Minikube: Path to Root Certificate - kubernetes

I am using Minikube/Kubernetes and want to add a new user. Therefore I need to sign the certificate request for this new user. Where is the root certificate of Minikube located?

You can find your Minikube CA certificate(s) in your ~/.minikube directory.

Related

How do I extend the Elasticsearch SSL Certificate expiry periods?

I have an ES Cluster(ES version 7.4.2) that has been running for 3 years.
When I run the following query:
GET _ssl/certificates
I'm getting the output.
"expiry" : "2022-11-20T07:27:29.000Z"
in /usr/share/elasticsearch
For the new 'temescls01-ca.p12' certificate
I run './bin/elasticsearch-certutil cert --ca /etc/elasticsearch/certs/temescls01-ca.p12' and when I enter the 'CA CERT password' it generates a new temescl01-ca.p12 certificate.
For the new 'temescls01-certificates.p12' certificate
I run './bin/elasticsearch-certutil cert /etc/elasticsearch/certs/temescls01-certificates.p12' and enter the 'keystore password'.
I'm using the old certificates' passwords for both new certificates.
I was able to create all 2 certificates. But when I stop the elasticsearch service and replace the old certificates with new certificates by following the document here, the node cannot join the cluster. When I replace the old certificate, the node joins the cluster without any problems.
An example from elasticsearch.yml
elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/temescls01-certificates.p12
xpack.security.transport.ssl.keystore.password: XXXXXXXXX
xpack.security.transport.ssl.truestore.path: certs/temescls01-certificates.p12
xpack.security.transport.ssl.truestore.password: XXXXXXXXX
Is there something I did wrong?
It’s not possible to extend the expiry date of a certificate. But you can create a new one. If you are using the PKCS #12 (p12) format for your SSL/TLS certificate, you can use this article to create a new certificate.
https://medium.com/p/99820ff87615

Deployed new image in EKS w/ renewed cert. Getting cert errors now

Our website runs in an EKS cluster with a load balancer. The LB is created with the yaml config in EKS. Our wildcard cert is expiring at the end of the month. We are consolidating our certs to DigiCert, so I just requested a new cert from them; the previous issuer was GeoTrust. I placed the new cert files so docker build would pick them up and place them in the proper place (the container is built from ubuntu/apache2:latest). I applied the new config, and when you load the site the browser does not like the cert.
So to test the cert I created a new dev site, just copied the project files to a new directory. I built the image, deployed it to a new namespace and pointed DNS (dev) to the new LB. This time the browser likes the cert. So I thought I would just point the A record to the LB that was created for the dev site. The browsers don't like the cert when I do that. I'm confused.
My thoughts are that this has to do with the LB and the new issuer. I was thinking of removing the deployment/LB and then re-deploying to build a new LB. But I am worried about recovery if this fails.

How is the KubeConfig file used?

When we set up a Kubernetes master using kubeadm init, at the end of the procedure we have to copy /etc/kubernetes/admin.conf to $HOME/.kube/config.
When I opened the file, I found the details below.
certificate authority data
client certificate data
client key data
I am aware the file is used for authentication when we try to access the cluster using kubectl.
What I am trying to understand is where these details are generated from.
You have two options
- Use the automatically generated certificates if you have installed k8s with kubeadm
- Create your own certificates.
Once you have the certificates, you can follow these steps to manually configure them
https://kubernetes.io/docs/setup/certificates/#configure-certificates-manually
To create your own CA certificates, there are many Google links, and here is one for your reference.
http://pages.cs.wisc.edu/~zmiller/ca-howto/
If you are new to this, I would suggest you start with "A Single-level CA"
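The following is an added example, not code from any of the posts above. It covers both the Minikube question at the top of the page (signing a new user's certificate request with the cluster CA) and the kubeconfig answer here (where the three data fields come from). The function names, the user "alice", the group "developers" and the throwaway "demo-ca" are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: sign a user's CSR with a cluster CA, then derive the three
# kubeconfig *-data fields from the resulting files.
set -eu

# Constructed throwaway CA so the example runs offline. With Minikube, skip
# this and pass ~/.minikube as the CA directory (it holds ca.crt and ca.key).
make_demo_ca() {                      # $1 = CA directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Key + CSR for the user, signed by the CA. The API server reads the user
# name from the certificate CN and group membership from O.
issue_user_cert() {                   # $1 = CA dir, $2 = out dir, $3 = user, $4 = group
  openssl genrsa -out "$2/$3.key" 2048 2>/dev/null
  openssl req -new -key "$2/$3.key" -subj "/CN=$3/O=$4" -out "$2/$3.csr"
  openssl x509 -req -in "$2/$3.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -out "$2/$3.crt" 2>/dev/null
}

b64() { base64 < "$1" | tr -d '\n'; }  # single-line base64 of a PEM file

# certificate-authority-data belongs under clusters[].cluster, the other two
# under users[].user; each is just the base64 of the PEM file.
kubeconfig_fields() {                 # $1 = CA dir, $2 = out dir, $3 = user
  printf 'certificate-authority-data: %s\n' "$(b64 "$1/ca.crt")"
  printf 'client-certificate-data: %s\n' "$(b64 "$2/$3.crt")"
  printf 'client-key-data: %s\n' "$(b64 "$2/$3.key")"
}

# Decode one certificate field (fields on stdin) and print its subject.
field_subject() {                     # $1 = field name
  sed -n "s/^$1: //p" | base64 --decode |
    openssl x509 -noout -subject -nameopt RFC2253
}

# Succeeds only if the user certificate chains to the CA.
chains_to_ca() { openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1; }

demo=$(mktemp -d)
make_demo_ca "$demo"
issue_user_cert "$demo" "$demo" alice developers
kubeconfig_fields "$demo" "$demo" alice | field_subject client-certificate-data
rm -rf "$demo"
```

The client-key-data field is the user's private key in base64, which is encoding and not encryption, so a kubeconfig file needs the same file permissions and handling as the key itself.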

CA Root Certificate and Domain/Intermediate certificate

I have made a CA Root certificate with "New-SelfSignedCertificateEx".
My problem is how to create a domain/server/intermediate certificate which is slave to the root.
Can you help me?
I have made a CA Root Authority certificate. I use PowerShell instead of the makecert.exe command. I added it to my trusted zone.
Now I want to create a server CN=domain certificate which extends the CA authority. I need to sign it and deploy it on my IIS. How do I do that in the ps1 language?
|-----"My ROOT CA"
|
|--------"My Slave" (DNS CN=domain.local)
I think I need to set "Issued to" and "Issued by".
"My ROOT CA"
Issued to - My ROOT CA
Issued by - My ROOT CA
"My Slave"
Issued to - My ROOT CA
Issued by - domain.local

ADCS intermediate CA unable to check revocation of status of its own certificate

We have a root certificate authority made with OpenSSL. It's file-based, runs on RHEL, uses "serial" and "index.txt" etc.
Now in a lab environment we have added an intermediate standalone certificate authority using Active Directory Certificate Services, standalone (i.e. not an AD or domain member), running on Windows Server 2012 (all latest updates applied). We signed the intermediate CA with our root and ADCS is up and running successfully. But what we're finding is that we actually cannot issue any certs from this intermediate CA.
When we use the management console and attempt to issue a requested cert, the cert ends up in "Failed Requests" with the message:
Active Directory Certificate Services denied request 4 because The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK).
The request was for CN=obelisk.sand.idfconnect.lan, OU=IDFC, O="IDF Connect, Inc.", L=Wilmington, S=Delaware, C=US. Additional information: Error Constructing or Publishing Certificate Resubmitted by OBELISK\Administrator
If I look at the request, I can see the is defined as:
[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=file:////obelisk.sand.idfconnect.lan/CertEnroll/Obelisk Intermediate CA.crl (file:////obelisk.sand.idfconnect.lan/CertEnroll/Obelisk%20Intermediate%20CA.crl)
If I use IE to browse that file:// url, it pops open Windows Explorer, where I see the files I'd expect, i.e.
nsrev_Obelisk Intermediate CA.asp
Obelisk Intermediate CA.crl
Obelisk Intermediate CA+.crl
obelisk.sand.idfconnect.lan_Obelisk Intermediate CA.crt
Lastly, when I view the properties of the intermediate CA from the MMC, and look at its certificate, at the bottom of the details it says: "Extended Error Information: Revocation Status : The revocation function was unable to check revocation for the certificate."
Any advice to get this intermediate CA working greatly appreciated!
Add the public root certificate to the machine store (certlm.msc) trusted root certificate authorities.
Add the public root certificate CRL to the machine store (certlm.msc) trusted root certificate authorities.