I am trying to have a SAN certificates in Kubernetes using CSR. The steps I am following are listed below, but somehow, the resultant certificate is not having Subject Alternate name field in it. Can someone please point what is being done wrong here ?
// generate the key
openssl genrsa -out myuser.key 4096
// generate the CSR with subjectAltName
:
openssl req -newkey rsa:4096 -nodes -keyout myuser.key -subj "/C=CN/ST=GD/L=SZ/CN=myuser/subjectAltName=myuser.default.svc" -out myuser.csr
//create the CSR in kubernetes to get it signed by kubernetes cluster CA.
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: myuser
spec:
request: $(cat myuser.csr |base64 |tr -d '\n')
signerName: kubernetes.io/kube-apiserver-client
expirationSeconds: 86400 # one day
usages:
- client auth
EOF
// Approve the CSR
kubectl certificate approve myuser
// fetch the Kubernetes CA signed cert:
kubectl get csr myuser -o go-template='{{.status.certificate| base64decode}}' > myuser.crt
// the resultant cert is not having Subject Alt name field.
openssl x509 -in myuser.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d8:f3:86:63:3b:dc:ae:9a:de:9b:e4:02:89:c9:4f:27
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = kubernetes
Validity
Not Before: May 29 19:44:39 2022 GMT
Not After : May 30 19:44:39 2022 GMT
Subject: C = CN, ST = GD, L = SZ, CN = myuser
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:87:d0:0b:b0:64:dd:f9:93:22:96:91:b1:64:78:
ac:3b:02:9e:92:20:46:2e:3a:b7:7b:c5:e1:de:67:
d8:33:87:08:4b:02:b1:8a:2b:d0:b3:f1:d1:3d:17:
ec:ad:52:c9:d6:56:1d:35:ba:80:18:14:d5:59:f7:
9d:d2:fc:97:61:90:32:ca:ce:b3:d2:74:a7:73:32:
df:8e:ad:00:77:7d:ff:3f:27:96:0f:48:ee:06:29:
d2:06:ed:13:7c:89:14:12:e6:c3:50:c3:46:31:a3:
6b:36:8b:07:17:c0:69:20:04:ac:dc:0e:75:7b:5b:
d7:79:98:30:2e:14:9a:b4:57:09:ce:43:2c:ad:af:
4d:77:50:75:de:0e:41:93:a4:d3:24:78:b2:de:48:
0f:1d:9f:4c:57:7c:bc:87:09:73:44:8c:7f:ee:3a:
8c:33:03:29:18:6d:d1:d9:ec:ad:71:b8:cc:ce:47:
4d:0d:38:78:7e:e5:79:bf:7d:77:c7:4e:ac:75:f6:
0d:cf:f1:d6:73:c8:f6:bc:f1:65:7f:f5:7b:07:5d:
20:31:dd:dd:23:3c:9b:50:73:16:19:56:d0:a2:f5:
10:85:85:cb:36:b6:b8:d3:f9:91:15:b8:a0:ca:3a:
ef:92:31:32:f1:a1:3c:0c:b5:59:e7:a0:93:ed:fa:
6c:9e:be:7c:34:3b:8d:28:72:9c:8d:3a:19:e8:bf:
b4:44:b6:3b:31:9d:00:7d:7b:c1:6b:bb:60:9b:47:
e1:65:a2:80:c9:c1:b6:7e:28:40:4a:1c:f0:53:3a:
a4:fb:72:2b:8d:92:ad:1f:9d:a3:cc:65:45:ff:db:
0a:d1:85:6d:f4:b5:93:f7:5d:6d:d9:8f:90:81:2e:
55:0e:02:a9:17:7c:a6:31:76:76:6e:e9:18:7e:57:
2f:fb:f0:30:8b:11:bf:cd:f9:fe:32:c5:eb:45:fa:
bd:98:83:3a:4b:ca:13:9b:1c:13:14:16:81:fd:d0:
b4:05:05:32:76:19:d8:07:bc:bc:4a:f3:41:ff:bc:
73:38:2e:d3:20:7d:39:4e:3e:08:79:c0:af:a9:76:
9d:38:d0:a8:b1:af:9a:7f:b6:73:30:eb:dd:ed:2e:
00:4d:75:0b:8b:5e:eb:ea:4a:5e:37:e0:f2:8f:9c:
06:ea:da:63:65:9d:8c:6d:db:3e:1f:3d:d6:a1:d4:
f1:00:f4:1d:69:cf:f9:48:e0:3f:51:5b:17:61:2d:
0d:73:98:45:99:e8:7f:67:03:fd:22:1f:eb:61:de:
0e:2a:2d:9f:8d:cf:2f:e9:10:53:96:b3:5c:89:c7:
d4:a4:bb:00:18:1f:97:da:46:b0:a8:37:26:d0:ab:
b2:fb:f5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
53:24:BB:4F:1D:3E:3A:4B:83:EB:DC:89:92:44:40:78:78:32:3B:67
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
48:1f:40:80:0e:00:40:10:e1:1e:73:ca:5c:3b:ec:5a:d7:59:
69:40:ce:9f:10:d0:32:ee:85:9e:68:21:56:91:b9:e3:68:e0:
d9:94:a8:93:41:37:68:23:79:f4:94:79:50:d2:0f:e8:cc:81:
9e:3c:cf:1e:ee:92:4c:c5:fb:17:04:52:73:01:2e:2d:42:29:
ed:bf:35:f8:73:56:60:40:80:e2:f4:f1:ef:57:e1:6f:43:71:
d0:d2:b0:38:96:ee:af:9d:21:e7:84:da:af:87:2e:38:21:6e:
03:ae:d8:8c:d0:4b:2e:c2:a8:e5:7e:d8:0e:a7:e0:4b:37:5d:
e9:12:c4:ec:94:bc:23:4c:cc:59:72:60:c1:18:d0:ec:64:1c:
2e:e3:76:26:1a:60:1a:4d:92:83:c7:54:8f:4d:95:42:26:09:
be:6b:ec:e7:39:3b:3c:f2:cc:37:42:4d:71:6e:ca:9c:fa:dc:
f6:3e:00:84:be:68:b4:3a:f4:f9:91:5d:9b:a8:8b:66:e2:bc:
25:8b:38:5a:03:7d:97:80:7e:20:35:15:76:20:70:6f:54:66:
a2:02:36:91:84:e8:e7:10:8d:48:31:44:b4:c7:b7:3c:d0:be:
c1:61:d3:01:64:fa:1a:c0:74:2d:8c:c7:19:81:30:64:86:9e:
5e:ac:7e:16
CodePudding user response:
Try this:
$> cat <<EOF >openssl.cnf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = <country>
ST = <state>
L = <city>
O = <organization>
OU = <organization unit>
CN = <MASTER_IP>
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = myuser
DNS.2 = myuser.default.svc
DNS.3 = myuser.default.svc.cluster.local
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
EOF
$> openssl req -newkey rsa:4096 -nodes -keyout myuser.key -subj "/C=CN/ST=GD/L=SZ/CN=myuser" -out myuser.csr -config openssl.cnf
$> openssl req -text -noout -verify -in myuser.csr
....
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
DNS:myuser, ...
This should be enough for signed certificate to include those. While with the commands you showed us: this extension is missing from your CSR.
Side-note, instead of:
$(cat myuser.csr |base64 |tr -d '\n')
You could:
$(base64 -w0 myuser.csr)