Need to create certificates signed by a generated CA #844

Closed
MikaelSmith opened this issue Jul 24, 2020 · 0 comments · Fixed by #845
Comments

@MikaelSmith (Contributor)

This is primarily a requirement to work around openssl/openssl#1418. All current OpenSSL releases won't verify certificates when provided a self-signed certificate. They will only accept a self-signed certificate if the verifying certificate includes the KeyCertSign bit in KeyUsage. The simplest way to work around this is to first generate a CA cert/key pair and then use that to generate a certificate. The application that needs to trust the generated certificate can verify against the generated CA certificate.

This can be approximately accomplished with

repl{{$ca := genCA "ca" 365}}
repl{{$cert := genSignedCert "host" nil nil 365 $ca}}
repl{{cat ($ca.Cert | b64enc) ($cert.Cert | b64enc) ($cert.Key | b64enc)}}

and then using split and indexing to access individual entries. However, using this in a Config reliably is again difficult because you either regenerate it every time the config is evaluated (producing a different certificate), or generate it once and never change it (so the certs can't depend on other config inputs).

I'd like to have an equivalent of TLSCert/TLSKey that caches the generated certs and can access them again by name. This provides sufficient longevity to make them useful as an easy onboard tool.

MikaelSmith added a commit to MikaelSmith/kots that referenced this issue Jul 24, 2020
Adds `TLSCACert`, `TLSCertFromCA`, and `TLSKeyFromCA` to generate a
named CA cert/key pair and access the cert, as well as generate cert/key
pairs from that CA as needed (based on the combination of CA name, cert
name, and common name).

Useful when you need a separate CA certificate, such as working around
openssl/openssl#1418.

Fixes replicatedhq#844.
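An added illustration, not code from this issue, the linked commit, or the KOTS repository, of the scheme the comment and the commit message above describe, written in Go against the standard library only: a store that mints a named CA with keyCertSign set, issues server certificates from it cached on the combination of CA name, cert name and common name, and verifies a leaf against the generated CA alone, as the consuming application would. The names CertStore, Issuer, mint, CA, CertFromCA and Verify, the P-256 keys, the "ca/" and "leaf/" cache-key prefixes and the one-minute NotBefore back-dating are choices made for this example, not anything the project specifies. One caveat: Go's own chain verifier ignores KeyUsage on the signing certificate, so it will not reproduce the OpenSSL rejection the issue describes; the example sets the bit explicitly and keeps the parsed certificate so a caller can check it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// Issuer is one generated pair: parsed so it can sign further certificates, PEM-encoded like template Cert/Key values.
type Issuer struct {
	Cert            *x509.Certificate
	Key             *ecdsa.PrivateKey
	CertPEM, KeyPEM string
}

// CertStore memoises generated material by name, so re-evaluating a config gets the same bytes back. Not goroutine-safe.
type CertStore struct{ byName map[string]*Issuer }

func NewCertStore() *CertStore { return &CertStore{byName: map[string]*Issuer{}} }

// mint returns the cached Issuer called name or generates it: a fresh P-256 key and a
// certificate from tmpl, valid for days, 128-bit random serial, signed by parent (self-signed when nil).
func (s *CertStore) mint(name string, tmpl *x509.Certificate, parent *Issuer, days int) (*Issuer, error) {
	if c, ok := s.byName[name]; ok {
		return c, nil
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return nil, err
	}
	tmpl.NotBefore = time.Now().Add(-time.Minute) // back-dated a little for clock skew (example choice)
	tmpl.NotAfter = time.Now().Add(time.Duration(days) * 24 * time.Hour)
	if parent == nil {
		parent = &Issuer{Cert: tmpl, Key: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Cert, &key.PublicKey, parent.Key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, err
	}
	c := &Issuer{Cert: cert, Key: key,
		CertPEM: string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})),
		KeyPEM:  string(pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}))}
	s.byName[name] = c
	return c, nil
}

// CA is the TLSCACert analogue: a self-signed CA created on first use with
// keyCertSign set, the KeyUsage bit the issue says OpenSSL requires on a signer.
func (s *CertStore) CA(name string, days int) (*Issuer, error) {
	return s.mint("ca/"+name, &x509.Certificate{
		Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, days)
}

// CertFromCA is the TLSCertFromCA/TLSKeyFromCA analogue: a server cert/key
// signed by the named CA, cached on CA name + cert name + common name.
func (s *CertStore) CertFromCA(caName, certName, cn string, days int) (*Issuer, error) {
	parent, err := s.CA(caName, days)
	if err != nil {
		return nil, err
	}
	return s.mint("leaf/"+caName+"/"+certName+"/"+cn, &x509.Certificate{
		Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, parent, days)
}

// Verify does what the consuming application would: trust only the generated
// CA certificate and check that leafPEM chains to it for hostname.
func Verify(caPEM, leafPEM, hostname string) error {
	roots := x509.NewCertPool()
	block, _ := pem.Decode([]byte(leafPEM))
	if !roots.AppendCertsFromPEM([]byte(caPEM)) || block == nil {
		return errors.New("no certificate found in PEM input")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err == nil {
		_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	}
	return err
}
```

Calling CertFromCA("ca", "host", "host", 365) twice returns the same *Issuer, while changing any part of the name mints a new pair, which is the longevity the issue asks for. Verify(ca.CertPEM, leaf.CertPEM, "host") succeeds, and the same leaf checked against an unrelated CA or a different hostname fails. The store keeps private keys in memory; anything that persists it needs the same handling as TLSKey material.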