diff --git a/cmd/kubeadm/app/phases/certs/pki_helpers.go b/cmd/kubeadm/app/phases/certs/pki_helpers.go
index d97b427fd8d..dac7379b4b3 100644
--- a/cmd/kubeadm/app/phases/certs/pki_helpers.go
+++ b/cmd/kubeadm/app/phases/certs/pki_helpers.go
@@ -51,6 +51,7 @@ func newServerKeyAndCert(caCert *x509.Certificate, caKey *rsa.PrivateKey, altNam
 config := certutil.Config{
 CommonName: "kube-apiserver",
 AltNames: altNames,
+ Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 }
 cert, err := certutil.NewSignedCert(config, key, caCert, caKey)
 if err != nil {
@@ -65,8 +66,10 @@ func NewClientKeyAndCert(config *certutil.Config, caCert *x509.Certificate, caKe
 if err != nil {
 return nil, nil, fmt.Errorf("unable to create private key [%v]", err)
 }
-
- cert, err := certutil.NewSignedCert(*config, key, caCert, caKey)
+ // force usage to client usage
+ configCopy := *config
+ configCopy.Usages = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
+ cert, err := certutil.NewSignedCert(configCopy, key, caCert, caKey)
 if err != nil {
 return nil, nil, fmt.Errorf("unable to sign certificate [%v]", err)
 }
diff --git a/federation/pkg/kubefed/init/init.go b/federation/pkg/kubefed/init/init.go
index 3b3c23aee35..f658968af50 100644
--- a/federation/pkg/kubefed/init/init.go
+++ b/federation/pkg/kubefed/init/init.go
@@ -334,11 +334,11 @@ func genCerts(svcNamespace, name, svcName, localDNSZoneName string, ips, hostnam
 if err != nil {
 return nil, fmt.Errorf("failed to create federation API server key and certificate: %v", err)
 }
- cm, err := triple.NewClientKeyPair(ca, ControllerManagerCN)
+ cm, err := triple.NewClientKeyPair(ca, ControllerManagerCN, nil)
 if err != nil {
 return nil, fmt.Errorf("failed to create federation controller manager client key and certificate: %v", err)
 }
- admin, err := triple.NewClientKeyPair(ca, AdminCN)
+ admin, err := triple.NewClientKeyPair(ca, AdminCN, nil)
 if err != nil {
 return nil, fmt.Errorf("failed to create client key and certificate for an admin: %v", err)
 }
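Review bot: The override in NewClientKeyAndCert silently discards any Usages the caller has set on config, but nothing tells callers that, so a caller who asks for a server-capable certificate through this function gets a client-only one without any signal. The function's doc comment (its signature is outside the hunk) should state the contract, e.g. `// The Usages field of config is ignored: the certificate is always issued with ExtKeyUsageClientAuth only.` The inline comment `// force usage to client usage` would also be more useful if it said why a copy is taken: `// copy so the caller's config is not mutated`. The enclosing function begins and ends outside the hunk.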
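Review bot: Both NewClientKeyPair calls in genCerts now pass nil for the new organizations argument, so the controller-manager and admin client certificates are issued with an empty Organization subject field. If the federation API server derives group membership from Organization (as the Kubernetes x509 client-certificate authenticator does), these identities carry no groups and any group-based authorization rule will not match them, so access must be bound to the CommonName. If that is intended, a comment at the call sites would make it deliberate rather than incidental, e.g. `// no Organization: these identities are authorized by CN only`. genCerts starts and ends outside the hunk.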
diff --git a/staging/src/k8s.io/client-go/pkg/util/cert/cert.go b/staging/src/k8s.io/client-go/pkg/util/cert/cert.go
index 05664c927be..941d6db67c6 100644
--- a/staging/src/k8s.io/client-go/pkg/util/cert/cert.go
+++ b/staging/src/k8s.io/client-go/pkg/util/cert/cert.go
@@ -25,6 +25,7 @@ import (
 "crypto/x509"
 "crypto/x509/pkix"
 "encoding/pem"
+ "errors"
 "fmt"
 "math"
 "math/big"
@@ -42,6 +43,7 @@ type Config struct {
 CommonName string
 Organization []string
 AltNames AltNames
+ Usages []x509.ExtKeyUsage
 }
 
 // AltNames contains the domain names and IP addresses that will be added
@@ -86,6 +88,12 @@ func NewSignedCert(cfg Config, key *rsa.PrivateKey, caCert *x509.Certificate, ca
 if err != nil {
 return nil, err
 }
+ if len(cfg.CommonName) == 0 {
+ return nil, errors.New("must specify a CommonName")
+ }
+ if len(cfg.Usages) == 0 {
+ return nil, errors.New("must specify at least one ExtKeyUsage")
+ }
 
 certTmpl := x509.Certificate{
 Subject: pkix.Name{
@@ -98,7 +106,7 @@ func NewSignedCert(cfg Config, key *rsa.PrivateKey, caCert *x509.Certificate, ca
 NotBefore: caCert.NotBefore,
 NotAfter: time.Now().Add(duration365d).UTC(),
 KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
- ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+ ExtKeyUsage: cfg.Usages,
 }
 certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
 if err != nil {
diff --git a/staging/src/k8s.io/client-go/pkg/util/cert/triple/triple.go b/staging/src/k8s.io/client-go/pkg/util/cert/triple/triple.go
index 98844aa01be..8719b82e312 100644
--- a/staging/src/k8s.io/client-go/pkg/util/cert/triple/triple.go
+++ b/staging/src/k8s.io/client-go/pkg/util/cert/triple/triple.go
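Review bot: The new Usages field on Config has no doc comment, and since NewSignedCert in a later hunk of this file rejects an empty slice, the requirement belongs on the field where callers will see it: `// Usages lists the extended key usages the certificate is issued with. NewSignedCert requires at least one.` The struct's own doc comment, if any, lies outside the hunk.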
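Review bot: The behaviour change for existing callers of NewSignedCert is not documented: before this commit every certificate was issued with both ExtKeyUsageServerAuth and ExtKeyUsageClientAuth (the removed line in the last hunk), and afterwards a caller that leaves cfg.Usages empty gets an error instead of a certificate, while one that sets it gets exactly those usages. The function's doc comment (its signature is outside the hunk) should state this, e.g. `// NewSignedCert returns an error if cfg.CommonName or cfg.Usages is empty; the issued certificate carries exactly the extended key usages listed in cfg.Usages.` As a point of style, the two validations run after the preceding `if err != nil` check rather than at the top of the function, so whatever that earlier step computed is wasted when cfg is invalid; placing them first reads as a precondition and costs nothing. Note also that the CommonName check accepts a value that is only whitespace, which may be fine but is worth stating if the intent is merely "non-empty".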
@@ -80,6 +80,7 @@ func NewServerKeyPair(ca *KeyPair, commonName, svcName, svcNamespace, dnsDomain
 config := certutil.Config{
 CommonName: commonName,
 AltNames: altNames,
+ Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 }
 cert, err := certutil.NewSignedCert(config, key, ca.Cert, ca.Key)
 if err != nil {
@@ -92,14 +93,16 @@ func NewServerKeyPair(ca *KeyPair, commonName, svcName, svcNamespace, dnsDomain
 }, nil
 }
 
-func NewClientKeyPair(ca *KeyPair, commonName string) (*KeyPair, error) {
+func NewClientKeyPair(ca *KeyPair, commonName string, organizations []string) (*KeyPair, error) {
 key, err := certutil.NewPrivateKey()
 if err != nil {
 return nil, fmt.Errorf("unable to create a client private key: %v", err)
 }
 
 config := certutil.Config{
- CommonName: commonName,
+ CommonName: commonName,
+ Organization: organizations,
+ Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 }
 cert, err := certutil.NewSignedCert(config, key, ca.Cert, ca.Key)
 if err != nil {
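Review bot: NewClientKeyPair is exported and gains a parameter in the second hunk, yet it still has no doc comment (the context line directly above `func` is the closing brace of NewServerKeyPair followed by a blank line), so the meaning of organizations, and the fact that nil is accepted, is left for callers to infer. Suggest `// NewClientKeyPair issues a client-authentication certificate for commonName, signed by ca. organizations is written to the certificate's Organization subject field; nil leaves it empty.` A matching doc comment on NewServerKeyPair, whose Usages assignment changes in the first hunk and whose body starts outside it, would keep the two entry points consistent.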