Merge pull request #59966 from liggitt/self-signed-ca

Automatic merge from submit-queue (batch tested with PRs 59463, 59719, 60181, 58283, 59966). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Split self-signed cert and CA The key usage limitation of TLS Server Auth makes the cert invalid as a CA. This switches to generate a single-use CA, uses it to sign the serving cert, then appends the CA to the cert bytes. * allows a client to continue to reference the cert file as a trust bundle, which now contains a valid CA cert * continues to keep the generated certificate valid only for serving purposes Fixes https://github.com/kubernetes/client-go/issues/311 ```release-note NONE ``` Kubernetes-commit: 5d144152e4d07f3752c05ec24e31d840adcd90a2
2025-08-08 02:44:20 +00:00 · 2018-02-23 00:34:34 -08:00 · 2018-02-23 00:34:34 -08:00 · 93d55aca08
commit 93d55aca08
parent 8b0c96689a dd61bd2530
2 changed files with 117 additions and 87 deletions
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@ -248,331 +248,331 @@
    },
    {
      "ImportPath": "k8s.io/api/admissionregistration/v1alpha1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/admissionregistration/v1beta1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/apps/v1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/apps/v1beta1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/apps/v1beta2",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/authentication/v1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/authentication/v1beta1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/authorization/v1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/authorization/v1beta1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/autoscaling/v1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/autoscaling/v2beta1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/batch/v1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/batch/v1beta1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/batch/v2alpha1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/certificates/v1beta1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/core/v1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/events/v1beta1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/extensions/v1beta1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/imagepolicy/v1alpha1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/networking/v1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/policy/v1beta1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/rbac/v1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/rbac/v1alpha1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/rbac/v1beta1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/scheduling/v1alpha1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/settings/v1alpha1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/storage/v1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/storage/v1alpha1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/api/storage/v1beta1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/api/equality",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/api/errors",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/api/meta",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/api/resource",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/api/testing",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/api/testing/fuzzer",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/api/testing/roundtrip",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/apimachinery",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/apimachinery/announced",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/apimachinery/registered",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/apis/meta/fuzzer",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/apis/meta/internalversion",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/apis/meta/v1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/apis/meta/v1beta1",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/conversion",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/conversion/queryparams",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/fields",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/labels",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/runtime",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/runtime/schema",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/json",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/protobuf",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/recognizer",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/streaming",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/versioning",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/selection",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/types",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/util/cache",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/util/clock",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/util/diff",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/util/errors",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/util/framer",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/util/httpstream",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/util/httpstream/spdy",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/util/intstr",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/util/json",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/util/mergepatch",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/util/net",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/util/remotecommand",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/util/runtime",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/util/sets",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/util/strategicpatch",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/util/validation",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/util/validation/field",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/util/wait",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/util/yaml",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/version",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/pkg/watch",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/third_party/forked/golang/json",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/third_party/forked/golang/netutil",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/apimachinery/third_party/forked/golang/reflect",
-      "Rev": "c4b8804aa02d17a4a0ef92e7cb86260a6ba58de7"
+      "Rev": "69f93cfab5c1d87f2cbd5e6631af8268b7f5542b"
    },
    {
      "ImportPath": "k8s.io/kube-openapi/pkg/util/proto",
--- a/util/cert/cert.go
+++ b/util/cert/cert.go
@ -138,23 +138,50 @@ func MakeEllipticPrivateKeyPEM() ([]byte, error) {
 // Host may be an IP or a DNS name
 // You may also specify additional subject alt names (either ip or dns names) for the certificate
 func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS []string) ([]byte, []byte, error) {
 	caKey, err := rsa.GenerateKey(cryptorand.Reader, 2048)
 	if err != nil {
 		return nil, nil, err
 	}
 	caTemplate := x509.Certificate{
 		SerialNumber: big.NewInt(1),
 		Subject: pkix.Name{
 			CommonName: fmt.Sprintf("%s-ca@%d", host, time.Now().Unix()),
 		},
 		NotBefore: time.Now(),
 		NotAfter:  time.Now().Add(time.Hour * 24 * 365),
 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 		BasicConstraintsValid: true,
 		IsCA: true,
 	}
 	caDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &caTemplate, &caTemplate, &caKey.PublicKey, caKey)
 	if err != nil {
 		return nil, nil, err
 	}
 	caCertificate, err := x509.ParseCertificate(caDERBytes)
 	if err != nil {
 		return nil, nil, err
 	}
 	priv, err := rsa.GenerateKey(cryptorand.Reader, 2048)
 	if err != nil {
 		return nil, nil, err
 	}
 	template := x509.Certificate{
-		SerialNumber: big.NewInt(1),
+		SerialNumber: big.NewInt(2),
 		Subject: pkix.Name{
 			CommonName: fmt.Sprintf("%s@%d", host, time.Now().Unix()),
 		},
 		NotBefore: time.Now(),
 		NotAfter:  time.Now().Add(time.Hour * 24 * 365),
-		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		BasicConstraintsValid: true,
 		IsCA: true,
 	}
 	if ip := net.ParseIP(host); ip != nil {
@ -166,16 +193,19 @@ func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS
 	template.IPAddresses = append(template.IPAddresses, alternateIPs...)
 	template.DNSNames = append(template.DNSNames, alternateDNS...)
-	derBytes, err := x509.CreateCertificate(cryptorand.Reader, &template, &template, &priv.PublicKey, priv)
+	derBytes, err := x509.CreateCertificate(cryptorand.Reader, &template, caCertificate, &priv.PublicKey, caKey)
 	if err != nil {
 		return nil, nil, err
 	}
-	// Generate cert
+	// Generate cert, followed by ca
 	certBuffer := bytes.Buffer{}
 	if err := pem.Encode(&certBuffer, &pem.Block{Type: CertificateBlockType, Bytes: derBytes}); err != nil {
 		return nil, nil, err
 	}
 	if err := pem.Encode(&certBuffer, &pem.Block{Type: CertificateBlockType, Bytes: caDERBytes}); err != nil {
 		return nil, nil, err
 	}
 	// Generate key
 	keyBuffer := bytes.Buffer{}