mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-29 22:46:12 +00:00
Merge pull request #59966 from liggitt/self-signed-ca
Automatic merge from submit-queue (batch tested with PRs 59463, 59719, 60181, 58283, 59966). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Split self-signed cert and CA The key usage limitation of TLS Server Auth makes the cert invalid as a CA. This switches to generate a single-use CA, uses it to sign the serving cert, then appends the CA to the cert bytes. * allows a client to continue to reference the cert file as a trust bundle, which now contains a valid CA cert * continues to keep the generated certificate valid only for serving purposes Fixes https://github.com/kubernetes/client-go/issues/311 ```release-note NONE ```
This commit is contained in:
commit
5d144152e4
@ -138,23 +138,50 @@ func MakeEllipticPrivateKeyPEM() ([]byte, error) {
|
|||||||
// Host may be an IP or a DNS name
|
// Host may be an IP or a DNS name
|
||||||
// You may also specify additional subject alt names (either ip or dns names) for the certificate
|
// You may also specify additional subject alt names (either ip or dns names) for the certificate
|
||||||
func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS []string) ([]byte, []byte, error) {
|
func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS []string) ([]byte, []byte, error) {
|
||||||
|
caKey, err := rsa.GenerateKey(cryptorand.Reader, 2048)
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
caTemplate := x509.Certificate{
|
||||||
|
SerialNumber: big.NewInt(1),
|
||||||
|
Subject: pkix.Name{
|
||||||
|
CommonName: fmt.Sprintf("%s-ca@%d", host, time.Now().Unix()),
|
||||||
|
},
|
||||||
|
NotBefore: time.Now(),
|
||||||
|
NotAfter: time.Now().Add(time.Hour * 24 * 365),
|
||||||
|
|
||||||
|
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
|
||||||
|
BasicConstraintsValid: true,
|
||||||
|
IsCA: true,
|
||||||
|
}
|
||||||
|
|
||||||
|
caDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &caTemplate, &caTemplate, &caKey.PublicKey, caKey)
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
caCertificate, err := x509.ParseCertificate(caDERBytes)
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
priv, err := rsa.GenerateKey(cryptorand.Reader, 2048)
|
priv, err := rsa.GenerateKey(cryptorand.Reader, 2048)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, err
|
return nil, nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
template := x509.Certificate{
|
template := x509.Certificate{
|
||||||
SerialNumber: big.NewInt(1),
|
SerialNumber: big.NewInt(2),
|
||||||
Subject: pkix.Name{
|
Subject: pkix.Name{
|
||||||
CommonName: fmt.Sprintf("%s@%d", host, time.Now().Unix()),
|
CommonName: fmt.Sprintf("%s@%d", host, time.Now().Unix()),
|
||||||
},
|
},
|
||||||
NotBefore: time.Now(),
|
NotBefore: time.Now(),
|
||||||
NotAfter: time.Now().Add(time.Hour * 24 * 365),
|
NotAfter: time.Now().Add(time.Hour * 24 * 365),
|
||||||
|
|
||||||
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
|
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
|
||||||
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
|
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
|
||||||
BasicConstraintsValid: true,
|
BasicConstraintsValid: true,
|
||||||
IsCA: true,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if ip := net.ParseIP(host); ip != nil {
|
if ip := net.ParseIP(host); ip != nil {
|
||||||
@ -166,16 +193,19 @@ func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS
|
|||||||
template.IPAddresses = append(template.IPAddresses, alternateIPs...)
|
template.IPAddresses = append(template.IPAddresses, alternateIPs...)
|
||||||
template.DNSNames = append(template.DNSNames, alternateDNS...)
|
template.DNSNames = append(template.DNSNames, alternateDNS...)
|
||||||
|
|
||||||
derBytes, err := x509.CreateCertificate(cryptorand.Reader, &template, &template, &priv.PublicKey, priv)
|
derBytes, err := x509.CreateCertificate(cryptorand.Reader, &template, caCertificate, &priv.PublicKey, caKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, err
|
return nil, nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Generate cert
|
// Generate cert, followed by ca
|
||||||
certBuffer := bytes.Buffer{}
|
certBuffer := bytes.Buffer{}
|
||||||
if err := pem.Encode(&certBuffer, &pem.Block{Type: CertificateBlockType, Bytes: derBytes}); err != nil {
|
if err := pem.Encode(&certBuffer, &pem.Block{Type: CertificateBlockType, Bytes: derBytes}); err != nil {
|
||||||
return nil, nil, err
|
return nil, nil, err
|
||||||
}
|
}
|
||||||
|
if err := pem.Encode(&certBuffer, &pem.Block{Type: CertificateBlockType, Bytes: caDERBytes}); err != nil {
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
|
||||||
// Generate key
|
// Generate key
|
||||||
keyBuffer := bytes.Buffer{}
|
keyBuffer := bytes.Buffer{}
|
||||||
|
Loading…
Reference in New Issue
Block a user