identical CN after rotation and root CA in tls.crt #188
Comments
|
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
openshift-ci
bot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle rotten |
openshift-ci
bot
added
lifecycle/rotten
|
Rotten issues close after 30d of inactivity. Reopen the issue by commenting /close |
|
@openshift-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
After experiencing a rotation of the service CA certificate in our OpenShift 4.8 cluster we had some issue with PKCS12 JAVA keystores and truststore. These issues are linked to multiple certificates using the same common name.
You could help avoid these issues with two changes to the operator:
Point 2 would help because, after rotation, a cross-signed root is added as an intermediate and this certificate also shares it's name with the new root certificate (as it should) but they both are included in the tls.crt secret. By removing the root and only including the intermediate (and leaf certificate) in tls.crt there would be no duplicate common names.
The text was updated successfully, but these errors were encountered: