
| − | Data: |
||
| − | Version: 3 (0x2) |
||
| − | Serial Number: |
||
| − | 28:ac:20:32:fe:46:b2:78:61:11:f0:46:da:e7:d2:cf:02:fc:4f:f1 |
||
| − | Signature Algorithm: sha256WithRSAEncryption |
||
| − | Issuer: C = Ukraine, L = Kharkov, street = Lui Pastera st. 322 app. 131, postalCode = 61172, O = K8s The Hardest Way Labs, OU = IT, CN = Intermediate CA for service ETCd |
||
| − | Validity |
||
| − | Not Before: Oct 6 11:41:54 2022 GMT |
||
| − | Not After : Oct 5 11:42:20 2027 GMT |
||
| − | Subject: C = Ukraine, L = Kharkov, street = Lui Pastera st 322 app. 311, postalCode = 61172, O = Home Network, OU = IT, CN = vault.example.home |
||
| − | Subject Public Key Info: |
||
| − | Public Key Algorithm: rsaEncryption |
||
| − | RSA Public-Key: (2048 bit) |
||
| − | Modulus: |
||
| − | 00:ad:4e:38:25:33:11:b0:aa:ab:1a:17:7f:8e:df: |
||
| − | ... |
||
| − | e5:80:12:b9:d2:68:29:5e:85:d3:7a:3e:06:e8:e7: |
||
| − | e6:27 |
||
| − | Exponent: 65537 (0x10001) |
||
| − | X509v3 extensions: |
||
| − | X509v3 Key Usage: critical |
||
| − | Digital Signature, Key Encipherment |
||
| − | X509v3 Extended Key Usage: |
||
| − | TLS Web Server Authentication |
||
| − | X509v3 Subject Key Identifier: |
||
| − | 4C:4C:22:C1:44:68:25:D0:6B:AA:7F:AB:5C:8E:16:F5:B7:BC:DF:AF |
||
| − | X509v3 Authority Key Identifier: |
||
| − | keyid:60:41:31:79:58:90:A9:63:62:C2:26:FD:8F:02:B6:07:1A:1D:5C:50 |
||
| − | |||
| − | Authority Information Access: |
||
| − | CA Issuers - URI:http://vault.home:8200/v1/k8s_pki_intermediate_ca_for_service_etcd/ca |
||
| − | |||
| − | X509v3 Subject Alternative Name: |
||
| − | DNS:pki.example.home, DNS:vault.example.home |
||
| − | X509v3 CRL Distribution Points: |
||
| − | |||
| − | Full Name: |
||
| − | URI:http://vault.home:8200/v1/k8s_pki_intermediate_ca_for_service_etcd/crl |
||
| − | |||
| − | Signature Algorithm: sha256WithRSAEncryption |
||
| − | 7a:ee:f9:5a:88:dc:ed:0d:b1:f7:26:97:d9:fa:98:e7:b3:43: |
||
| − | ... |
||
| − | </PRE> |
||
| − | ====Промежуточный CA==== |
||
| − | <PRE> |
||
| − | openssl x509 -in vault.example.home.issuing_ca.pem -text -noout |
||
| − | </PRE> |
||
| − | * Видно '''CN = Intermediate CA for service ETCd''', другими словами это промежуточный сертификат удостоверяющего центра (СА) для ETCd |
||
| − | <PRE> |
||
| − | Certificate: |
||
| − | Data: |
||
| − | Version: 3 (0x2) |
||
| − | Serial Number: |
||
| − | 35:0e:d5:7b:85:55:57:d3:99:ed:2c:35:c7:db:d3:99:ac:9b:a3:01 |
||
| − | Signature Algorithm: sha256WithRSAEncryption |
||
| − | Issuer: C = Ukraine, L = Kharkov, street = app. 131 + street = Lui Pastera St. 322, postalCode = 61172, O = Home Network, OU = IT, CN = Root Certificate Authority for Home Network v2 |
||
| − | Validity |
||
| − | Not Before: Oct 3 15:53:05 2022 GMT |
||
| − | Not After : Sep 28 15:53:35 2042 GMT |
||
| − | Subject: C = Ukraine, L = Kharkov, street = Lui Pastera st. 322 app. 131, postalCode = 61172, O = K8s The Hardest Way Labs, OU = IT, CN = Intermediate CA for service ETCd |
||
| − | Subject Public Key Info: |
||
| − | Public Key Algorithm: rsaEncryption |
||
| − | RSA Public-Key: (2048 bit) |
||
| − | Modulus: |
||
| − | 00:c3:04:35:f0:29:59:33:db:a3:8a:88:f6:44:b0: |
||
| − | ... |
||
| − | 58:4a:d6:3d:3c:5d:3f:42:a0:d8:5b:65:5f:71:ba: |
||
| − | 3e:57 |
||
| − | Exponent: 65537 (0x10001) |
||
| − | X509v3 extensions: |
||
| − | X509v3 Key Usage: critical |
||
| − | Certificate Sign, CRL Sign |
||
| − | X509v3 Basic Constraints: critical |
||
| − | CA:TRUE |
||
| − | X509v3 Subject Key Identifier: |
||
| − | 60:41:31:79:58:90:A9:63:62:C2:26:FD:8F:02:B6:07:1A:1D:5C:50 |
||
| − | X509v3 Authority Key Identifier: |
||
| − | keyid:02:F8:85:2B:75:F8:E1:1C:69:28:30:32:21:2D:86:71:AF:AB:EC:3C |
||
| − | |||
| − | Authority Information Access: |
||
| − | CA Issuers - URI:http://vault.home:8200/v1/k8s_pki_root_ca/ca |
||
| − | |||
| − | X509v3 CRL Distribution Points: |
||
| − | |||
| − | Full Name: |
||
| − | URI:http://vault.home:8200/v1/k8s_pki_root_ca/crl |
||
| − | |||
| − | Signature Algorithm: sha256WithRSAEncryption |
||
| − | 65:f8:9d:6c:6d:6a:14:d3:37:32:ae:c1:de:26:f3:c8:9f:e6: |
||
| − | ... |
||
| − | 42:08:aa:6b:41:63:8a:db:df:61:03:b6:a8:8c:52:08:99:2d: |
||
| − | fa:40:f7:56 |
||
| − | </PRE> |
||
| − | |||
| − | ====Верефикация==== |
||
| − | Окончательная проверка цепочки доверия |
||
| − | <br> |
||
| − | Корневой Сертификат → Промежуточный для СА Etcd → Тестовый Сертификат |
||
| − | |||
| − | |||
| − | * Корневой сертификат не является секретным (в отличие от ключа!) и его всегда можно скачать с Vault: |
||
| − | <PRE> |
||
| − | echo "-----BEGIN CERTIFICATE-----" > k8s_pki_root_ca.pem && \ |
||
| − | curl "http://vault.home:8200/v1/k8s_pki_root_ca/ca" | base64 >> k8s_pki_root_ca.pem && \ |
||
| − | echo "-----END CERTIFICATE-----" >> k8s_pki_root_ca.pem |
||
| − | </PRE> |
||
| − | * Указать промежуточный как untrusted (или добавить в доверенные) |
||
| − | <PRE> |
||
| − | openssl \ |
||
| − | verify \ |
||
| − | -verbose \ |
||
| − | -CAfile k8s_pki_root_ca.pem \ |
||
| − | -untrusted vault.example.home.issuing_ca.pem \ |
||
| − | vault.example.home.certificate.pem |
||
| − | </PRE> |
||
| − | <PRE> |
||
| − | vault.example.home.certificate.pem: OK |
||
| − | </PRE> |
||
| − | Однако в этой команде меня смущает слово '''-untrusted''' |
||
| − | |||
| − | Второй способ - это создание "бандла" (те поместить в один файл промежуточный CA а за ним сертификат) |
||
| − | <PRE> |
||
| − | cat vault.example.home.issuing_ca.pem > vault.example.home.ca_bundle |
||
| − | cat vault.example.home.certificate.pem >> vault.example.home.ca_bundle |
||
| − | </PRE> |
||
| − | Теперь верификация проходит без беспокоящего '''-untrusted''' |
||
| − | <PRE> |
||
| − | openssl \ |
||
| − | verify \ |
||
| − | -verbose \ |
||
| − | -CAfile k8s_pki_root_ca.pem \ |
||
| − | vault.example.home.ca_bundle |
||
| − | </PRE> |
||
| − | <PRE> |
||
| − | vault.example.home.ca_bundle: OK |
||
| − | </PRE> |
||
| − | ====Верефикация c nginx==== |
||
| − | Для полноты картины создадим тестовый web-сервер и используем подписанный сертификат |
||
| − | |||
| − | * Пример виртуалхоста |
||
| − | * Путь к ключу и сертификату (ключ можно получить из оригинального вывода Vault при создании сертификата, |
||
| − | <PRE> |
||
| − | ssl_certificate /etc/nginx/certs/vault.example.home.ca_bundle; |
||
| − | ssl_certificate_key /etc/nginx/certs/vault.example.home.key; |
||
| − | </PRE> |
||
| − | '''Формат в nginx отличается''' - в файле /etc/nginx/certs/vault.example.home.ca_bundle СНАЧАЛА идет сертификат сервера, а потом - промежуточный сертификат (https://nginx.org/en/docs/http/configuring_https_servers.html) |
||
| − | <PRE> |
||
| − | * Полный конфиг |
||
| − | server { |
||
| − | listen 8203 default_server ssl; |
||
| − | root /var/www/html; |
||
| − | server_name vault.example.home; |
||
| − | access_log /var/log/nginx/vault.example.home-access.log postdata; |
||
| − | error_log /var/log/nginx/vault.example.home-error.log; |
||
| − | |||
| − | ssl_certificate /etc/nginx/certs/vault.example.home.ca_bundle; |
||
| − | ssl_certificate_key /etc/nginx/certs/vault.example.home.key; |
||
| − | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; |
||
| − | ssl_ciphers HIGH:!aNULL:!MD5; |
||
| − | |||
| − | location / { |
||
| − | client_body_buffer_size 64k; |
||
| − | client_body_in_single_buffer on; |
||
| − | proxy_pass http://127.0.0.1:8200; |
||
| − | proxy_set_header Host $host:$server_port; |
||
| − | proxy_set_header X-Real-IP $remote_addr; |
||
| − | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
||
| − | proxy_set_header X-Forwarded-Proto $scheme; |
||
| − | proxy_http_version 1.1; |
||
| − | proxy_request_buffering off; |
||
| − | } |
||
| − | } |
||
| − | </PRE> |
||
| − | |||
| − | Для того что бы проверить, нужно на том хосте откуда делается запрос добавить сертификат СА в доверенные |
||
| − | * в /usr/local/share/ca-certificates/extra положить СА (его всегда можно скачать) |
||
| − | * запустить update-ca-certificates |
||
| − | <PRE> |
||
| − | # update-ca-certificates |
||
| − | </PRE> |
||
| − | <PRE> |
||
| − | Updating certificates in /etc/ssl/certs... |
||
| − | 1 added, 0 removed; done. |
||
| − | Running hooks in /etc/ca-certificates/update.d... |
||
| − | |||
| − | Adding debian:k8s_pki_root_ca.pem |
||
| − | done. |
||
| − | done. |
||
| − | </PRE> |
||
| − | |||
| − | После этого curl может подключиться без ошибок верефикации |
||
| − | <PRE> |
||
| − | curl -v https://vault.example.home:8203 |
||
| − | </PRE> |
||
| − | <PRE> |
||
| − | * successfully set certificate verify locations: |
||
| − | * CAfile: none |
||
| − | CApath: /etc/ssl/certs |
||
| − | * TLSv1.3 (OUT), TLS handshake, Client hello (1): |
||
| − | * TLSv1.3 (IN), TLS handshake, Server hello (2): |
||
| − | * TLSv1.2 (IN), TLS handshake, Certificate (11): |
||
| − | * TLSv1.2 (IN), TLS handshake, Server key exchange (12): |
||
| − | * TLSv1.2 (IN), TLS handshake, Server finished (14): |
||
| − | * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): |
||
| − | * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): |
||
| − | * TLSv1.2 (OUT), TLS handshake, Finished (20): |
||
| − | * TLSv1.2 (IN), TLS handshake, Finished (20): |
||
| − | * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 |
||
| − | * ALPN, server accepted to use http/1.1 |
||
| − | * Server certificate: |
||
| − | * subject: C=Ukraine; L=Kharkov; street=Lui Pastera st 322 app. 311; postalCode=61172; O=Home Network; OU=IT; CN=vault.example.home |
||
| − | * start date: Oct 6 11:41:54 2022 GMT |
||
| − | * expire date: Oct 5 11:42:20 2027 GMT |
||
| − | * subjectAltName: host "vault.example.home" matched cert's "vault.example.home" |
||
| − | * issuer: C=Ukraine; L=Kharkov; street=Lui Pastera st. 322 app. 131; postalCode=61172; O=K8s The Hardest Way Labs; OU=IT; CN=Intermediate CA for service ETCd |
||
| − | * SSL certificate verify ok. |
||
| − | > GET / HTTP/1.1 |
||
| − | > Host: vault.example.home:8203 |
||
| − | > User-Agent: curl/7.64.0 |
||
| − | > Accept: */* |
||
| − | > |
||
| − | < HTTP/1.1 404 Not Found |
||
| − | < Server: nginx/1.14.2 |
||
| − | < Date: Fri, 07 Oct 2022 17:22:22 GMT |
||
| − | < Content-Type: text/plain; charset=utf-8 |
||
| − | < Content-Length: 19 |
||
| − | < Connection: keep-alive |
||
| − | < Cache-Control: no-store |
||
| − | < X-Content-Type-Options: nosniff |
||
| − | </PRE> |
||
| − | Код 404 тут ожидаем так как нет задачи получить данные, а только проверить правильность настройки SSL |
||
==Получение клиентского сертефиката== |
==Получение клиентского сертефиката== |
||
Версия 20:14, 11 октября 2022
Вводная часть
Тут описывается создание сертификатов для etcd
Это продолжение Статьи про создание промежуточного СА
Упрощение работы
Путь к PKI (k8s_pki_intermediate_ca_for_service_etcd) встречается многократно, и он вынесен в переменную
cat 00_env
export PKI_NAME="k8s_pki_intermediate_ca_for_service_etcd"
Роли и пользователи для peer-to-peer сертификатов
В кластере участвуют три сервера, соответственно для каждого из них требуется отдельные настройки - роль, пользователь ...
Роли для получения peer-to-peer сертификатов
Три зоны - три роли, по одной для каждого сервера
client_flag=true server_flag=true enforce_hostnames=true key_usage="DigitalSignature,KeyEncipherment" ext_key_usage="ClientAuth,ServerAuth"
#!/bin/bash
source ./00_env
for AZ in $(seq 1 3);
do
DOMAIN="etcd.master.az${AZ}.k8s.cluster.home"
NAME="${DOMAIN}-client-and-server"
vault \
write \
${PKI_NAME}/roles/${NAME}-role \
country="Ukraine" \
locality="Kharkov" \
street_address="Lui Pastera st 322 app. 311"\
postal_code="61172" \
organization="Home Network" \
ou="IT" \
allowed_domains="${DOMAIN}" \
allow_subdomains=false \
max_ttl="87600h" \
key_bits="2048" \
key_type="rsa" \
allow_any_name=false \
allow_bare_domains=true \
allow_glob_domain=false \
allow_ip_sans=true \
allow_localhost=false \
client_flag=true \
server_flag=true \
enforce_hostnames=true \
key_usage="DigitalSignature,KeyEncipherment" \
ext_key_usage="ClientAuth,ServerAuth" \
require_cn=true
done
Success! Data written to: k8s_pki_intermediate_ca_for_service_etcd/roles/etcd.master.az1.k8s.cluster.home-client-and-server-role Success! Data written to: k8s_pki_intermediate_ca_for_service_etcd/roles/etcd.master.az2.k8s.cluster.home-client-and-server-role Success! Data written to: k8s_pki_intermediate_ca_for_service_etcd/roles/etcd.master.az3.k8s.cluster.home-client-and-server-role
Создание политики, пользователя и привязка политики к пользователю
#!/bin/bash
source ./00_env
for AZ in $(seq 1 3);
do
DOMAIN="etcd.master.az${AZ}.k8s.cluster.home"
NAME="${DOMAIN}-client-and-server"
cat << EOF > ${NAME}-policy.hlc
path "${PKI_NAME}/issue/${NAME}-role"
{
capabilities = ["read", "create", "list", "update"]
}
EOF
vault \
policy \
write \
${NAME}-policy \
${NAME}-policy.hlc
vault \
write \
auth/userpass/users/${NAME}-user \
password=${NAME}-password \
policies=" ${NAME}-policy,default"
done
Success! Uploaded policy: etcd.master.az1.k8s.cluster.home-client-and-server-policy Success! Data written to: auth/userpass/users/etcd.master.az1.k8s.cluster.home-client-and-server-user Success! Uploaded policy: etcd.master.az2.k8s.cluster.home-client-and-server-policy Success! Data written to: auth/userpass/users/etcd.master.az2.k8s.cluster.home-client-and-server-user Success! Uploaded policy: etcd.master.az3.k8s.cluster.home-client-and-server-policy Success! Data written to: auth/userpass/users/etcd.master.az3.k8s.cluster.home-client-and-server-user
Просмотр созданных политик
#!/bin/bash
source ./00_env
echo "---------ROLES---------------------"
vault \
list \
${PKI_NAME}/roles
echo "---------USERS---------------------"
vault \
list \
auth/userpass/users
echo "------------------------------"
for AZ in $(seq 1 3);
do
DOMAIN="etcd.master.az${AZ}.k8s.cluster.home"
NAME="${DOMAIN}-client-and-server"
vault \
policy \
read \
${NAME}-policy
vault \
read \
auth/userpass/users/${NAME}-user
done
Получения сертефикатов
- Получать непосредственно на нодах
- на нодах меняются домены, роли и пользователи
Получение серверного сертефиката
#!/bin/bash
source ./00_env
mkdir -p /etc/etcd/server/
AZ=1
DOMAIN="etcd.master.az${AZ}.k8s.cluster.home"
NAME="${DOMAIN}-client-and-server"
vault \
login \
-method=userpass \
username="${NAME}-user" \
password="${NAME}-password"
echo "========"
vault \
write \
-format=json \
${PKI_NAME}/issue/${NAME}-role \
common_name="${DOMAIN}" \
ttl="43800h" \
> /etc/etcd/server/${DOMAIN}.crt.json
Получение сертификата
#!/bin/bash
PKI_NAME="k8s_pki_intermediate_ca_for_service_etcd"
CERTS_PATH="/etc/etcd/certs/server"
mkdir -p ${CERTS_PATH}
AZ=1
DOMAIN="etcd.master.az${AZ}.k8s.cluster.home"
NAME="${DOMAIN}-client-and-server"
vault \
login \
-method=userpass \
username="${NAME}-user" \
password="${NAME}-password"
echo "========"
vault \
write \
-format=json \
${PKI_NAME}/issue/${NAME}-role \
common_name="${DOMAIN}" \
ttl="43800h" \
> ${CERTS_PATH}/${DOMAIN}.crt.json
cat \
${CERTS_PATH}/${DOMAIN}.crt.json \
| jq -r '.data.private_key' > ${CERTS_PATH}/${DOMAIN}.key
cat \
${CERTS_PATH}/${DOMAIN}.crt.json \
| jq -r '.data.certificate' > ${CERTS_PATH}/${DOMAIN}.pem
cat \
${CERTS_PATH}/${DOMAIN}.crt.json \
| jq -r '.data.ca_chain[]' >> ${CERTS_PATH}/${DOMAIN}.pem
ln -sf ${CERTS_PATH}/${DOMAIN}.key ${CERTS_PATH}/etcd-server-key.pem
ln -sf ${CERTS_PATH}/${DOMAIN}.pem ${CERTS_PATH}/etcd-server-crt.pem
Key Value --- ----- token s.7DfyaDzZZOb9fkV4NU8xR0Gw token_accessor cChs7RffaXPyrtLVmV9VGW8b token_duration 768h token_renewable true token_policies ["default" "etcd.master.az1.k8s.cluster.home-client-and-server-policy"] identity_policies [] policies ["default" "etcd.master.az1.k8s.cluster.home-client-and-server-policy"] token_meta_username etcd.master.az1.k8s.cluster.home-client-and-server-user ========
Получение клиентского сертефиката
Проверка прав (негативный сценарий)
С "серверным" пользователем - нет прав
source ./00_env
vault \
login \
-method=userpass \
username=example-dot-home-server-crt-user \
password=server
Success! You are now authenticated. The token information displayed below is already stored in the token helper. You do NOT need to run "vault login" again. Future Vault requests will automatically use this token. Key Value --- ----- token s.P9nYzZ3Pev2IeNKaUYvDIDdt token_accessor AbXtLIzNhYJRvv6paZr3U6cn token_duration 768h token_renewable true token_policies ["default" "example-dot-home-server-crt-policy"] identity_policies [] policies ["default" "example-dot-home-server-crt-policy"] token_meta_username example-dot-home-server-crt-user
vault \
write \
-format=json \
${PKI_NAME}/issue/example-dot-home-client-crt \
common_name="vault.example.home" \
alt_names="pki.example.home" \
ttl="43800h" > vault.example.home-client.crt
Error writing data to k8s_pki_intermediate_ca_for_service_etcd/issue/example-dot-home-client-crt: Error making API request. URL: PUT http://127.0.0.1:8200/v1/k8s_pki_intermediate_ca_for_service_etcd/issue/example-dot-home-client-crt Code: 403. Errors: * 1 error occurred: * permission denied
Результат соответствует ожидаемому.
Получение клиентского сертификата c правильным пользователем
vault \
login \
-method=userpass \
username=example-dot-home-any-crt-user \
password=any
vault \
write \
-format=json \
${PKI_NAME}/issue/example-dot-home-client-crt \
common_name="vault.example.home" \
alt_names="pki.example.home" \
ttl="43800h" > vault.example.home-client.crt.json
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token s.vAKcP6hGLv9OHkm8ToBHFq5M
token_accessor OoNShUinoMhne5s8scFcZ0Hm
token_duration 768h
token_renewable true
token_policies ["default" "example-dot-home-client-crt-policy" "example-dot-home-server-crt-policy"]
identity_policies []
policies ["default" "example-dot-home-client-crt-policy" "example-dot-home-server-crt-policy"]
token_meta_username example-dot-home-any-crt-user
Проверка полученного результата
cat vault.example.home-client.crt.json | jq -r '.data.certificate' > vault.example.home-client.crt cat vault.example.home-client.crt.json | jq -r '.data.private_key' > vault.example.home-client.key
X509v3 Extended Key Usage: TLS Web Client Authentication
openssl x509 -noout -text -in certificate_client.pem
<PRE>
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
51:de:46:e0:72:1e:2b:28:30:3b:9e:94:f4:da:71:f8:19:5e:26:6d
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = Ukraine, L = Kharkov, street = Lui Pastera st. 322 app. 131, postalCode = 61172, O = K8s The Hardest Way Labs, OU = IT, CN = Intermediate CA for service ETCd
Validity
Not Before: Oct 8 16:53:43 2022 GMT
Not After : Oct 7 16:54:10 2027 GMT
Subject: C = Ukraine, L = Kharkov, street = Lui Pastera st. 322 app. 131, postalCode = 61172, O = Home Network, OU = IT, CN = vault.example.home
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:c3:21:f6:55:f9:f0:a7:19:52:b9:22:a6:9a:99:
...
05:e5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Subject Key Identifier:
C9:F1:9F:83:D7:0B:B8:F2:7E:BB:84:D1:FE:6F:7E:75:7B:40:F4:86
X509v3 Authority Key Identifier:
keyid:60:41:31:79:58:90:A9:63:62:C2:26:FD:8F:02:B6:07:1A:1D:5C:50
Authority Information Access:
CA Issuers - URI:http://vault.home:8200/v1/k8s_pki_intermediate_ca_for_service_etcd/ca
X509v3 Subject Alternative Name:
DNS:pki.example.home, DNS:vault.example.home
X509v3 CRL Distribution Points:
Full Name:
URI:http://vault.home:8200/v1/k8s_pki_intermediate_ca_for_service_etcd/crl
Signature Algorithm: sha256WithRSAEncryption
94:bb:a8:54:41:86:16:75:06:e7:fb:5a:5f:e0:56:61:5d:ff:
...
3e:56:1a:6f
Проверка полученного результата
Расширенная проверка - проверить что сертификат нельзя использовать в качестве серверного Конфиг nginx не отличается ничем кроме собственно содержимого сертификата
- Ответ собственно и говорит об этом - unsupported certificate purpose, клиентский сертификат не оч
curl: (60) SSL certificate problem: unsupported certificate purpose More details here: https://curl.haxx.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.
Проверка прав для пользователя any
- работает каки ожидалось - можно получить сертификаты как для сервера так и для клиента
#!/bin/bash
source ./00_env
unset VAULT_TOKEN
vault \
login \
-method=userpass \
username=example-dot-home-any-crt-user \
password=any
vault \
write \
-format=json \
${PKI_NAME}/issue/example-dot-home-client-crt \
common_name="vault.example.home" \
alt_names="pki.example.home" \
ttl="43800h" > vault.example.home.CLIENT_by_any_user.json
vault \
write \
-format=json \
${PKI_NAME}/issue/example-dot-home-server-crt \
common_name="vault.example.home" \
alt_names="pki.example.home" \
ttl="43800h" > vault.example.home.SERVER_by_any_user.json
