Add ExtendedKeyUsages clientAuth

Question

Add ExtendedKeyUsages clientAuth

Closed this issue 4 years ago · 7 comments

Certificates generated using the service.beta.openshift.io/serving-cert-secret-name annotation receive only serverAuth for x509 v3 extension ExtendedKeyUsages:

#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

When trying to use the provided certificate for a client in mutual TLS, the server will not allow the certificate:

Caused by: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication

Is it possible to add clientAuth to the ExtendedKeyUsages via the cryptoextensions as mutual TLS may be a common usage scenario for certificates generated using the annotation?

Answer 1 · 2019-06-14T21:39:32.000Z

We would not want to just add client usages to the certs without being able to authorize that some client is allowed to have a client cert. I understand the desire for mTLS with serving certs, but the solution would be more involved than that. For now, a cluster admin can use the service-CA signing secret and issue a client cert with it using openssl.

Answer 2 · 2020-09-11T16:33:37.000Z

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

Answer 3 · 2020-10-11T18:24:28.000Z

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

Answer 4 · 2020-11-10T20:11:16.000Z

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Answer 5 · 2020-11-10T20:11:33.000Z

@openshift-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Answer 6 · 2021-07-09T15:17:30.000Z

/reopen

Would it be possible to add an annotation to opt in for additional ExtendedKeyUsages?

Answer 7 · 2021-07-09T15:17:38.000Z

@michaelgeorgeattard: You can't reopen an issue/PR unless you authored it or you are a collaborator.

In response to this:

/reopen

Would it be possible to add an annotation to opt in for additional ExtendedKeyUsages?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.