pki-notes

Diagram from Wiki

Keywords

  • CA = Certificate Authority

  • VA = Validation Authority

  • RA = Registration Authority

  • Private Key

  • Public Certificate

  • Certificate signing request (CSR)

  • Certificate revocation list (CRL)

Certificate types

  • Domain Validation (DV) is the lowest level of validation, and verifies that whoever requests the certificate controls the domain that it protects.
  • Organization Validation (OV) verifies the identity of the organization (e.g. a business, nonprofit, or government organization) of the certificate applicant.
  • Individual Validation (IV) verifies the identity of the individual person requesting the certificate.
  • Extended Validation (EV), like OV, verifies the identity of an organization. However, EV represents a higher standard of trust than OV and requires more rigorous validation checks to meet the standard of the CA/Browser Forum's Extended Validation guidelines.

Create a self-signed certificate

# One-step self-signed certificate plus key, no CA involved.
# -x509  : emit a certificate directly instead of a CSR.
# -nodes : the private key is written unencrypted, so the permissions of
#          /etc/ssl/private are the only thing protecting it.
openssl req -x509 -nodes \
  -newkey rsa:2048 -keyout /etc/ssl/private/selfsigned.key \
  -days 365 \
  -out /etc/ssl/certs/selfsigned.crt

Instructions for a self-signed CA

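# Root CA working directory and the files OpenSSL's "ca" command expects.
mkdir /root/ca
cd /root/ca || exit 1           # stop rather than build the CA tree in the wrong cwd
mkdir certs crl newcerts private
chmod 700 private               # private keys live here: owner-only access
touch index.txt                 # certificate database, empty to start
echo 1000 > serial              # next serial number (OpenSSL reads it as hex)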

Update openssl.cnf for the new directories and extensions

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 — this CA may issue end-entity certificates only; it cannot
# sign a further subordinate CA. critical — a verifier that cannot process
# this extension must reject the certificate rather than ignore it.
basicConstraints = critical, CA:true, pathlen:0
# keyCertSign and cRLSign authorise signing certificates and CRLs respectively.
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
# End-entity certificate: never usable to sign other certificates.
basicConstraints = CA:FALSE
# nsCertType / nsComment are legacy Netscape extensions; modern clients ignore them.
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
# serverAuth only: a certificate issued with this section is not valid for
# TLS client authentication (that would need clientAuth).
extendedKeyUsage = serverAuth

Create root CA private key

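cd /root/ca || exit 1
# Root CA key: 4096-bit RSA, stored encrypted (AES-256) under a pass phrase
# that openssl prompts for. Keep the pass phrase off the command line and
# out of shell history; "secretpassword" below is only the tutorial placeholder.
openssl genrsa -aes256 -out private/ca.key.pem 4096

# Enter pass phrase for ca.key.pem: secretpassword
# Verifying - Enter pass phrase for ca.key.pem: secretpassword

chmod 400 private/ca.key.pem    # owner read-only; no write, no group/other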

Create root CA certificate

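cd /root/ca || exit 1
# Self-sign the root certificate with the key created above (20-year lifetime).
# -extensions v3_ca refers to a section of openssl.cnf that is not shown on
# this page; it must be defined there or the command fails.
openssl req -config openssl.cnf \
  -key private/ca.key.pem \
  -new -x509 -days 7300 -sha256 -extensions v3_ca \
  -out certs/ca.cert.pem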
      

Prepare for intermediate CA

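# Intermediate CA directory layout: same as the root's, plus csr/ and a CRL counter.
mkdir /root/ca/intermediate
cd /root/ca/intermediate || exit 1
mkdir certs crl csr newcerts private
chmod 700 private               # private keys: owner-only access
touch index.txt                 # certificate database, empty to start
echo 1000 > serial              # next serial number (OpenSSL reads it as hex)
# CRL number; OpenSSL increments it each time this CA issues a CRL.
echo 1000 > crlnumber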

Create and update the intermediate CA's openssl.cnf with the directories above

[ CA_default ]
# Intermediate CA database: every path below resolves relative to $dir.
dir             = /root/ca/intermediate
private_key     = $dir/private/intermediate.key.pem
certificate     = $dir/certs/intermediate.cert.pem
crl             = $dir/crl/intermediate.crl.pem
# policy_loose must be defined elsewhere in this config (not shown here);
# a policy section says which subject DN fields must match the CA's, be
# supplied, or are optional when signing a CSR.
policy          = policy_loose

Create intermediate CA private key

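cd /root/ca || exit 1
# Intermediate CA key: 4096-bit RSA, AES-256 encrypted under a pass phrase
# that openssl prompts for. "secretpassword" below is only the tutorial
# placeholder — never type a real pass phrase on the command line.
openssl genrsa -aes256 \
  -out intermediate/private/intermediate.key.pem 4096

# Enter pass phrase for intermediate.key.pem: secretpassword
# Verifying - Enter pass phrase for intermediate.key.pem: secretpassword

chmod 400 intermediate/private/intermediate.key.pem   # owner read-only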

Create CSR for intermediate

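# Both lines were commented out, which left the two continuation lines
# below as a dangling "-key ..." command; they are live commands.
cd /root/ca || exit 1
# CSR for the intermediate, generated with the intermediate's own config;
# the root CA signs it in the next step.
openssl req -config intermediate/openssl.cnf -new -sha256 \
  -key intermediate/private/intermediate.key.pem \
  -out intermediate/csr/intermediate.csr.pem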

Create intermediate CA certificate and sign with root CA

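cd /root/ca || exit 1
# Sign the intermediate CSR with the ROOT config (root key and database)
# using the v3_intermediate_ca extensions (CA:true, pathlen:0). The
# command prompts before signing and before committing to the database.
openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
  -days 3650 -notext -md sha256 \
  -in intermediate/csr/intermediate.csr.pem \
  -out intermediate/certs/intermediate.cert.pem

chmod 444 intermediate/certs/intermediate.cert.pem   # public material, read-only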

Verify intermediate CA cert with root CA

# Confirm the intermediate chains to the root before signing anything with it.
openssl verify -CAfile certs/ca.cert.pem intermediate/certs/intermediate.cert.pem

Create CA cert chain

# Chain file ordered from the intermediate up to the root, as a server
# presents it alongside its leaf certificate.
cat -- intermediate/certs/intermediate.cert.pem certs/ca.cert.pem \
  > intermediate/certs/ca-chain.cert.pem
chmod 0444 intermediate/certs/ca-chain.cert.pem   # public material, read-only

Create a client private key and CSR, then issue the certificate signed by the CA

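# Per-certificate steps: repeat for each domain / set of requirements.

# Leaf private key (2048-bit RSA). Encrypted with AES-256 like the CA keys
# above; the original used -des3, a legacy cipher, for the same purpose.
openssl genrsa -aes256 -out example.key 2048

# Unencrypted copy of the key, for services that cannot prompt for a pass
# phrase. It is plaintext: lock it down like the CA keys above.
openssl rsa -in example.key -out example.key.insecure
chmod 400 example.key.insecure

# CSR, signed with the (encrypted) key; openssl prompts for its pass phrase.
# old form: openssl req -new -key example.key.insecure -out example.csr -config openssl.cnf
openssl req -config intermediate/openssl.cnf \
  -key example.key \
  -new -sha256 -out example.csr

# Issue the certificate from the intermediate CA with the server_cert
# extensions (CA:FALSE, serverAuth), valid ~1 year.
# old form: openssl ca -in example.csr -config openssl.cnf
openssl ca -config intermediate/openssl.cnf \
  -extensions server_cert -days 375 -notext -md sha256 \
  -in example.csr \
  -out example.cert

# Bundle key + certificate as PKCS#12 (prompts for an export password).
# Uses the two files produced above instead of a combined cert_key_pem.txt
# that nothing on this page creates.
openssl pkcs12 -export -inkey example.key -in example.cert -out cert_key.p12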

Create a TLS Secret for Kubernetes (k8s)

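# Single-line base64 (GNU base64 -w 0) of the leaf cert and key, ready for
# the data: fields of a Secret. Redirection instead of `cat |` (no extra process).
# NOTE(review): the steps above produce example.cert, not example.pem —
# confirm which file is meant. example.key is pass-phrase protected; a
# consumer that cannot prompt (e.g. an ingress controller) needs the
# unencrypted example.key.insecure instead.
base64 -w 0 < example.pem > tls.crt
base64 -w 0 < example.key > tls.key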

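# Upload the registry's TLS cert/key as a Secret, replacing the existing one.
# Requires REGISTRY_INGRESS_HOSTNAME; fail early if it is unset.
: "${REGISTRY_INGRESS_HOSTNAME:?must be set}"

# Single-line base64 (GNU base64 -w 0) of the cert and key; abort if unreadable.
TLSCERT=$(base64 -w 0 < "$REGISTRY_INGRESS_HOSTNAME.crt") || exit 1
TLSKEY=$(base64 -w 0 < "$REGISTRY_INGRESS_HOSTNAME.key") || exit 1

# The unquoted here-doc expands $TLSCERT/$TLSKEY itself, so no sed pass is
# needed. Piping the base64 text through `sed s/{{tlscert}}/$TLSCERT/g`
# breaks as soon as the value contains '/', which the base64 alphabet
# includes (and the array was expanded unquoted via ${SEDEXPRS[*]}).
# NOTE(review): type stays Opaque as before; a Secret used by an Ingress as
# its TLS secret is normally type kubernetes.io/tls — confirm what the
# consumer of registry-tls-data expects.
kubectl replace -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: registry-tls-data
type: Opaque
data:
  tls.crt: $TLSCERT
  tls.key: $TLSKEY
EOF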