Add verify_subject_alt_name testing to integration tests #725
Changes from all commits: 87ae74c, 9057d67, c8c76c7, 895d925, d1e626f
@@ -0,0 +1,19 @@ | ||
# What are the identities, certificates and keys | ||
There are 5 identities: | ||
- **CA**: Certificate Authority for **Client** and **Server**. It has the | ||
self-signed certificate *cacert.pem*. *cakey.pem* is its private key. | ||
- **Client**: It has the certificate *clientcert.pem*, signed by the **CA**. | ||
*clientkey.pem* is its private key. | ||
- **Server**: It has the certificate *servercert.pem*, which is signed by the | ||
**CA** using the config *servercert.cfg*. *serverkey.pem* is its private key. | ||
- **Upsteam CA**: Certificate Authority for **Upstream**. It has the self-signed | ||
certificate *upstreamcacert.pem*. *upstreamcakey.pem* is its private key. | ||
- **Upstream**: It has the certificate *upstreamcert.pem*, which is signed by | ||
the **Upstream CA** using the config *upstreamcert.cfg*. *upstreamkey.pem* is | ||
its private key. | ||
|
||
# How to update certificates | ||
**certs.sh** has the commands to generate all files. Running certs.sh directly | ||
will cause all files to be regenerated. So if you want to regenerate a | ||
particular file, please copy the corresponding commands from certs.sh and | ||
execute them in command line. |
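Review bot: "Upsteam CA" in the identities list is a typo for "Upstream CA"; the same identity is spelled "Upstream CA" two entries later, so the README should be made consistent. The update section also does not say how long the generated certificates are valid; since an expired fixture breaks the integration tests, stating the validity period certs.sh uses (and that regenerating all files is the intended fix) would save the next person from having to read the script to find out.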
@@ -0,0 +1,23 @@ | ||
[req] | ||
distinguished_name = req_distinguished_name | ||
req_extensions = v3_req | ||
|
||
[req_distinguished_name] | ||
countryName = US | ||
countryName_default = US | ||
stateOrProvinceName = CA | ||
stateOrProvinceName_default = CA | ||
localityName = San Francisco | ||
localityName_default = San Francisco | ||
organizationalUnitName = Lyft | ||
organizationalUnitName_default = Lyft | ||
commonName = Test Server | ||
commonName_max = 64 | ||
|
||
[v3_req] | ||
basicConstraints = CA:FALSE | ||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment | ||
subjectAltName = @alt_names | ||
|
||
[alt_names] | ||
URI.1 = istio:account_a.namespace_foo.cluster.local |
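Review bot: the `[req_distinguished_name]` section is in OpenSSL prompt mode (no `prompt = no`), so `countryName = US` is the prompt label rather than the value and only the `_default` entries supply the DN; `commonName = Test Server` has no `commonName_default`, so the CN actually written depends entirely on how certs.sh drives the prompt. Adding `prompt = no` and dropping the `_default` lines makes the file unambiguous and usable non-interactively. Separately, `req_extensions = v3_req` only places the URI SAN in the CSR; when the CA signs with `openssl x509 -req`, the SAN reaches the certificate only if certs.sh passes `-extfile servercert.cfg -extensions v3_req`, which this diff does not show, so that is worth confirming in certs.sh.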
@@ -1,16 +1,16 @@ | ||
-----BEGIN CERTIFICATE----- | ||
MIICjTCCAfYCCQCGksmf8BshZDANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMC | ||
VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28x | ||
DTALBgNVBAoMBEx5ZnQxDTALBgNVBAsMBFRlc3QxEDAOBgNVBAMMB1Rlc3QgQ0Ex | ||
HDAaBgkqhkiG9w0BCQEWDXRlc3RAbHlmdC5jb20wHhcNMTYwMTA5MjAwNjA0WhcN | ||
MTgwMTA4MjAwNjA0WjCBjDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3Ju | ||
aWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxDTALBgNV | ||
BAsMBFRlc3QxFDASBgNVBAMMC1Rlc3QgU2VydmVyMRwwGgYJKoZIhvcNAQkBFg10 | ||
ZXN0QGx5ZnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqtS9bbVbo | ||
4ZpO1uSBCDortIibXKByL1fgl7s2uJc77+vzJnqC9uLFYygU1Z198X6jaAjc/vUk | ||
LFVXZhOU8607Zex8X+CdZBjQqsN90X2Ste1wqJ7G5SAGhptd/nOfb1IdGa6YtwPT | ||
lVitnMTfRgG4fh+3DA51UulCGTfJXCaC3wIDAQABMA0GCSqGSIb3DQEBCwUAA4GB | ||
AD/GeVdxA5uNOX1x8DSo1GrdhxEqDEWpmGms0jFoRStgO2PsWNhBoXo/3yPWmsam | ||
GovtzLF4WapdtSTdn7ku91rx0BplNGOs0uuipnEtRoC7Eo31xaay4LppWTwtVZBA | ||
LaRR1p0mlCtvqI9dz25Uhl1UlXdvq+lHLxkAFp49CLYf | ||
MIICmjCCAgOgAwIBAgIJALd7PpOmDaMoMA0GCSqGSIb3DQEBCwUAMIGIMQswCQYD | ||
Review comment: This is kind of embarrassing, but at this point I honestly have no clue what the process is for getting this file updated and checked in. Since you clearly know substantially more about TLS than I do, can you possibly add a small README.md to this directory explaining how all of this stuff gets generated and the process for updating.

Reply: Done. |
||
VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5j | ||
aXNjbzENMAsGA1UECgwETHlmdDENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHVGVz | ||
dCBDQTEcMBoGCSqGSIb3DQEJARYNdGVzdEBseWZ0LmNvbTAeFw0xNzA0MDgwNTQ3 | ||
MTBaFw0xOTA0MDgwNTQ3MTBaMEExCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEW | ||
MBQGA1UEBxMNU2FuIEZyYW5jaXNjbzENMAsGA1UECxMETHlmdDCBnzANBgkqhkiG | ||
9w0BAQEFAAOBjQAwgYkCgYEAqrUvW21W6OGaTtbkgQg6K7SIm1ygci9X4Je7NriX | ||
O+/r8yZ6gvbixWMoFNWdffF+o2gI3P71JCxVV2YTlPOtO2XsfF/gnWQY0KrDfdF9 | ||
krXtcKiexuUgBoabXf5zn29SHRmumLcD05VYrZzE30YBuH4ftwwOdVLpQhk3yVwm | ||
gt8CAwEAAaNSMFAwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwNgYDVR0RBC8wLYYr | ||
aXN0aW86YWNjb3VudF9hLm5hbWVzcGFjZV9mb28uY2x1c3Rlci5sb2NhbDANBgkq | ||
hkiG9w0BAQsFAAOBgQBGUZT++ypIOByf9jOYPmoegG1k+nybIdjSHlqWXdO+T5GZ | ||
Ew5qEfwDH9GTSyxtlFeU32PueJuSwg/7OduL7n78cqFTMS2gHkwAG6B+LQlDo2ou | ||
+qWZM3HvLTIdVF8/9ez0JpCsAYBWy5MUXy5E1wKBLTuPnhhLllepdrt+V+E2Tw== | ||
-----END CERTIFICATE----- |
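Review bot: the replaced PEM is opaque to reviewers, and nothing in this diff lets one confirm that the new certificate actually carries the URI SAN configured in servercert.cfg or what its validity window is. Please paste the decoded fields into the PR description, for example the output of `openssl x509 -in servercert.pem -noout -text` filtered for `Subject:`, `Not Before`/`Not After` and `Subject Alternative Name`, so the SAN and expiry can be checked without decoding the blob by hand.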
Review comment: nit: Can you put a newline between "related file" and the other headers. Same below.

Reply: Sure.