@rmlandvreugd
Last active February 24, 2020 12:13
OpenSSL custom k8s CA #SSL #CA

Prepare the directory structure and starting files

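# Create the on-disk layout for all four CAs and seed the files that
# `openssl ca` expects under db/ (certificate index, next serial, CRL number).
for ca in root-ca sub-ca signing-ca app-ca; do
    mkdir -p "$ca"/{certs,crl,csr,db,private}
    # Private keys are written here; keep the directory owner-only.
    chmod 700 "$ca/private"
    # Empty certificate index; `openssl ca` appends one line per issued cert
    # and the OCSP responder reads it via -index.
    touch "$ca/db/index"
    # A single `> {a,b,c,d}/db/serial` redirect expands to several words and is
    # rejected by bash as an "ambiguous redirect", so each CA gets its own
    # random starting serial inside the loop instead.
    openssl rand -hex 16 > "$ca/db/serial"
    echo 1000 > "$ca/db/crlnumber"
done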

Create the root CA CSR

# Root CA private key + CSR. root-ca.conf's [req] section prompts for the DN
# (prompt = yes) and for a passphrase on the new 4096-bit key (encrypt_key = yes).
openssl req -new -config root-ca.conf \
    -keyout root-ca/private/root-ca.key \
    -out root-ca/csr/root-ca.csr

Self-sign the root CSR

# Self-sign the root CSR. The v3_ca_ext profile from root-ca.conf (CA:true,
# keyCertSign, cRLSign) is applied explicitly; root-ca.conf sets
# copy_extensions = none, so nothing from the CSR itself is carried over.
# Lifetime comes from default_days in root-ca.conf.
openssl ca -selfsign -config root-ca.conf -extensions v3_ca_ext \
    -in root-ca/csr/root-ca.csr \
    -out root-ca/certs/root-ca.crt

Generate the root CA CRL

# Publish the root CA's (initially empty) CRL. Its validity period is
# default_crl_days in root-ca.conf; re-run this before it expires.
openssl ca -gencrl -config root-ca.conf -out root-ca/crl/root-ca.crl

Generate cert for root CA OCSP

# Key + CSR for the root CA's OCSP responder. No -config is given here, so the
# system openssl.cnf governs the [req] defaults (including key encryption);
# the DN is supplied non-interactively with -subj.
openssl req -new -newkey rsa:2048 \
    -keyout root-ca/private/root-ocsp.key \
    -out root-ca/csr/root-ocsp.csr \
    -subj "/C=NL/ST=Zuid-Holland/L=Rotterdam/O=Remalan.COM/OU=Security/CN=OCSP Root Responder/[email protected]"
# Issue the responder certificate with root-ca.conf's ocsp_ext (OCSPSigning,
# noCheck). Because noCheck tells clients not to check this certificate's own
# revocation status, its lifetime is capped at 30 days rather than default_days.
openssl ca -config root-ca.conf -extensions ocsp_ext -days 30 \
    -in root-ca/csr/root-ocsp.csr \
    -out root-ca/certs/root-ocsp.crt

Run the root CA OCSP

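# Start the root CA's OCSP responder on TCP 9080 (must match ocsp_url in
# root-ca.conf). It answers from the CA's index file, signs responses with the
# responder certificate issued above, and stays in the foreground; -text prints
# each request/response for inspection.
# The original had no line continuation after `-port 9080`, so the command
# ended there and the following option lines were parsed as separate commands.
openssl ocsp \
    -port 9080 \
    -index root-ca/db/index \
    -CA root-ca/certs/root-ca.crt \
    -rsigner root-ca/certs/root-ocsp.crt \
    -rkey root-ca/private/root-ocsp.key \
    -text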

Create the sub CA CSR

# Sub (intermediate) CA key + CSR, using sub-ca.conf's [req]: 2048-bit key,
# passphrase-protected (encrypt_key = yes), DN prompted from [ca_dn].
openssl req -new -config sub-ca.conf \
    -keyout sub-ca/private/sub-ca.key \
    -out sub-ca/csr/sub-ca.csr

Create the sub CA certificate

# The ROOT CA signs the sub CA CSR, so this runs with root-ca.conf.
# sub_ca_ext sets CA:true with pathlen:3, the AIA/CRL/OCSP URLs, and the
# name constraints (DNS under vagrant.local only, all IP addresses excluded)
# that every certificate below the sub CA inherits.
openssl ca -config root-ca.conf -extensions sub_ca_ext \
    -in sub-ca/csr/sub-ca.csr \
    -out sub-ca/certs/sub-ca.crt

Generate the sub CA CRL

# Publish the sub CA's CRL (validity: default_crl_days in sub-ca.conf).
openssl ca -gencrl -config sub-ca.conf -out sub-ca/crl/sub-ca.crl

Generate cert for sub CA OCSP

# Key + CSR for the sub CA's OCSP responder (no -config: system openssl.cnf
# [req] defaults apply; DN passed with -subj).
openssl req -new -newkey rsa:2048 \
    -keyout sub-ca/private/sub-ocsp.key \
    -out sub-ca/csr/sub-ocsp.csr \
    -subj "/C=NL/ST=Zuid-Holland/L=Rotterdam/O=Remalan.COM/OU=Security/CN=OCSP Sub Responder/[email protected]"
# The sub CA issues its own responder certificate with sub-ca.conf's ocsp_ext.
# Unlike root-ca.conf, that section does not set noCheck, so relying parties
# may still check this certificate's status; lifetime is capped at 15 days.
openssl ca -config sub-ca.conf -extensions ocsp_ext -days 15 \
    -in sub-ca/csr/sub-ocsp.csr \
    -out sub-ca/certs/sub-ocsp.crt

Create the signing CA CSR

# Signing CA key + CSR from signing-ca.conf's [req] (2048-bit, DN prompted).
# That section does not set encrypt_key; openssl req encrypts new keys by
# default, so a passphrase is still prompted for unless -nodes is added.
openssl req -new -config signing-ca.conf \
    -keyout signing-ca/private/signing-ca.key \
    -out signing-ca/csr/signing-ca.csr

Create signing CA

# The SUB CA signs the signing CA CSR, hence -config sub-ca.conf.
# sign_ca_ext (from sub-ca.conf) sets CA:true with pathlen:2 plus the
# AIA/CRL/OCSP pointers. sub-ca.conf has copy_extensions = copy, but the CSR
# produced above requested no extensions, so nothing extra is copied.
openssl ca -config sub-ca.conf -extensions sign_ca_ext \
    -in signing-ca/csr/signing-ca.csr \
    -out signing-ca/certs/signing-ca.crt

Generate the signing CA CRL

# Publish the signing CA's CRL (validity: default_crl_days in signing-ca.conf).
openssl ca -gencrl -config signing-ca.conf -out signing-ca/crl/signing-ca.crl

Generate cert for signing CA OCSP

# Key + CSR for the signing CA's OCSP responder (no -config: system
# openssl.cnf [req] defaults apply; DN passed with -subj).
openssl req -new -newkey rsa:2048 \
    -keyout signing-ca/private/signing-ocsp.key \
    -out signing-ca/csr/signing-ocsp.csr \
    -subj "/C=NL/ST=Zuid-Holland/L=Rotterdam/O=Remalan.COM/OU=Security/CN=OCSP Signing Responder/[email protected]"
# The signing CA issues its own responder certificate with signing-ca.conf's
# ocsp_ext (no noCheck there either); lifetime capped at 15 days.
openssl ca -config signing-ca.conf -extensions ocsp_ext -days 15 \
    -in signing-ca/csr/signing-ocsp.csr \
    -out signing-ca/certs/signing-ocsp.crt

Create the app CA CSR

# App CA key + CSR. -nodes writes app-ca.key WITHOUT a passphrase (the only
# CA key in this walkthrough stored in the clear), so the protection of that
# file rests entirely on filesystem permissions of app-ca/private.
# The DN prompts come from signing-ca.conf's [ca_dn]; adjust the CN when asked,
# as its default there is "Signing CA".
openssl req -new -nodes -config signing-ca.conf \
    -keyout app-ca/private/app-ca.key \
    -out app-ca/csr/app-ca.csr

Create app CA

# The SIGNING CA issues the app CA certificate (-config signing-ca.conf).
# app_ca_ext sets CA:true with pathlen:0, i.e. the app CA may issue end-entity
# certificates only. policy_loose applies, so only the CN is mandatory.
openssl ca -config signing-ca.conf -extensions app_ca_ext \
    -in app-ca/csr/app-ca.csr \
    -out app-ca/certs/app-ca.crt

Helm

Tiller key pair and certificate

# Tiller server credentials, issued directly by the signing CA.
# genrsa without a cipher option (e.g. -aes256) writes the key unencrypted.
openssl genrsa -out signing-ca/private/tiller.key 4096
# CSR for the existing key. signing-ca.conf's [req] requests no extensions, so
# the CSR carries no subjectAltName and the resulting certificate is CN-only;
# Go-based TLS clients (Go 1.15+) reject server certificates that have no SAN,
# so a SAN for Tiller's hostname would need to be added to the request.
openssl req -new -config signing-ca.conf \
    -key signing-ca/private/tiller.key \
    -out signing-ca/csr/tiller.csr
# server_ext: CA:false, digitalSignature + keyEncipherment, serverAuth + clientAuth.
openssl ca -config signing-ca.conf -extensions server_ext \
    -in signing-ca/csr/tiller.csr \
    -out signing-ca/certs/tiller.crt

Helm client key pair and certificate

# Helm client credentials, issued directly by the signing CA.
# As with Tiller, the key is written unencrypted (no cipher option to genrsa).
openssl genrsa -out signing-ca/private/helm.key 4096
# CSR for the existing key; DN prompted from signing-ca.conf's [ca_dn].
openssl req -new -config signing-ca.conf \
    -key signing-ca/private/helm.key \
    -out signing-ca/csr/helm.csr
# client_ext: CA:false, digitalSignature only, extendedKeyUsage = clientAuth.
openssl ca -config signing-ca.conf -extensions client_ext \
    -in signing-ca/csr/helm.csr \
    -out signing-ca/certs/helm.crt
# root-ca.conf — OpenSSL configuration for the root CA.
# Used by `openssl req` (root key/CSR), `openssl ca -selfsign` (root cert),
# `openssl ca -extensions sub_ca_ext` (sub CA cert) and `openssl ca -gencrl`.
# $var references are OpenSSL config-variable expansions; names not found in
# the current section fall back to [default].
[default]
name = root-ca
domain_suffix = vagrant.local
# URLs embedded in issued certificates (AIA, CRL distribution point, OCSP).
# Plain http is intentional: fetching them over https would require validating
# a certificate from the very PKI being checked.
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
# Must match the port the responder is started with (`openssl ocsp -port 9080`).
ocsp_url = http://ocsp.$name.$domain_suffix:9080
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align
[ca_dn]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
# Prompt labels shown by `openssl req` (prompt = yes), followed by the value
# pre-filled for each field. C and O must match the issuer under policy_c_o_match.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
countryName_default = "NL"
stateOrProvinceName_default = "Zuid-Holland"
localityName_default = "Rotterdam"
0.organizationName_default = "Remalan.COM"
organizationalUnitName_default = "Security"
commonName_default = "Root CA"
emailAddress_default = "[email protected]"
[ca_default]
# Paths are relative to the working directory the openssl commands run from.
home = ./root-ca
# One line per issued certificate; also what the OCSP responder serves (-index).
database = $home/db/index
serial = $home/db/serial
crlnumber = $home/db/crlnumber
certificate = $home/certs/$name.crt
private_key = $home/private/$name.key
RANDFILE = $home/private/random
new_certs_dir = $home/certs
# Allow re-issuing a certificate for a subject DN already in the database.
unique_subject = no
# Extensions in incoming CSRs are ignored; only the -extensions section is used.
copy_extensions = none
# Certificates issued by the root (i.e. the sub CA) are valid for 5 years;
# CRLs must be regenerated at least every 45 days.
default_days = 1825
default_crl_days = 45
default_md = sha256
policy = policy_c_o_match
[policy_c_o_match]
# Subject C and O must equal the root CA's own; CN is mandatory; the rest may be absent.
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
# Root key: 4096-bit RSA, passphrase-protected on disk (encrypt_key = yes).
default_bits = 4096
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = yes
distinguished_name = ca_dn
# Extensions placed in the root's own CSR. They are not applied at signing time
# (copy_extensions = none); v3_ca_ext is passed to `openssl ca` explicitly.
req_extensions = ca_ext
# Only consulted by `openssl req -x509`; the walkthrough self-signs via `openssl ca` instead.
x509_extensions = v3_ca_ext
[v3_ca_ext]
# Self-signed root profile. No pathlen, so chain depth is bounded only by the
# pathlen values on the CAs below it.
basicConstraints = critical,CA:true
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
nsComment = "OpenSSL Generated Root CA Certificate"
[ca_ext]
# CSR-side request extensions (see req_extensions above).
basicConstraints = critical,CA:true
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[sub_ca_ext]
# Profile for the sub CA certificate (`openssl ca -extensions sub_ca_ext`).
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
# pathlen:3 allows three more CA levels below the sub CA; this hierarchy uses
# two (signing CA, app CA). NOTE(review): pathlen:2 would be the tight bound.
basicConstraints = critical,CA:true,pathlen:3
crlDistributionPoints = @crl_info
# NOTE(review): EKU on a CA certificate is unusual; some verifiers treat it as
# limiting every EKU that may appear in the subtree.
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
# Applies to the whole subtree: signing CA, app CA and their end-entity certs.
nameConstraints = @name_constraints
subjectKeyIdentifier = hash
nsComment = "OpenSSL Generated Intermediate CA Certificate"
[crl_info]
URI.0 = $crl_url
[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url
[name_constraints]
# Only DNS names under vagrant.local are permitted below the sub CA; every
# IPv4 and IPv6 address is excluded (mask 0 matches all). Other name types
# (e.g. email) are unconstrained because no entry is listed for them.
permitted;DNS.0=vagrant.local
excluded;IP.0=0.0.0.0/0.0.0.0
excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
[ocsp_ext]
# OCSP responder certificate profile; the walkthrough issues it with -days 30.
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
# id-pkix-ocsp-nocheck: clients skip revocation checking of the responder
# certificate itself, which is why its lifetime is kept short.
noCheck = yes
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
# sub-ca.conf — OpenSSL configuration for the sub (intermediate) CA.
# Used by `openssl req` (sub CA key/CSR), `openssl ca -extensions sign_ca_ext`
# (signing CA cert), `openssl ca -extensions ocsp_ext` and `openssl ca -gencrl`.
[default]
name = sub-ca
domain_suffix = vagrant.local
# AIA / CRL DP / OCSP URLs embedded in certificates issued by the sub CA.
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
# NOTE(review): the walkthrough only starts the root responder (port 9080);
# a responder for this CA would have to listen on 9081 for this URL to resolve.
ocsp_url = http://ocsp.$name.$domain_suffix:9081
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align
[ca_dn]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
# Prompt labels for `openssl req` plus the pre-filled default for each field.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
countryName_default = "NL"
stateOrProvinceName_default = "Zuid-Holland"
localityName_default = "Rotterdam"
0.organizationName_default = "Remalan.COM"
organizationalUnitName_default = "Security"
commonName_default = "Intermediate CA"
emailAddress_default = "[email protected]"
[ca_default]
home = ./sub-ca
database = $home/db/index
serial = $home/db/serial
crlnumber = $home/db/crlnumber
certificate = $home/certs/$name.crt
private_key = $home/private/$name.key
RANDFILE = $home/private/random
new_certs_dir = $home/certs
unique_subject = no
# NOTE(review): every extension present in a CSR is copied into the certificate
# unless the -extensions section overrides it. Review CSRs before signing;
# otherwise a requester controls e.g. subjectAltName.
copy_extensions = copy
# Certificates issued by the sub CA (signing CA, OCSP responder) default to
# 1 year; CRLs must be regenerated at least every 30 days.
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_c_o_match
[policy_c_o_match]
# Subject C and O must equal the sub CA's own; CN is mandatory.
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
# Sub CA key: 2048-bit RSA (the root uses 4096), passphrase-protected.
default_bits = 2048
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = yes
distinguished_name = ca_dn
[sign_ca_ext]
# Profile for the signing CA certificate (`openssl ca -extensions sign_ca_ext`).
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
# pathlen:2 permits two further CA levels; only one (the app CA) is used.
basicConstraints = critical,CA:true,pathlen:2
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
subjectKeyIdentifier = hash
nsComment = "OpenSSL Generated Signing CA Certificate"
[server_ext]
# TLS server end-entity profile (not referenced by the walkthrough for this CA).
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier = hash
[client_ext]
# TLS client end-entity profile (not referenced by the walkthrough for this CA).
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
[crl_info]
URI.0 = $crl_url
[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url
[ocsp_ext]
# OCSP responder certificate profile; the walkthrough issues it with -days 15.
# NOTE(review): unlike root-ca.conf there is no `noCheck = yes` here, so
# relying parties may check the responder certificate's own status
# (presumably via this CA's CRL). Confirm which behaviour is intended.
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
# signing-ca.conf — OpenSSL configuration for the signing CA.
# Used by `openssl req` (signing CA, app CA, Tiller and Helm CSRs) and by
# `openssl ca` with -extensions app_ca_ext / server_ext / client_ext / ocsp_ext.
[default]
name = signing-ca
domain_suffix = vagrant.local
# AIA / CRL DP / OCSP URLs embedded in certificates issued by the signing CA.
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
# NOTE(review): no responder is started on 9082 in the walkthrough.
ocsp_url = http://ocsp.$name.$domain_suffix:9082
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align
[ca_dn]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
# Prompt labels for `openssl req` plus the pre-filled default for each field.
# These defaults are also offered when creating the app CA, Tiller and Helm
# CSRs with this file, so the CN must be overridden at the prompt.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
countryName_default = "NL"
stateOrProvinceName_default = "Zuid-Holland"
localityName_default = "Rotterdam"
0.organizationName_default = "Remalan.COM"
organizationalUnitName_default = "Security"
commonName_default = "Signing CA"
emailAddress_default = "[email protected]"
[ca_default]
home = ./signing-ca
database = $home/db/index
serial = $home/db/serial
crlnumber = $home/db/crlnumber
certificate = $home/certs/$name.crt
private_key = $home/private/$name.key
RANDFILE = $home/private/random
new_certs_dir = $home/certs
unique_subject = no
# NOTE(review): extensions in CSRs are copied into certificates unless the
# -extensions section overrides them. Combined with policy_loose below, the
# requester largely shapes the certificate; review CSRs before signing.
copy_extensions = copy
# Certificates issued here default to ~6 months; CRLs regenerated every 15 days.
default_days = 183
default_crl_days = 15
default_md = sha256
# policy_loose is the active policy; policy_c_o_match below is unused unless
# selected explicitly with `openssl ca -policy`.
policy = policy_loose
[policy_c_o_match]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[policy_loose]
# Allow the signing CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
# Only the CN is mandatory; no subject field has to match the issuer.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
# 2048-bit RSA. encrypt_key is not set here; `openssl req` encrypts new keys
# by default, so keys are still passphrase-protected unless -nodes is passed
# (as the app CA step does). No req_extensions, so CSRs built with this file
# carry no subjectAltName.
default_bits = 2048
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = yes
distinguished_name = ca_dn
[app_ca_ext]
# Profile for the app CA certificate. pathlen:0 means the app CA may issue
# end-entity certificates only.
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true,pathlen:0
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
subjectKeyIdentifier = hash
nsComment = "OpenSSL Generated Application CA Certificate"
[server_ext]
# TLS server profile (used for the Tiller certificate).
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier = hash
[client_ext]
# TLS client profile (used for the Helm certificate).
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
[crl_info]
URI.0 = $crl_url
[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url
[ocsp_ext]
# OCSP responder certificate profile; the walkthrough issues it with -days 15.
# NOTE(review): no `noCheck = yes` here, unlike root-ca.conf — confirm intent.
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash