I'm looking at "plugging in an existing CA" into my Istio environment as documented here:
https://istio.io/pt-br/docs/tasks/security/citadel-config/plugin-ca-cert/
I can see that the following command allows you to store a key, cert & chain in Kubernetes secrets; however, it does not appear to provide an option for creating a CSR. Obviously, this would also involve first generating a private key.
Is this correct, or is there an option to do this?
$ kubectl create secret generic cacerts -n istio-system --from-file=samples/certs/ca-cert.pem \
--from-file=samples/certs/ca-key.pem --from-file=samples/certs/root-cert.pem \
--from-file=samples/certs/cert-chain.pem
The command you listed allows you to create a secret object in Kubernetes for the CA certificate, key, chain etc., which can be consumed by deployments and services. So the assumption in the documentation is that you already have a certificate ready for use.
I suggest following the entire Istio SDS secure gateway configuration guide.
To generate a private key and CSR using OpenSSL, follow the Istio documentation guide:
For this task you can use your favorite tool to generate certificates and keys. The commands below use openssl.
Create a root certificate and private key to sign the certificates for your services:
$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt
Create a certificate and a private key for httpbin.example.com:
$ openssl req -out httpbin.example.com.csr -newkey rsa:2048 -nodes -keyout httpbin.example.com.key -subj "/CN=httpbin.example.com/O=httpbin organization"
$ openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in httpbin.example.com.csr -out httpbin.example.com.crt
Additional information from the Istio documentation:
https://istio.io/docs/concepts/security/#pki
Hope it helps.
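As an added example (not code from the Istio docs or from the answer above), the following script does the step the question asks about: it generates a root CA, then a private key and CSR for the intermediate CA that Istio will use, signs the CSR with the root, and lays out the four files the `cacerts` secret expects (ca-cert.pem, ca-key.pem, root-cert.pem, cert-chain.pem). The directory, subjects and validity periods are assumptions for this example.

```shell
#!/bin/sh
# Added example: build the files for Istio's `cacerts` secret from a CSR.
# Subjects, validity periods and file names are assumptions, not Istio values.

make_istio_cacerts() (
  # $1: output directory. Runs in a subshell so the cd does not leak.
  mkdir -p "$1" && cd "$1" || exit 1

  # 1. Root CA: self-signed. Its key stays offline; only root-cert.pem is shipped.
  openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 \
    -subj '/O=example Inc./CN=Example Root CA' \
    -keyout root-key.pem -out root-cert.pem 2>/dev/null || exit 1

  # 2. Intermediate CA: the private key plus CSR the question asks about.
  openssl req -new -sha256 -nodes -newkey rsa:2048 \
    -subj '/O=example Inc./CN=Example Istio Intermediate CA' \
    -keyout ca-key.pem -out ca-csr.pem 2>/dev/null || exit 1

  # 3. Sign the CSR with the root. CA:true is required, or the intermediate
  #    cannot issue workload certificates that verify up to the root.
  printf '%s\n' 'basicConstraints=critical,CA:true,pathlen:0' \
                'keyUsage=critical,keyCertSign,cRLSign' > ca.ext
  openssl x509 -req -sha256 -days 730 -in ca-csr.pem -extfile ca.ext \
    -CA root-cert.pem -CAkey root-key.pem -CAcreateserial \
    -out ca-cert.pem 2>/dev/null || exit 1

  # 4. Chain file: intermediate first, root last.
  cat ca-cert.pem root-cert.pem > cert-chain.pem

  # 5. Confirm the intermediate chains to the root before creating the secret:
  # kubectl create secret generic cacerts -n istio-system \
  #   --from-file=ca-cert.pem --from-file=ca-key.pem \
  #   --from-file=root-cert.pem --from-file=cert-chain.pem
  openssl verify -CAfile root-cert.pem ca-cert.pem >/dev/null 2>&1
)

check_chain() (
  # Issue a throwaway workload certificate from the intermediate and verify
  # the whole chain, as a client that trusts only root-cert.pem would.
  cd "$1" || exit 1
  openssl req -new -sha256 -nodes -newkey rsa:2048 -subj '/CN=test-workload' \
    -keyout wl-key.pem -out wl-csr.pem 2>/dev/null || exit 1
  openssl x509 -req -sha256 -days 1 -in wl-csr.pem -CA ca-cert.pem \
    -CAkey ca-key.pem -CAcreateserial -out wl-cert.pem 2>/dev/null || exit 1
  openssl verify -CAfile root-cert.pem -untrusted cert-chain.pem wl-cert.pem \
    >/dev/null 2>&1
)
```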
I am new to AWS, and am trying to do the below steps:
Used the below commands to generate the .csr and .key files:
openssl genrsa -out test.abcd.com.key 2048
openssl req -new -key test.abcd.com.key -out test.abcd.com.csr
Country Name: GB
State: London
Locality Name: London
Organization Name: abcd
Organization Unit: TSO
Common Name (eg, your name or your server's hostname) []:test.abcd.com
It created two files: test.abcd.com.csr and test.abcd.com.key
I have sent test.abcd.com.csr to the client to get it signed and received two .pem files: one is the certificate body and the other is the chain. I have used these two .pem files from the client alongside the .key file that I had from step 1 to create a custom domain test.abcd.com. I have updated the API mappings for this custom domain, and the APIs are accessible now using this domain name.
I used the public SSL .pem from step 2 and the .key from step 1 alongside the below commands to create client-side .csr, .key and .pem files.
openssl genrsa -out my_client.key 2048
openssl req -new -key my_client.key -out my_client.csr
openssl x509 -req -in my_client.csr -CA test.abcd.com.pem -CAkey test.abcd.com.key -set_serial 01 -out my_client.pem -days 3650 -sha256
Output of the ls command:
test.abcd.com.key test.abcd.com.pem intermediate.pem my_client.csr my_client.key my_client.pem
I created truststore.pem using the below command:
cat intermediate.pem test.abcd.com.pem > truststore.pem
and I have uploaded it to an S3 bucket.
I configured mutual TLS for the domain test.abcd.com in API Gateway using the above truststore.pem S3 URI, and imported the ownership verification certificate using the pem and key files of test.abcd.com generated in steps 1 and 2.
But while adding the ownership verification certificate, I get the below error:
Invalid ownershipVerificationCertificate. OwnershipVerificationCertificate should be a public ACM certificate.
If you observe closely, I used the public SSL .pem and the .key (from step 1) to provide the certificate, and this error also states the same. Am I missing anything here?
Thanks in advance!
I have created a SocketCluster Node.js app. I followed their official docs to deploy the service to Google Kubernetes Engine. However, the ingress service is not coming up and complains about:
Error:googleapi: Error 400: The SSL key is too large., sslCertificateKeyTooLarge
I tried the following certificates:
4048 key size certificate from Let's Encrypt
2048 key size using a cert created using OpenSSL.
Both of them result in the same error.
Does anyone know how I can resolve this? And where do I get a proper certificate for enabling TLS?
IIRC, only RSA-2048 and ECDSA P-256 keys are supported:
openssl genrsa -out PRIVATE_KEY_FILE 2048
openssl ecparam -name prime256v1 -genkey -noout -out PRIVATE_KEY_FILE
I also struggled with this error when using Let's Encrypt certs with a 4096-bit private key on a GKE ingress, even though creating the secret worked fine following [1].
I finally overcame it by editing "/etc/letsencrypt/cli.ini":
rsa-key-size = 2048
then issued a new certificate and key file, and put those into the secret.
[1] https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-multi-ssl
On Cloud Shell on GCP, with "openssl" and "gcloud", I tried to create a self-managed SSL certificate, first running the command below to create "myCert.crt" and "myKey.key":
openssl req -new -newkey rsa:4096 -x509 -days 365 -nodes -out myCert.crt -keyout myKey.key
Then, I ran the command below to create the self-managed SSL certificate "mycert" using "myCert.crt" and "myKey.key":
gcloud compute ssl-certificates create mycert --certificate=myCert.crt --private-key=myKey.key
But I got a similar error to yours:
ERROR: (gcloud.compute.ssl-certificates.create) Could not fetch resource:
The SSL key is too large.
So I changed "rsa:4096" to "rsa:2048" and ran the first command again:
# "4096" is changed to "2048"
openssl req -new -newkey rsa:2048 -x509 -days 365 -nodes -out myCert.crt -keyout myKey.key
Then, I ran the second command again:
gcloud compute ssl-certificates create mycert --certificate=myCert.crt --private-key=myKey.key
Finally, I could create the self-managed SSL certificate "mycert":
Created [https://www.googleapis.com/compute/v1/projects/myproject-923743/global/sslCertificates/mycert].
NAME: mycert
TYPE: SELF_MANAGED
CREATION_TIMESTAMP: 2022-01-22T07:22:26.058-08:00
EXPIRE_TIME: 2023-01-22T07:22:08.000-08:00
MANAGED_STATUS:
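The three answers above all end at the same fix: the key has to be RSA-2048 or ECDSA P-256. As an added example (not from the Google docs or from any of the answers), here is a pre-flight check to run before `gcloud compute ssl-certificates create` or before building the ingress secret, so the "SSL key is too large" rejection, and the related mismatched-pair rejection, are caught locally. File names are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for a certificate/key pair destined for a
# Google load balancer SSL certificate. Accepts only RSA-2048 and EC P-256,
# the two key types the answers above say are supported.

key_is_lb_compatible() {
  # $1: PEM private key. Returns 0 for RSA-2048 or EC P-256, 1 otherwise.
  info=$(openssl pkey -in "$1" -noout -text 2>/dev/null) || return 1
  case "$info" in
    # RSA 2048: OpenSSL 1.1 prints "RSA Private-Key: (2048 bit, 2 primes)",
    # OpenSSL 3 prints "Private-Key: (2048 bit, 2 primes)"; only RSA output
    # contains a "modulus:" line, which rules out other 2048-bit key types.
    *"Private-Key: (2048 bit"*modulus:*) return 0 ;;
    # EC P-256: the curve OID line is the same in both OpenSSL versions.
    *"ASN1 OID: prime256v1"*) return 0 ;;
  esac
  return 1   # e.g. RSA-4096 (the case in the question), P-384, Ed25519
}

cert_matches_key() {
  # $1: certificate PEM, $2: private key PEM. Compares the public keys so a
  # mismatched pair is caught locally rather than by the API.
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

preflight() {
  # $1: certificate, $2: key. Prints the reason on failure; "ok" means the
  # pair passes both checks and can be handed to gcloud or kubectl.
  key_is_lb_compatible "$2" || { echo "key is not RSA-2048 or EC P-256"; return 1; }
  cert_matches_key "$1" "$2" || { echo "certificate does not match key"; return 1; }
  echo "ok"
}
```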
Use case: the client will create public/private keys and provide me the public key. I'm supposed to encrypt (RSA) the message with the public key and send the message to the client. The client will decrypt the message with the private key.
Key generation: the client generated the public/private keys using openssl. The commands are given below.
openssl genrsa -des3 -out private.pem 2048
openssl rsa -in private.pem -outform PEM -pubout -out public.pem
Challenge: I'm supposed to save the public key somewhere. Since we are already utilizing Google KMS, is there a way I can maintain only the public key in Google KMS?
I have gone through https://cloud.google.com/kms/docs/importing-a-key#create_importjob but the below command is failing with (gcloud.kms.keys.versions.import) INVALID_ARGUMENT: Wrapped key is too short.
Import command used:
gcloud kms keys versions import \
--import-job {job_name} \
--location {location} \
--keyring {keyring} \
--key {key_name} \
--algorithm "rsa-decrypt-oaep-2048-sha256" \
--rsa-aes-wrapped-key-file public.pem
Also, I'm not able to convert the public key to PKCS#8 DER format by executing the below command; I'm getting /crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER \
-in /path/to/publicKey.pem \
-out /path/to/publicKey_formtted.pem
Cloud KMS is designed around securing private or secret keys. In most cryptographic protocols, public keys are not confidential, so you can just store it as metadata for your system and do the encryption locally in your application.
Thanks for using GCP and Cloud KMS.
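As an added example (not from the Google docs or from the answer above), this is what "store the public key as metadata and encrypt locally" looks like with openssl: RSA-OAEP with SHA-256, the padding that the KMS algorithm name in the question (rsa-decrypt-oaep-2048-sha256) denotes, so the client's private key decrypts it the same way. It also shows the public-key conversion that `openssl pkcs8 -topk8` refuses. File names are assumptions.

```shell
#!/bin/sh
# Added example: local RSA-OAEP encryption to a public key kept as plain
# metadata, plus DER conversion of that public key. File names are assumed.

rsa_oaep_encrypt() {
  # $1: recipient public key (PEM), $2: plaintext file, $3: ciphertext out.
  # RSA-2048 with OAEP/SHA-256 holds at most 190 bytes of plaintext, so use
  # this to wrap a data key and encrypt bulk data symmetrically.
  openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "$3" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
    -pkeyopt rsa_mgf1_md:sha256
}

rsa_oaep_decrypt() {
  # $1: private key (PEM), $2: ciphertext file, $3: plaintext out.
  # This is the client's side; included only to prove the round trip.
  openssl pkeyutl -decrypt -inkey "$1" -in "$2" -out "$3" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
    -pkeyopt rsa_mgf1_md:sha256
}

pubkey_to_der() {
  # $1: public key PEM, $2: DER out. `openssl pkcs8 -topk8` only converts
  # private keys, which is why it fails with "Expecting: ANY PRIVATE KEY";
  # a SubjectPublicKeyInfo public key is converted with `openssl pkey -pubin`.
  openssl pkey -pubin -in "$1" -outform DER -out "$2"
}

pubkey_fingerprint() {
  # $1: public key PEM. SHA-256 of the DER form: store it beside the key as
  # metadata so the application can check it is encrypting to the right key.
  openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}
```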
I am trying to use the AWS CLI to retrieve AWS Elastic Beanstalk details, but I am getting the following error.
Error message:
C:\abdul>aws elasticbeanstalk describe-environments --environment-name myenvname
SSL validation failed for https://elasticbeanstalk.us-east-1.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1056)
Note:
I can work without any issues when I try to retrieve my EC2 details:
C:\abdul>aws ec2 describe-instances --instance-ids 'i-xxxxxxxxxxxxxx'
The above command works without any issues; I get the above error only when I try "elasticbeanstalk" commands.
Note:
I have all the necessary certificates required in place.
Thanks in advance.
I found my way to this post while Googling. In my case, the error message I received was:
SSL validation failed for https://ec2.us-west-2.amazonaws.com/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1091)
I found this blog, which told me to add an environment variable called AWS_CA_BUNDLE whose value is a path pointing to the CA cert file (which I had saved on my local machine after requesting it from our corporate network team). Once I added that environment variable, I was able to run my AWS CLI commands successfully!
I had the same issue. This is how I resolved it.
Run the below command first:
$ export REQUESTS_CA_BUNDLE=/path/to/company/certificate.crt
And then run the AWS CLI command:
aws elasticbeanstalk describe-environments --environment-name myenvname
Steps to get this working on macOS/Linux
Download the corporate self-signed certificates using OpenSSL:
openssl s_client -showcerts -verify 5 \
  -servername ec2.us-west-2.amazonaws.com \
  -connect ec2.us-west-2.amazonaws.com:443 < /dev/null \
  | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".crt"; print >out}' \
  && for cert in *.crt; do
       newname=$(openssl x509 -noout -subject -in "$cert" \
         | sed -n 's/^.*CN=\(.*\)$/\1/; s/[ ,.*]/_/g; s/__/_/g; s/^_//g;p').pem
       mv "$cert" "$newname"
     done
Create a bundle.pem by concatenating all the files fetched by the first command:
cat ec2_us-west-2_amazonaws_com.pem company_intermediate.pem company_root.pem > bundle.pem
Make it available in the AWS_CA_BUNDLE environment variable:
export AWS_CA_BUNDLE=/Users/velayutham/work/corp-cert/bundle.pem
aws ec2 describe-instances --region us-west-2   # This should work fine now.
I cannot add my Comodo SSL certificate to AWS CloudFront. I get the error:
I have received the following files from them:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSAOrganizationValidationSecureServerCA.crt
STAR_myapp_com.crt
I also have the private key.
Following this blog: https://guillaumemaka.com/2015/05/06/install-your-comodo-certificates-to-amazon-aws.html
openssl x509 -in ./AddTrustExternalCARoot.crt -outform pem -out ./pem/AddTrustExternalCARoot.pem
openssl x509 -in ./COMODORSAAddTrustCA.crt -outform pem -out ./pem/COMODORSAAddTrustCA.pem
openssl x509 -in ./COMODORSAOrganizationValidationSecureServerCA.crt -outform pem -out ./pem/COMODORSAOrganizationValidationSecureServerCA.pem
openssl x509 -in ./cdn_guillaumemaka_com.crt -outform pem -out ./pem/cdn_guillaumemaka_com.pem
openssl rsa -in ./private.key -outform PEM -out private.key.pem
Now, I created the certificate chain using the commands:
$ cat ./pem/COMODORSADomainValidationSecureServerCA.pem > ./pem/CAChain.pem
$ cat ./pem/COMODORSAAddTrustCA.pem >> ./pem/CAChain.pem
$ cat ./pem/AddTrustExternalCARoot.pem >> ./pem/CAChain.pem
Finally, I uploaded the certificate using:
aws iam upload-server-certificate --server-certificate-name CDNServerCertificate --certificate-body file://cdn_guillaumemaka_com.pem --private-key file://private.key.pem --certificate-chain file://CAChain.pem --path /cloudfront/production/
When I try to add this to my CloudFront distribution, I get this error:
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain. (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: 90ee29ae-068e-11e8-xxxx-62197a5115b7)
How do I create a valid certificate bundle?