[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Requirements for Router Re-encrypt destination certificates?



Something seems odd to be about setting up a route (origin 3.9), i can create a route with re-encrypt if the cert is signed by a self signed CA, but the route doesn't work if the destination certificate is self signed and marked as a CA.  For example this destination certificate does NOT work with the router:

-----BEGIN CERTIFICATE-----
MIIDlTCCAn2gAwIBAgIGAWO2zOVIMA0GCSqGSIb3DQEBCwUAMG0xDDAKBgNVBAYT
A2RldjEMMAoGA1UECBMDZGV2MQwwCgYDVQQHEwNkZXYxDDAKBgNVBAoTA2RldjEM
MAoGA1UECxMDZGV2MSUwIwYDVQQDExx1bmlzb24tc2NhbGVqcy1yaC50cmVtb2xv
LmlvMB4XDTE4MDUzMTAwMDAwMFoXDTI4MDUyODAwMDAwMFowbTEMMAoGA1UEBhMD
ZGV2MQwwCgYDVQQIEwNkZXYxDDAKBgNVBAcTA2RldjEMMAoGA1UEChMDZGV2MQww
CgYDVQQLEwNkZXYxJTAjBgNVBAMTHHVuaXNvbi1zY2FsZWpzLXJoLnRyZW1vbG8u
aW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCSaec22QonMOU2a/0y
QwOduMlCwQEPMu8E2b1sNAiL5K22i+3i7ozE+/r4AyMAKjvc2TRbObbMrHDnJBgV
WigkaTeSLWQdRol4WlgeFtbYH+S/vWxSsm2dAPpt8wZpuENa6ptK9khPa8n0IhLG
O31UPTEyEIXg/cg20x1+cRcdMCVWSD7F1m3Ia4wvUuH7g21fWCy1ljkbPPMDqI+b
DnrLzsJjgmE8rKbw9dYm7irc3Rgd1zW4Rv/2Wg1JeDWJ3CrWCZPouC2qh1PWgUU2
sMs72cL9PPwHUnKHyBT7RwDXjEI0RjVPQ3jwdXnhaHel4npXP+ByYfaa0jGw4DxQ
vHSTAgMBAAGjOzA5MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgWgMBYG
A1UdJQEB/wQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQANboUIllvD
FRoBAOivn2N9BqRDS4c6JlPGZcApv0kr07+gjXziREh1+vUBUjBpCkX+oGWj2ZBe
v714ewxI1Hyr5YG5i8aJEO32GANP+2yesSMLyPGIIKacBYhgctJiMZH+QtZBahqu
jg87XXlIYwOGMAaelRjvJuqRFfkh5xYzCvHYxP26yOT9CqvEv5EsvCss13ZylIsb
U1PX2Xu3FPu+LY2ayS+ZVPRL6J1GkIGO2LhWF00elVk1capS5c6i9Z/TbfjjN8SJ
mYLEuOzeqjcbnxOZU6LzTECfU9SrFXTF3sh/iRqBWrJ69H1IJFpdLsT38a6N4+dZ
yAIcbTIyOcaN
-----END CERTIFICATE-----

however, this cert does (and its corresponding CA):
-----BEGIN CERTIFICATE-----
MIIDHDCCAgSgAwIBAgIJANka1xITATPtMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV
BAMMB2t1YmUtY2EwHhcNMTgwNjAyMTkwMjM5WhcNMjgwNTMwMTkwMjM5WjBtMQww
CgYDVQQGEwNkZXYxDDAKBgNVBAgTA2RldjEMMAoGA1UEBxMDZGV2MQwwCgYDVQQK
EwNkZXYxDDAKBgNVBAsTA2RldjElMCMGA1UEAxMcdW5pc29uLXNjYWxlanMtcmgu
dHJlbW9sby5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKRahgUI
umjSD0Yz6Fw/k0DFDDnmlekYLkFGgYz+Z2yxWUVOJo9VLWx0RbkUknul1NB//cW4
lN8Wc7C9gfJJ7zI/v3C2L+N/3f2yp8xshmQzQB+xnjkZjuqXSgMIQWEUHnfaiM8C
1AmeQ07qFbssPnVzlBr7ukQMwU7StI64PDQ77HAT406lf7aVCvikMqKUf40LOaz3
GtWP6bnGPhvMgYytbCysUUP5osLmQeEokxXul77fTeEfBtKX0ITpnZi+daUkFwXi
5NvckN2dZA7wZ+Vat/tZzfTYycHlUF3eWW/9T8cjV0L0V2uT3hXBuXwNw1CXeLcZ
Gf2/8HL/yoXP6VUCAwEAAaMaMBgwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwDQYJ
KoZIhvcNAQELBQADggEBAGu1HvIcINGpyCBXhqgmlafSqh7Huodx4tyHgeu0NTmD
kf8iU7PGiWjk5L9SUBWJO+rvycU5GQ/+yH/tp9xir0uBh1iXOOoth0vPnL5HQcZ4
VXPnmFylUYa3I5123OdCHuzVHlkD6bdiy6E/mT25XcwWpZL9wgjtE1RbDkLR7Gq/
KVUN2KMnX9Eiewm47wXTnDw62eVrzhrApIuqLsMbabOQ2uUeoelE9c0agR6RLTng
50rCfj3MpjpfSZDR/Y9XWKizVMR0sqj0rYw+Mg6XhOzK/c20km6O+Km69Zh1BsdX
LyXGd0Lf/1nSf3jG+h29NUCq3yp7U9iyVyL5Q4nNE6U=
-----END CERTIFICATE-----
ca:
-----BEGIN CERTIFICATE-----
MIIC+jCCAeKgAwIBAgIJAIiduSOLKh22MA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV
BAMMB2t1YmUtY2EwHhcNMTgwNjAyMTkwMDIyWhcNMjgwNTMwMTkwMDIyWjASMRAw
DgYDVQQDDAdrdWJlLWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
48J8oKeAztHrL2Dk9o24TxrgX21uM6GcZKhdDPW7gMn9uYBYMsoaI7eZyYLxhxiV
qG3WP1vgqpB00EbRdojoemdJ2os5rYz512BOlzNVjsgVE2Mgz/8cfV9pHWFp0dF9
C36ZjhUy7yvUyMf8+ekEFdE6fOOu+JImhfKDEHYzohXNITeTtgKpUh6Rw0ZNNRgq
6lVGYt8P6P0xbMHCYICKoJKmlViSVlqkB0R7L+TFOpuNajyibqszlizJGZXotym7
dLz9kIjPkksCl0jAERasacoFonJ8OtkR8G8rdlE+5hg7WAcy1C556mYsJ64ptLqW
yoiOEQyjMkWXKMsaPX4rpwIDAQABo1MwUTAdBgNVHQ4EFgQUxCOIqR3LgiRT5GEy
RhXgk84/wtowHwYDVR0jBBgwFoAUxCOIqR3LgiRT5GEyRhXgk84/wtowDwYDVR0T
AQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAFfcxlzBIDQFwwIF92fXjIaQ1
jqpQRHUwKd2w7/EXyp3f9xQ1+IqlMkQu/Ip0pxZPB2WRWP1tL7o0EetOm6X29h12
be5yVovmx8DlaC0jTjwTDAOsSDHb4GlJv4pLjyDNmk/mtj3mW6UCYH4msWcIidYj
9d/neZnU4RftrtJzYZgcmpCK7xhdXqevoLo1X2b0gUlR/80DsEt37gBFAsp/EP/d
4yygBujWd3Q4d8nNzNVxkB7nXf2Wh0BrWadEKEsN8sukBNHZQ22KeI4YaBI92Mo3
n24wdO7Q3bOmaEHPpVXnZJZKmYy8JNji22WmUi/Z3KD+0880ea+QGh+VC/gZuw==
-----END CERTIFICATE-----

Now the first cert is marked as a CA, so it SHOULD work (and the same process generates certs that the golang clients in openshift and k8s both work with OK).  Is there a requirement I'm missing?

Thanks
Marc

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]