infra
/
kubernetes
1
0
Fork 0
Code Pull Requests 4 Activity

step-ca: Re-deploy (again) with DCH CA R2 

Although most libraries support ED25519 signatures for X.509
certificates, Firefox does not.  This means that any certificate signed
by DCH CA R3 cannot be verified by the browser and thus will always
present a certificate error.

I want to migrate internal services that do not need certificates
that are trusted by default (i.e. they are only accessed programatically
or only I use them in the browser) back to using an internal CA instead
of the public *pyrocufflink.net* wildcard certificate.  For applications
like Frigate and UniFi Network, these need to be signed by a CA that
the browser will trust, so the ED25519 certificate is inappropriate.
Thus, I've decided to migrate back to DCH CA R2, which uses an EdDSA
signature, and can therefore be trusted by Firefox, etc.
etcd
Dustin 2024-04-05 13:03:34 -05:00
parent 5c34fdb1c6
commit 3ba83373f3
5 changed files with 39 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
dch-root-ca/dch-root-ca.crt
View File

@ -1,11 +1,12 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIBgTCCATOgAwIBAgIUTf/ZBSJEi8IQb8Ndoxp4/tHB/lcwBQYDK2VwMEAxCzAJ MIIBxDCCAWqgAwIBAgIUbHz2tssa09zsHk+EdGD3QKprMKQwCgYIKoZIzj0EAwQw
BgNVBAYTAlVTMRgwFgYDVQQKDA9EdXN0aW4gQy4gSGF0Y2gxFzAVBgNVBAMMDkRD QDELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UE
SCBSb290IENBIFIzMB4XDTI0MDIxNzIwMjkzNloXDTM0MDIxNzIwMjkzNlowQDEL AwwORENIIFJvb3QgQ0EgUjIwHhcNMjMwOTI0MjA1MzA5WhcNNDMwOTE5MjA1MzA5
MAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UEAwwO WjBAMQswCQYDVQQGEwJVUzEYMBYGA1UECgwPRHVzdGluIEMuIEhhdGNoMRcwFQYD
RENIIFJvb3QgQ0EgUjMwKjAFBgMrZXADIQDORylVcWcxwGDJvsJIc2NctfNfDaIU VQQDDA5EQ0ggUm9vdCBDQSBSMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2D
T6mLebahKdshaKM/MD0wHQYDVR0OBBYEFLZoxAHBvWqbLWMga/DAAlG9ido5MA8G NJHRcjuA19ZoprBKaxIfUxAbz6LigM7dgtO6+isaMlxRAVJmsITADIE/22RrUDgD
A1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMAUGAytlcANBANLV79joVd9s9bmL Ofkt2iZTUjMrz3AxXhWjQjBAMB0GA1UdDgQWBBTM+d8kb1koGmKRtJs4gN9zYa+6
0a91HqvOotOnN/416Ek4UTl95jIqy/TvTfRjXX56wSALXqP1iYQM5i3zk3gVEhh4 oTASBgNVHRMBAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwIBBjAKBggqhkjOPQQDBANI
DaY+6wQ= ADBFAiEA2Ka8mMiAFLmrFWt0dAml247re2+i4UPhyHcOBfNK+goCIHv+vEw7CHZQ
irIa697nfe4KiXIMwHlAMS1+1QZohFDC
-----END CERTIFICATE----- -----END CERTIFICATE-----

11
step-ca/README.md
View File

@ -10,18 +10,19 @@ OpenID Connect, mTLS, and more.
## Offline Root CA ## Offline Root CA
The *DCH Root CA R3* private key is managed externally from Step CA. It is The *DCH Root CA R2* private key is managed externally from Step CA. It is
stored offline (on a flash drive in a fireproof safe). Only the CA certificate stored offline (on a flash drive in a fireproof safe). Only the CA certificate
is used by the online CA service, where it is provided to clients to include in is used by the online CA service, where it is provided to clients to include in
as a trust anchor in their respective certificate stores. as a trust anchor in their respective certificate stores.
*DCH Root CA R3* replaces *DCH Root CA R2*, which never ended up being used, *DCH Root CA R2* replaces *DCH Root CA R1*, which has not been used for some
and *DCH Root CA R1*, which has not been used for some time. time. *DCH Root CA R3* also exists, but it is based on an ED25519 signature,
which is not supported by Firefox.
## Online Intermediate CA ## Online Intermediate CA
Step CA manages the *DCH CA R3* intermediate certificate authority. The Step CA manages the *DCH CA R2* intermediate certificate authority. The
private key for this CA is stored in the `intermediate_ca.key` file, encrypted private key for this CA is stored in the `intermediate_ca.key` file, encrypted
with the password in `password`. This key pair is needed by the online CA to with the password in `password`. This key pair is needed by the online CA to
sign end-entity certificates. sign end-entity certificates.
@ -29,7 +30,7 @@ sign end-entity certificates.
### ACME Provisioner ### ACME Provisioner
Hosts can obtain certificates signed by *DCH CA R3* using the ACME protocol. Hosts can obtain certificates signed by *DCH CA R2* using the ACME protocol.
The CA will only sign certificates for names that map to addresses controlled The CA will only sign certificates for names that map to addresses controlled
by the requesting client. For most machines, that means they can only get a by the requesting client. For most machines, that means they can only get a
certificate for their hostname. Other names can be added using DNS CNAME certificate for their hostname. Other names can be added using DNS CNAME

24
step-ca/intermediate_ca.crt
View File

@ -1,15 +1,13 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIICTzCCAgGgAwIBAgIUDNTFsSYYl8xsEcg9kTatxvOSkmUwBQYDK2VwMEAxCzAJ MIICCTCCAa+gAwIBAgIUZx82NjARN6f1jWUlq/mvaF7oscEwCgYIKoZIzj0EAwIw
BgNVBAYTAlVTMRgwFgYDVQQKDA9EdXN0aW4gQy4gSGF0Y2gxFzAVBgNVBAMMDkRD QDELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UE
SCBSb290IENBIFIzMB4XDTI0MDIxNzIwMjk0M1oXDTI1MDIxNzIwMjk0M1owOzEL AwwORENIIFJvb3QgQ0EgUjIwHhcNMjMxMDE2MDU0MTA4WhcNMjYxMDE2MDU0MTA4
MAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDESMBAGA1UEAwwJ WjAUMRIwEAYDVQQDEwlkY2gtY2EgUjIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
RENIIENBIFIzMCowBQYDK2VwAyEA50stJ8iW6/f+uECPxAJwpSfQDRQg4/AgKJY2 AAQ1rK98igj6Y5lbeP8HS1zqQCtkcmz8uk1jp4VgznWT3Q8BanjA55UHQi/xx4xz
lpd3uNijggEQMIIBDDAdBgNVHQ4EFgQUtiqtFaZZ/c4IfWXV5SjJIOPbmoowHwYD BYu4QIkJhtqcR5a7YXSr7fQvo4GyMIGvMB0GA1UdDgQWBBQGy1GZZxrCjGDiIGdR
VR0jBBgwFoAUtmjEAcG9apstYyBr8MACUb2J2jkwEgYDVR0TAQH/BAgwBgEB/wIB YhTMZZqhkTAfBgNVHSMEGDAWgBTM+d8kb1koGmKRtJs4gN9zYa+6oTASBgNVHRMB
ADALBgNVHQ8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMEwG Af8ECDAGAQH/AgEAMAsGA1UdDwQEAwIBhjBMBggrBgEFBQcBAQRAMD4wPAYIKwYB
CCsGAQUFBwEBBEAwPjA8BggrBgEFBQcwAoYwaHR0cHM6Ly9kdXN0aW4uaGF0Y2gu BQUHMAKGMGh0dHBzOi8vZHVzdGluLmhhdGNoLm5hbWUvZGNoLWNhL2RjaC1yb290
bmFtZS9kY2gtY2EvZGNoLXJvb3QtY2EuY3J0MDwGA1UdHwQ1MDMwMaAvoC2GK2h0 LWNhLmNydDAKBggqhkjOPQQDAgNIADBFAiEAovkqUlWkbRXsoHrDv1AfHdox9gS2
dHBzOi8vZHVzdGluLmhhdGNoLm5hbWUvZGNoLWNhL2RjaC1jYS5jcmwwBQYDK2Vw Fdq9wKfDk7H/aPoCIDs4CJBhdPh/a+HZZRQWxBTT3KbbdXAaiT+g/VyD+0qt
A0EAACaKAJAKejpFXQV+mgPdDXaylvakc4rCEs1pFhPXbbMMGflNOeiiy+c+aMwt
yfObaZ8/YiXxCSjL6/KzRSSjAQ==
-----END CERTIFICATE----- -----END CERTIFICATE-----

19
step-ca/root_ca.crt
View File

@ -1,11 +1,12 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIBgTCCATOgAwIBAgIUTf/ZBSJEi8IQb8Ndoxp4/tHB/lcwBQYDK2VwMEAxCzAJ MIIBxDCCAWqgAwIBAgIUbHz2tssa09zsHk+EdGD3QKprMKQwCgYIKoZIzj0EAwQw
BgNVBAYTAlVTMRgwFgYDVQQKDA9EdXN0aW4gQy4gSGF0Y2gxFzAVBgNVBAMMDkRD QDELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UE
SCBSb290IENBIFIzMB4XDTI0MDIxNzIwMjkzNloXDTM0MDIxNzIwMjkzNlowQDEL AwwORENIIFJvb3QgQ0EgUjIwHhcNMjMwOTI0MjA1MzA5WhcNNDMwOTE5MjA1MzA5
MAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UEAwwO WjBAMQswCQYDVQQGEwJVUzEYMBYGA1UECgwPRHVzdGluIEMuIEhhdGNoMRcwFQYD
RENIIFJvb3QgQ0EgUjMwKjAFBgMrZXADIQDORylVcWcxwGDJvsJIc2NctfNfDaIU VQQDDA5EQ0ggUm9vdCBDQSBSMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2D
T6mLebahKdshaKM/MD0wHQYDVR0OBBYEFLZoxAHBvWqbLWMga/DAAlG9ido5MA8G NJHRcjuA19ZoprBKaxIfUxAbz6LigM7dgtO6+isaMlxRAVJmsITADIE/22RrUDgD
A1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMAUGAytlcANBANLV79joVd9s9bmL Ofkt2iZTUjMrz3AxXhWjQjBAMB0GA1UdDgQWBBTM+d8kb1koGmKRtJs4gN9zYa+6
0a91HqvOotOnN/416Ek4UTl95jIqy/TvTfRjXX56wSALXqP1iYQM5i3zk3gVEhh4 oTASBgNVHRMBAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwIBBjAKBggqhkjOPQQDBANI
DaY+6wQ= ADBFAiEA2Ka8mMiAFLmrFWt0dAml247re2+i4UPhyHcOBfNK+goCIHv+vEw7CHZQ
irIa697nfe4KiXIMwHlAMS1+1QZohFDC
-----END CERTIFICATE----- -----END CERTIFICATE-----

4
step-ca/secrets.yaml
View File

@ -10,8 +10,8 @@ metadata:
app.kubernetes.io/part-of: step-ca app.kubernetes.io/part-of: step-ca
spec: spec:
encryptedData: encryptedData:
intermediate_ca.key: AgA4MOOCi8WvBSqyGw6T1wrK7zGgC7kvHYNpgZpZlBq3ZcW4l2d/huT7SbpIUQZN8OhLsgsZqK73VisFRsTG//KrMsJ+CCv6DSpaoEEL0LzUFWVldK27oZ3CDfAo6pZS50M8DSzcA7foxvw7++DSnytS9ken6qu2Azf3iFOFetES23XMT7IIFfcJz+qgBVGIOrxYULj19Y3EZD++kgRM22pCSrnoOQHJV3DOE6SjMZfg9Nhbg7Z5jrpsoM5w7QXd3g8jfsOS0Yv+95CL5SgTtJBAPqVi/2bK7nPuQxGFBy/qhwktzeeagOgFwe5McnEL0aB8K7GQEhOeIiHNSf/AAffronCdGapHQcthAA9CD3P4qXHogiY6x6JgqOXaZ3/BNF4gIlEJoJV36Z51BZUpZLakqOcxw2XNungITq4XMZqUybyqq/oHZEjcqqwSgeHtGJ7aaCAdV1AK4J8kNYXSs0+JcKU+1BzCDTB2YY1nT3uXz5g2d6eLlAe3S6pLDBdZGfyXv4e/nS9ouhdQm9qknNt2hqLAkm5u2g0C6MWYqgCKKdWQBg0JrLvN799zOj5FOGFOEa+gA2t6WwpVeiuo/6Xhn2WtkU710cXdblROM/DWoiI7YUxG4GsmzZOG/1TsbGTPoP1+evxD+VxCIOag6yxBCHnrpUVyCwdp7GLH/+72KyKClhJLb/ub/MKKVTlsWk0JhP3EhfvChO4tbeFMjeGt7afuKKghRt3ZXjAAZFW28qx5oLvirRoUSKOdEU+jE0RWFFeB0Qac9Hz9BFM5iAhdlcpGOOi5bGeMqR/nGlTRV9oUENeopiHBvVXfXr88yumVDE7FzXy4RyC4hypQFddS7kVR3MYoA9c6hWrCAAiuooOKa1JhdfhdlvlQij9PAJW921ClBBXcB2ykcivcrJd6GPAzCHOj6cQjUDeTwarKqZGf1PdtNnCsU1r1V0MOqyuhNjZZ4ZoGEGlq3r3TJY8Hh/+w//ZTpbvHpTUD2rhQjXuVyzqBpU2z5SoFt23U7sV/8+LizZMKfJl9fveJU/CbZ3bGC756ZhpHykbX7bgy9Q0iBg9ke1w+7lepsZVZKhlfnQ== intermediate_ca.key: AgBArqvWXQHJwubw/7jOBtErH4BNpq+B1nsoTuhsmmE7COhRROko9wwYcfLfeJHkul1uXmp6JNmAde2xs6uJlbHwTDIRlUld2tAo2O20PHaDNq8/poqkk7LNnvjbwC73tul+Gxiot8WEfFM4eP98wYHePrX6q0/LAzyH/6Js8YgBKzLt4sIRi5E49m0C2s9uy5u1e3DcHNZTIlkntYi8zNmk+QEBHkqkeqvdGZ+yqH5e78AasF4qPfKw7WoFm3PH2/tKRfDpBXfvdTxrRy9FzqmmhdGVmbaeQcJ+Yl8H6qNd1BiqpAPkIDwAC9/LfH4Sd/iM59TdeOKsZpvEJZOyWLm1KbJz13wPfnGs/QvArwtuA95UQfzPYGFx9qur/nz3nsBvTvqFyAU+QHGSOnjig5ZppIb+Yr9foWuSqDV0qcfXEdjLzyc19lzS1e+itRLR1414Maaru4poPcg7xUQCs88oGvYAUi27p8xRXynGXtZwTK/GSWXFGxkzw1DtVcbGa/P23sCSnMLOsrajvvJYD2aCHZ6fKSUT+tddCoZhohM112uA6wNWBUx00uFgWUGZloe6MPVHnCStAwBxClXi+pREnSEk091nuSYzsTZarweUOJs8tLO2g2bEQ2BQCsCMbkNLjc6SSJa+Lu2Yb7uCUdwbLAZDf289f8SGmzsf/C7/Xbcmu0smrf5bb6ZUnacrWtCgrnPRJNMSXCY51awo3cj9c3X/v6pQVbjj+fTxDUIIaI9OcfvPJksapgsR8Olqffi8SlN3fvETOmVGVNAK11xy7qMmpz9Fck3z93NXUDNHMxteVic+8aHZgwv4wh+ixMldtCBiGWciavKWd7APSQjyvDwT4tTIi7QWa78+CBz/0Z3eDwDUHt5ryXlWeYRufrOTsGQJ9cfQgr8STgC00oghUaAtZ8y3cIOdVrwDCe1Yi9Dp2KlxzLLa+zYdagbmb8ygOZg65yW0Oy3q+sD1MSkrUQi/RDPjRB8kF+4t2MIZ00jQ7geIkhnh3TvislEqHbV5ZjKBZ2Gw4An+q4CB4EtM0DYKGGw7xvPyCqvs9E7WzSxyGL8+dNkEw/jASoHwJcufaXDXFgENuLn7OyCpsMMBZYti+V9SIOTNOQ==
password: AgAspVB0c402ymidL6YoRTRtmPekLZHlQXtZecftoakjm75OArueAnH+1dquknV4MJ7g8XUVLkguh4lKkNPxjCs2Jen5UM+aSxoqii/2KdTAIb1WINebDOhyj3lY8aZw9+qeDfc5590+x+8jASwm7rVf6QfGygdjwQ6D6xeNUC7xwU3bC8xH9mHq2wSKbI6iGAik4Di7Ma4bvm/nTNfB+Ogb7rdLoJsvDDFbZ1io3wWNJGsWleged2HRPPwkmGq7pkxE2xUpjgbqeWX0y8RbNLC6DwsE3mUce9hanfLvxJVCDMnbUKfUYUxULBMFpheT6lmyz1YgFu+NiuSFvX3An4PNfgeQ2Hl931qfoG9h2kX4wyYcJt0ELZ2tdcrSS7zWgNNx450LuWmGQPvhApLhH2U7CUsSrjbWS/NZKMHuZryp0sEtykoEOOtNezU5slSY/0aB9XWFDu78RaYJOZy1VqGy+ulWkhCFv+3D2MEF6JJXmI4RNTdWmUQx1hr85uTS9Xi6stovkLMHxrEJfDI581yZv7Z9DrSssp5U4Ydf3gjKN7UTgFXrSz25R7SJ4lYso7yHhka9L2YMuIuPS7iPg1F+RPjiG6KAxP3roqRfeMXP3LoDn/21pYsO1QNrq2fBLXaO8Wq0hRXaICZzGveWdeM8sIbjBNqxjb50YtmkF/bDI8BY/sogPWitzDDyNU3bVS5Qyl0AaTHasGzJ9Es26Q4C0GHLd3iVQq0GTSsmtUbZGg== password: AgAnwKicJ7yut9B3J22XYdqzGzHxh3kXCAozIZu9v1IxSTWb1txkF1aJM64ooog/IpUtoF88v6XzGTDDsAsbXtQbu7Y2s77zQXIOIj+Vri2kZAQyRdCDa70heUdPxo9haIizZvtJHH+dRxVqQ+YSXpPlbLag46RMvMHlUZjbPLxwTrOWVwHW2uVJJke7RiB99z1xOIV8nlD0NjdH9Ig1pnUikm4+GfiZBw/PjieYbjk5U8IABBfx1jjJPLFk2TlzsCyz8JyGr+Gf8DvCxRS43Wwtbn0ks2aFn/eZBMHK+XatjImtYSNUa4eIbjHD1RdQ03yZy83D8LdpYMl+z3PLYLrdIDkv7VBT875KjHoYGIMdjSkuNHuooOcdyJrN7bMRpODfzTXREoiY+4p1wHbLlOXOubxY/ULV6FAIMe9RSWVhmWMxV1INYwZuoNUr2pa29rBrIinF8Hc5Kcr2lhEZ9kpnrkC4MFpMjdW7QsOhpFnW2hIE2xWXc/vZgQ6q+8jJrMQwwrGcn+CEaFTSoVsXYaBwUnsOzMCNyHaNfyX03eQE9wNlXz0dppGoHJpb5ny+fviMhFS6kEXiieElRaTL8erGr0Ivtn+St5RaqD8mDpP36YrQ8YWpTMoyLSllRG4X1hiCorcjevZq2pJuP5+hs0HhtVW9vZS3iLGzHzjqyMJDvlml6Xd+AyvoylC38uncivF8NtHhIoeAgzlOZjYRxodPkLxAOfoVTlCzMexH+fsShwM=
template: template:
metadata: metadata:
name: step-ca name: step-ca