@IMOKURI
Last active July 10, 2024 05:12
tls certificates
# CA private key
openssl genrsa -out ca-key.pem 2048

# CA certificate signing request (CSR)
openssl req -new -key ca-key.pem \
  -subj "/C=JP/ST=Tokyo/O=HPE/CN=Sodor Root CA" \
  -out sodor-ca.csr

# CA certificate (self-signed)
openssl x509 -req -in sodor-ca.csr \
  -signkey ca-key.pem -out sodor-ca.crt -days 3650

# Server private key
openssl genrsa -out server-key.pem 2048

# Server certificate signing request (CSR)
openssl req -new -key server-key.pem \
  -subj "/C=JP/ST=Tokyo/O=HPE/CN=*.example.com" \
  -out server.csr

# Sign the server CSR with the CA
openssl x509 -req -days 3650 \
  -extfile <(printf "subjectAltName=DNS:example.com,DNS:www.example.com") \
  -in server.csr \
  -CA sodor-ca.crt -CAkey ca-key.pem -CAcreateserial \
  -out server.crt
IMOKURI commented May 13, 2022

Inspect the contents of the private key (it contains the two primes, among other values)

openssl rsa -text < ca-key.pem

Inspect the contents of the certificate

openssl x509 -in server.crt -text

Check the certificate's fingerprint

openssl x509 -sha1 -fingerprint -noout -in server.crt

IMOKURI commented Jun 27, 2022

Check whether the private key and the certificate belong together. If the same md5 is output for each, they match.

openssl rsa -modulus -noout -in ca-key.pem  | openssl md5
openssl req -modulus -noout -in sodor-ca.csr | openssl md5
openssl x509 -modulus -noout -in sodor-ca.crt | openssl md5
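Added example, not the gist author's code: it ties the issuance commands in the gist to the key/certificate pairing check in this comment by re-creating the same PKI in a scratch directory and then verifying key pairing, chain and host-name validity with the openssl CLI. It assumes openssl is on PATH and, unlike the gist, gives the sample CA an explicit basicConstraints=CA:TRUE extension.

```sh
#!/bin/sh
# Added example, not part of the gist: sanity checks for a key/CSR/certificate set issued the
# way the gist does it. Only the openssl CLI is needed; file names mirror the gist.
set -eu

# Re-create the gist's PKI in a scratch directory so the checks can run stand-alone
# (constructed test material). Unlike the gist, the CA gets an explicit basicConstraints
# extension so that openssl verify accepts it as a CA whichever OpenSSL version built it.
make_sample_pki() {  # dir
  openssl genrsa -out "$1/ca-key.pem" 2048 2>/dev/null
  openssl req -new -key "$1/ca-key.pem" -subj "/C=JP/ST=Tokyo/O=HPE/CN=Sodor Root CA" -out "$1/sodor-ca.csr"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
  openssl x509 -req -in "$1/sodor-ca.csr" -signkey "$1/ca-key.pem" -extfile "$1/ca.ext" \
    -out "$1/sodor-ca.crt" -days 3650 2>/dev/null
  openssl genrsa -out "$1/server-key.pem" 2048 2>/dev/null
  openssl req -new -key "$1/server-key.pem" -subj "/C=JP/ST=Tokyo/O=HPE/CN=*.example.com" -out "$1/server.csr"
  printf 'subjectAltName=DNS:example.com,DNS:www.example.com\n' > "$1/server.ext"
  openssl x509 -req -days 3650 -extfile "$1/server.ext" -in "$1/server.csr" \
    -CA "$1/sodor-ca.crt" -CAkey "$1/ca-key.pem" -CAcreateserial -out "$1/server.crt" 2>/dev/null
}

# Does the private key belong to the certificate? Comparing the whole public key is more
# general than the md5-of-modulus check above: it also works for EC keys, which have no modulus.
key_matches_cert() {  # key cert
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# Does the certificate chain to the CA, and is it valid for this host name? Once a dNSName SAN
# is present OpenSSL ignores the CN, so the wildcard CN in the gist does not cover extra hosts.
cert_valid_for_host() {  # ca cert host
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Print one line per check; "FAIL" for a host that is absent from the SAN is the expected result.
report() {  # label command args...
  label=$1; shift
  if "$@"; then echo "ok    $label"; else echo "FAIL  $label"; fi
}

main() {
  dir=$(mktemp -d)
  make_sample_pki "$dir"
  report "server-key.pem matches server.crt"                  key_matches_cert "$dir/server-key.pem" "$dir/server.crt"
  report "ca-key.pem matches server.crt (should fail)"        key_matches_cert "$dir/ca-key.pem" "$dir/server.crt"
  report "server.crt valid for www.example.com"               cert_valid_for_host "$dir/sodor-ca.crt" "$dir/server.crt" www.example.com
  report "server.crt valid for api.example.com (should fail)" cert_valid_for_host "$dir/sodor-ca.crt" "$dir/server.crt" api.example.com
  rm -rf "$dir"
}
main
```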

IMOKURI commented Jul 10, 2024

Creating a Kubernetes user

openssl genrsa -out user001.key 2048
openssl req -new -key user001.key -out user001.csr -subj "/CN=user001"
vi user001-csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: user001
spec:
  request: PLACEHOLDER  # base64-encoded CSR, filled in by the yq command below
  signerName: kubernetes.io/kube-apiserver-client
  usages:
    - client auth
request="$(cat user001.csr | base64 | tr -d "\n")" yq -i '.spec.request = strenv(request)' user001-csr.yaml
kubectl apply -f user001-csr.yaml
kubectl get csr
kubectl certificate approve user001
kubectl get csr

# k is presumably an alias for kubectl
k get csr user001 -o jsonpath='{ .status.certificate }' | base64 -d
k get csr user001 -o jsonpath='{ .status.certificate }' | base64 -d > user001.crt

k config set-credentials user001 --client-key=user001.key --client-certificate=user001.crt --embed-certs=true
k config set-context user001 --cluster=microk8s-cluster --namespace=user001 --user=user001
k config view

microk8s config > user001-config.yaml
vi user001-config.yaml
# keep only the entries that are needed

cp user001-config.yaml ~/.kube/config
sudo chown user001:user001 ~/.kube/config
sudo chmod 600 ~/.kube/config
