
Re: Requirements for Router Re-encrypt destination certificates?



The only differences I see are in key usage restrictions.

The CA that is working in the second example has no key usage restrictions:

        X509v3 extensions:
            X509v3 Subject Key Identifier:
                C4:23:88:A9:1D:CB:82:24:53:E4:61:32:46:15:E0:93:CE:3F:C2:DA
            X509v3 Authority Key Identifier:
                keyid:C4:23:88:A9:1D:CB:82:24:53:E4:61:32:46:15:E0:93:CE:3F:C2:DA
            X509v3 Basic Constraints: critical
                CA:TRUE

The self-signed+CA that is not working in the first example has key restrictions that do not include "Certificate Sign", and extended key usage restrictions of web server auth:

        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication


You might try adding KeyUsageCertSign to the key usages and ExtKeyUsageAny to the extended key usages to see if that makes the router happier with your all-in-one cert.


On Sat, Jun 2, 2018 at 3:13 PM, Marc Boorshtein <mboorshtein gmail com> wrote:
Something seems odd to me about setting up a route (origin 3.9): I can create a route with re-encrypt if the cert is signed by a self-signed CA, but the route doesn't work if the destination certificate is self-signed and marked as a CA.  For example, this destination certificate does NOT work with the router:


However, this cert does (and its corresponding CA):

Now the first cert is marked as a CA, so it SHOULD work (and the same process generates certs that the golang clients in openshift and k8s both work with OK).  Is there a requirement I'm missing?

Thanks
Marc

_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
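The diagnosis in the reply can be checked locally with Go's crypto/x509 package, whose CheckSignatureFrom applies the RFC 5280 rule that a certificate carrying a keyUsage extension may only act as an issuer (including of itself) when keyCertSign is set. The program below is an added example, not code from the thread or from OpenShift: it builds two self-signed CA:TRUE certificates, one with the failing cert's usages and one with the reply's suggested additions, and reports whether each is accepted as its own issuer. The function name CanSignItself, the host name app.example.test and the Ed25519 key are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Usages of the thread's failing all-in-one cert, and the same with the reply's suggestion applied.
var FailingKU = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
var FailingEKU = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
var FixedKU = FailingKU | x509.KeyUsageCertSign
var FixedEKU = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageAny}

// CanSignItself issues a self-signed CA:TRUE certificate (constructed host name, Ed25519
// key) with the given usages and reports whether Go's verifier accepts it as its own
// issuer: CheckSignatureFrom rejects a parent whose keyUsage lacks keyCertSign.
func CanSignItself(ku x509.KeyUsage, eku []x509.ExtKeyUsage) (bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{"app.example.test"}, // constructed host name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              ku,
		ExtKeyUsage:           eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return false, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	return cert.CheckSignatureFrom(cert) == nil, nil
}

func main() {
	fmt.Println(CanSignItself(FailingKU, FailingEKU)) // false <nil>
	fmt.Println(CanSignItself(FixedKU, FixedEKU))     // true <nil>
}
```

The same check against an OpenSSL-based verifier such as the router's HAProxy is `openssl verify -CAfile cert.pem cert.pem`, which fails to find a usable issuer for the cert without keyCertSign.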


