identical CN after rotation and root CA in tls.crt #188
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale
Stale issues rot after 30d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle rotten
Rotten issues close after 30d of inactivity. Reopen the issue by commenting /close
@openshift-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
After experiencing a rotation of the service CA certificate in our OpenShift 4.8 cluster, we had some issues with PKCS12 Java keystores and truststore. These issues are linked to multiple certificates using the same common name.
You could help avoid these issues with two changes to the operator:
Point 2 would help because, after rotation, a cross-signed root is added as an intermediate, and this certificate also shares its name with the new root certificate (as it should), but they both are included in the tls.crt secret. By removing the root and only including the intermediate (and leaf certificate) in tls.crt there would be no duplicate common names.
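
The condition described in point 2 can be checked in any `tls.crt` bundle. The Go sketch below is an added example, not code from the operator or from the issue author: it reports subject CNs that occur more than once and any self-signed root in the bundle. The CNs `new-ca`, `old-ca` and `svc.ns.svc`, the function names and the in-memory test certificates are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// auditBundle returns CNs that repeat in a PEM bundle and CNs of self-signed roots in it.
func auditBundle(bundle []byte) (dups, roots []string) {
	seen := map[string]int{}
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		if c, err := x509.ParseCertificate(blk.Bytes); err == nil { // non-certificate blocks are skipped
			cn := c.Subject.CommonName
			if seen[cn]++; seen[cn] == 2 {
				dups = append(dups, cn)
			}
			if c.Subject.String() == c.Issuer.String() && c.CheckSignatureFrom(c) == nil {
				roots = append(roots, cn) // self-signed: a trust anchor, not a chain element
			}
		}
	}
	return dups, roots
}

// sample builds a constructed post-rotation chain (leaf, cross-signed intermediate) and the new root.
func sample() (chain, root []byte) {
	key := func() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
	mint := func(cn, issuerCN string, ca bool, k, signer ed25519.PrivateKey) []byte {
		tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
			NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true}
		issuer := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}}
		der, _ := x509.CreateCertificate(rand.Reader, tpl, issuer, k.Public(), signer)
		return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	}
	oldK, newK := key(), key() // old and new CA keys; the cross-signed cert reuses newK
	chain = append(mint("svc.ns.svc", "new-ca", false, key(), newK), mint("new-ca", "old-ca", true, newK, oldK)...)
	return chain, mint("new-ca", "new-ca", true, newK, newK)
}

func main() {
	chain, root := sample()
	fmt.Println(auditBundle(append(chain, root...))) // root in tls.crt: [new-ca] [new-ca]
	fmt.Println(auditBundle(chain))                  // root left out: [] []
}
```

The cross-signed intermediate is not reported as a root because its issuer is the old CA; only the bundle that also carries the self-signed certificate produces a duplicate CN.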