I have a certificate that I use for HTTPS on a web server and I would like to use my Puppet master to sign the certificate. I have the certificate generated, but I do not know how to interact with the Puppet master. How can I sign an external certificate with the Puppet master?
Thanks in advance,
Related
My service (with no ingress) is running in the Amazon EKS cluster and I was asked to provide a CA-signed cert for a third party that consumes the API hosted in the service. I have tried provisioning my cert using the certificates.k8s.io API, but it is still self-signed, I believe. Is there a CA that provides certification for services in the Kubernetes cluster?
Yes, certificates created using the certificates.k8s.io API are signed by a dedicated CA. It is possible to configure your cluster to use the cluster root CA for this purpose, but you should never rely on this. Do not assume that these certificates will validate against the cluster root CA.
Refer to this: Certificate Signing Request Process
I'm trying to create a self-signed certificate on a Windows Server 2012 R2 machine using PowerShell. The intent is to redirect traffic from HTTP to HTTPS.
a. Do we always need a self-signed root certificate before we create a client certificate? If yes, how do we repurpose an existing self-signed root certificate?
b. If we are using the existing self-signed root certificate to create a client certificate, the PowerShell commands that I see are not compatible with Windows Server 2012 R2. Can someone share the version-specific commands?
You can create a self-signed certificate with this command in Server 2019:
https://learn.microsoft.com/en-us/powershell/module/pki/new-selfsignedcertificate?view=windowsserver2019-ps
You can try the PSPKI module on Server 2012 R2:
https://github.com/PKISolutions/PSPKI
It contains the command New-SelfSignedCertificateEx that creates a self-signed cert.
A bunch of other methods to create self-signed certs: https://medium.com/the-new-control-plane/generating-self-signed-certificates-on-windows-7812a600c2d8
In IIS you need to bind the certificate to your website. The certificate will not be trusted by your clients because it is self-signed. However, you can import the self-signed certificate to your client's local certificate store.
In case you want to build a proper environment, a PKI is needed.
https://social.technet.microsoft.com/wiki/contents/articles/11750.adcs-step-by-step-guide-single-tier-pki-hierarchy-deployment.aspx
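As an added illustration of the answer above (example code, not from the thread or the PSPKI project), this reuses an existing self-signed root to issue a leaf certificate and binds it in IIS with the built-in PKI and WebAdministration modules. It assumes `New-SelfSignedCertificate -Signer`, which exists on Server 2016/2019 (the 2019 docs linked above), not on 2012 R2; `$RootThumbprint` and `$SiteName` are placeholders you must fill in.

```powershell
# Added example: issue a leaf certificate from an existing self-signed root and bind it in IIS.
# Assumption: the root already lives in Cert:\LocalMachine\My with its private key.
$RootThumbprint = 'REPLACE_WITH_ROOT_THUMBPRINT'   # placeholder
$SiteName       = 'www.example.com'                # placeholder host name

$root = Get-Item -Path "Cert:\LocalMachine\My\$RootThumbprint"
if (-not $root.HasPrivateKey) { throw 'The root private key is required to sign with it' }

# If you have no root yet, create one instead of the lookup above (CA=true, CertSign usage):
# $root = New-SelfSignedCertificate -Type Custom -Subject 'CN=Lab Root' -KeyUsage CertSign `
#     -KeyExportPolicy Exportable -CertStoreLocation Cert:\LocalMachine\My `
#     -TextExtension @('2.5.29.19={text}CA=true') -NotAfter (Get-Date).AddYears(10)

# Leaf certificate for HTTPS: serverAuth EKU (1.3.6.1.5.5.7.3.1). clientAuth (1.3.6.1.5.5.7.3.2)
# is included so the same cert can also be presented as a client certificate if needed.
$leaf = New-SelfSignedCertificate -Type Custom -Signer $root `
    -Subject "CN=$SiteName" -DnsName $SiteName `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2') `
    -CertStoreLocation Cert:\LocalMachine\My -NotAfter (Get-Date).AddYears(1)

# Clients (and this server itself) only trust the leaf once the root's public part
# is in their Trusted Root store. Export only the public certificate, never the key.
$rootFile = Join-Path $env:TEMP 'lab-root.cer'
Export-Certificate -Cert $root -FilePath $rootFile | Out-Null
Import-Certificate -FilePath $rootFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Bind the leaf to the IIS site on 443 (what the answer calls "bind the certificate to your website").
Import-Module WebAdministration
New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https
$binding.AddSslCertificate($leaf.Thumbprint, 'My')
```

Remote clients still need the exported lab-root.cer imported into their own Trusted Root store, as the answer notes; without it the browser warning remains.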
Quick question: in Rancher, is it possible to use Let's Encrypt to sign the k8s TLS certs (etcd, kube-api, etc.)? I have a compliance requirement to sign my k8s environment with a valid trusted CA chain.
Yes, it is actually one of the recommended options for the source of the certificate used for TLS termination at the Rancher server:
Let’s Encrypt: The Let’s Encrypt option also uses cert-manager. However, in this case, cert-manager is combined with a special Issuer for Let’s Encrypt that performs all actions (including request and validation) necessary for getting a Let’s Encrypt issued cert.
In the links below you will find a walkthrough showing how to:
- Install cert-manager
- Install Rancher with Helm and Your Chosen Certificate Option
This option uses cert-manager to automatically request and renew Let’s Encrypt certificates. This is a free service that provides you with a valid certificate as Let’s Encrypt is a trusted CA.
Please let me know if that helped.
We're using a Service Fabric secure cluster and need a client certificate for CI/CD tools.
I've created both the cluster primary certificate and the client certificate with this script https://gist.github.com/kagarlickij/d63a4061a1066d3a85abcc658f0856f5
so both have been uploaded to the same Key Vault and both have been installed in the local keystore on my machine.
I've added the client certificate to my Fabric security settings (Authentication type = Admin client, Authorization method = Certificate thumbprint).
The problem is that I can connect (I'm using Connect-ServiceFabricCluster in PowerShell) to the Fabric cluster with the cluster primary certificate but can't with the client certificate.
I'm getting this error: Connect-ServiceFabricCluster : FABRIC_E_SERVER_AUTHENTICATION_FAILED: 0x800b0109
Please advise what can be done?
Based on this link, the corresponding error code for 0x800b0109 is:
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
You're using a self-signed certificate as the client cert. I'm not sure it's supported, as explained in the Service Fabric Security documentation; moreover, you'll have to make sure the SSL certificate has been added to your local store.
Client X.509 certificates
Client certificates typically are not issued by a third-party CA. Instead, the Personal store of the current user location typically contains client certificates placed there by a root authority, with an Intended Purposes value of Client Authentication. The client can use this certificate when mutual authentication is required.
Note: All management operations on a Service Fabric cluster require server certificates. Client certificates cannot be used for management.
I had the same issue managing my cluster through PowerShell. I only had 1 cert on the cluster (the one Azure generates when creating the cluster) and I believe it is a client cert since I have to select it in my browser when managing the cluster.
Ultimately I had to add the self-signed cert to my Root certificate store (in addition to my Personal store where I already had it) to get the PowerShell module to stop complaining about it.
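The two answers above explain the failure (0x800b0109, an untrusted root) and the fix (place the self-signed cert in the Root store). This added example, not from the thread, reproduces that diagnosis with .NET's X509Chain, which is the same chain engine the trust provider uses, and applies the fix only when the chain status really is UntrustedRoot. `$ClusterThumbprint` is a placeholder for your own cert's thumbprint.

```powershell
# Added example: diagnose FABRIC_E_SERVER_AUTHENTICATION_FAILED (0x800b0109) for a self-signed
# cluster/client certificate and, if the cause is an untrusted root, trust it for this user.
# Assumption: the certificate is already installed in Cert:\CurrentUser\My.
$ClusterThumbprint = 'REPLACE_WITH_CLUSTER_CERT_THUMBPRINT'   # placeholder

$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $ClusterThumbprint }
if (-not $cert) { throw "Certificate $ClusterThumbprint not found in CurrentUser\My" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# A self-signed cert has no CRL/OCSP endpoint; revocation checking would only add noise here.
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$ok = $chain.Build($cert)

# Print every status the chain engine recorded; UntrustedRoot is the condition
# CryptoAPI surfaces as 0x800b0109 (CERT_E_UNTRUSTEDROOT).
if (-not $ok) {
    $chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
}

$untrustedRoot = $chain.ChainStatus | Where-Object {
    $_.Status -band [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::UntrustedRoot
}

if (-not $ok -and $untrustedRoot) {
    # For a self-signed cert the root IS the cert itself. Add only the public part
    # (X509ContentType::Cert exports no private key) to the user's Trusted Root store,
    # which is exactly what the second answer did by hand.
    $publicOnly = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
    $rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'CurrentUser')
    $rootStore.Open('ReadWrite')
    $rootStore.Add($publicOnly)
    $rootStore.Close()

    # Re-evaluate: a fresh chain build should now succeed.
    $chain.Build($cert)
}
```

Run the script as the same user that runs Connect-ServiceFabricCluster, since the CurrentUser Root store is per user.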
I have a website running on a shared hosting provider (i.e. without SSH access). cPanel is installed. Is it possible to install (and, just as importantly, renew) a Let's Encrypt certificate automatically without SSH access? Perhaps a cPanel plugin or cron job (for automatic renewals)?
Follow this tutorial for auto renewal: https://neurobin.org/docs/web/fully-automated-letsencrypt-integration-with-cpanel/
You can install a Let's Encrypt SSL certificate using cPanel SSL/TLS --> Install and Manage SSL for your site (HTTPS) --> Manage SSL Sites. To renew the certificate you need to regenerate it using your account key and the certificate provided by Let's Encrypt the first time. I have done that successfully on GreenGeeks shared hosting with the help of http://wayneoutthere.com/how-to-lets-encrypt-cpanel-shared-hosting/. You can use https://zerossl.com/free-ssl/#crt to generate certificates and copy them to cPanel.
You can try to install SSL on your domain through cPanel >> Security >> SSL.
If you are unable to find this in your cPanel then you need to install SSL on your domain through WHM.
You will need Let's Encrypt itself to be installed on the server before running any plugin or crontab job (especially that).
I doubt there is a way to do that without an SSH connection, especially on a shared server.