Home > Blockchain >  SAN Certificates using Kubernetes CSR
SAN Certificates using Kubernetes CSR

Time:06-02

I am trying to have a SAN certificates in Kubernetes using CSR. The steps I am following are listed below, but somehow, the resultant certificate is not having Subject Alternate name field in it. Can someone please point what is being done wrong here ?

// generate the key

openssl genrsa -out myuser.key 4096

// generate the CSR with subjectAltName:

openssl req -newkey rsa:4096 -nodes -keyout myuser.key -subj "/C=CN/ST=GD/L=SZ/CN=myuser/subjectAltName=myuser.default.svc" -out myuser.csr

//create the CSR in kubernetes to get it signed by kubernetes cluster CA.

cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: myuser
spec:
  request: $(cat myuser.csr |base64 |tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400  # one day
  usages:
  - client auth
EOF

// Approve the CSR

kubectl certificate approve  myuser

// fetch the Kubernetes CA signed cert:

kubectl get csr myuser   -o go-template='{{.status.certificate| base64decode}}' > myuser.crt

// the resultant cert is not having Subject Alt name field.

openssl x509 -in myuser.crt  -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d8:f3:86:63:3b:dc:ae:9a:de:9b:e4:02:89:c9:4f:27
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = kubernetes
        Validity
            Not Before: May 29 19:44:39 2022 GMT
            Not After : May 30 19:44:39 2022 GMT
        Subject: C = CN, ST = GD, L = SZ, CN = myuser
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:87:d0:0b:b0:64:dd:f9:93:22:96:91:b1:64:78:
                    ac:3b:02:9e:92:20:46:2e:3a:b7:7b:c5:e1:de:67:
                    d8:33:87:08:4b:02:b1:8a:2b:d0:b3:f1:d1:3d:17:
                    ec:ad:52:c9:d6:56:1d:35:ba:80:18:14:d5:59:f7:
                    9d:d2:fc:97:61:90:32:ca:ce:b3:d2:74:a7:73:32:
                    df:8e:ad:00:77:7d:ff:3f:27:96:0f:48:ee:06:29:
                    d2:06:ed:13:7c:89:14:12:e6:c3:50:c3:46:31:a3:
                    6b:36:8b:07:17:c0:69:20:04:ac:dc:0e:75:7b:5b:
                    d7:79:98:30:2e:14:9a:b4:57:09:ce:43:2c:ad:af:
                    4d:77:50:75:de:0e:41:93:a4:d3:24:78:b2:de:48:
                    0f:1d:9f:4c:57:7c:bc:87:09:73:44:8c:7f:ee:3a:
                    8c:33:03:29:18:6d:d1:d9:ec:ad:71:b8:cc:ce:47:
                    4d:0d:38:78:7e:e5:79:bf:7d:77:c7:4e:ac:75:f6:
                    0d:cf:f1:d6:73:c8:f6:bc:f1:65:7f:f5:7b:07:5d:
                    20:31:dd:dd:23:3c:9b:50:73:16:19:56:d0:a2:f5:
                    10:85:85:cb:36:b6:b8:d3:f9:91:15:b8:a0:ca:3a:
                    ef:92:31:32:f1:a1:3c:0c:b5:59:e7:a0:93:ed:fa:
                    6c:9e:be:7c:34:3b:8d:28:72:9c:8d:3a:19:e8:bf:
                    b4:44:b6:3b:31:9d:00:7d:7b:c1:6b:bb:60:9b:47:
                    e1:65:a2:80:c9:c1:b6:7e:28:40:4a:1c:f0:53:3a:
                    a4:fb:72:2b:8d:92:ad:1f:9d:a3:cc:65:45:ff:db:
                    0a:d1:85:6d:f4:b5:93:f7:5d:6d:d9:8f:90:81:2e:
                    55:0e:02:a9:17:7c:a6:31:76:76:6e:e9:18:7e:57:
                    2f:fb:f0:30:8b:11:bf:cd:f9:fe:32:c5:eb:45:fa:
                    bd:98:83:3a:4b:ca:13:9b:1c:13:14:16:81:fd:d0:
                    b4:05:05:32:76:19:d8:07:bc:bc:4a:f3:41:ff:bc:
                    73:38:2e:d3:20:7d:39:4e:3e:08:79:c0:af:a9:76:
                    9d:38:d0:a8:b1:af:9a:7f:b6:73:30:eb:dd:ed:2e:
                    00:4d:75:0b:8b:5e:eb:ea:4a:5e:37:e0:f2:8f:9c:
                    06:ea:da:63:65:9d:8c:6d:db:3e:1f:3d:d6:a1:d4:
                    f1:00:f4:1d:69:cf:f9:48:e0:3f:51:5b:17:61:2d:
                    0d:73:98:45:99:e8:7f:67:03:fd:22:1f:eb:61:de:
                    0e:2a:2d:9f:8d:cf:2f:e9:10:53:96:b3:5c:89:c7:
                    d4:a4:bb:00:18:1f:97:da:46:b0:a8:37:26:d0:ab:
                    b2:fb:f5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                53:24:BB:4F:1D:3E:3A:4B:83:EB:DC:89:92:44:40:78:78:32:3B:67
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        48:1f:40:80:0e:00:40:10:e1:1e:73:ca:5c:3b:ec:5a:d7:59:
        69:40:ce:9f:10:d0:32:ee:85:9e:68:21:56:91:b9:e3:68:e0:
        d9:94:a8:93:41:37:68:23:79:f4:94:79:50:d2:0f:e8:cc:81:
        9e:3c:cf:1e:ee:92:4c:c5:fb:17:04:52:73:01:2e:2d:42:29:
        ed:bf:35:f8:73:56:60:40:80:e2:f4:f1:ef:57:e1:6f:43:71:
        d0:d2:b0:38:96:ee:af:9d:21:e7:84:da:af:87:2e:38:21:6e:
        03:ae:d8:8c:d0:4b:2e:c2:a8:e5:7e:d8:0e:a7:e0:4b:37:5d:
        e9:12:c4:ec:94:bc:23:4c:cc:59:72:60:c1:18:d0:ec:64:1c:
        2e:e3:76:26:1a:60:1a:4d:92:83:c7:54:8f:4d:95:42:26:09:
        be:6b:ec:e7:39:3b:3c:f2:cc:37:42:4d:71:6e:ca:9c:fa:dc:
        f6:3e:00:84:be:68:b4:3a:f4:f9:91:5d:9b:a8:8b:66:e2:bc:
        25:8b:38:5a:03:7d:97:80:7e:20:35:15:76:20:70:6f:54:66:
        a2:02:36:91:84:e8:e7:10:8d:48:31:44:b4:c7:b7:3c:d0:be:
        c1:61:d3:01:64:fa:1a:c0:74:2d:8c:c7:19:81:30:64:86:9e:
        5e:ac:7e:16

CodePudding user response:

Try this:

$> cat <<EOF >openssl.cnf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = <country>
ST = <state>
L = <city>
O = <organization>
OU = <organization unit>
CN = <MASTER_IP>

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = myuser
DNS.2 = myuser.default.svc
DNS.3 = myuser.default.svc.cluster.local

[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
EOF

$> openssl req -newkey rsa:4096 -nodes -keyout myuser.key -subj "/C=CN/ST=GD/L=SZ/CN=myuser" -out myuser.csr -config openssl.cnf

$> openssl req -text -noout -verify -in myuser.csr 
....
    Attributes:
    Requested Extensions:
        X509v3 Subject Alternative Name: 
            DNS:myuser,  ...

This should be enough for signed certificate to include those. While with the commands you showed us: this extension is missing from your CSR.


Side-note, instead of:

$(cat myuser.csr |base64 |tr -d '\n')

You could:

$(base64 -w0 myuser.csr)
  • Related