OpenSSL configuration file

  1. Default location of the OpenSSL configuration file on Ubuntu 18.04.2 LTS: /usr/lib/ssl/openssl.cnf and /etc/ssl/openssl.cnf
  2. subjectAltName (SAN, Subject Alternative Name): subjectAltName specifies additional subject identities
  3. basicConstraints = critical, CA:TRUE --- The _Basic Constraints_ extension is used to mark certificates as belonging to a CA, giving them the ability to sign other certificates. Non-CA certificates will either have this extension omitted or will have the value of CA set to FALSE. This extension is critical, which means that all software consuming certificates must understand its meaning.
  4. Generate the root CA.

    Generate the RSA private key (unencrypted):

    ```bash
    openssl genrsa -out ca.key 2048
    ```

    Generate a self-signed certificate from the existing private key:

    ```bash
    openssl req -x509 -new -nodes -key ca.key -days 10000 -out ca.pem -subj "/CN=kubernetes/O=k8s"
    ```

    The genrsa command generates an RSA private key.

    Option descriptions:

    -new generates a certificate request
    -x509 outputs a certificate directly; this option outputs a self signed certificate instead of a certificate request.

      This is typically used to generate a test certificate or a self signed root CA. The extensions
      added to the certificate (if any) are specified in the configuration file. Unless specified using
      the set_serial option, a large random number will be used for the serial number.

    -key specifies the private key file
    -days sets the certificate validity period, here 10000 days
    -out the certificate file written when the command finishes
    -subj the certificate owner information; here the values of CN and O are given

    Important: CN and the key parameters

    Setting CN and O through -subj matters, because Kubernetes takes the user name and the user's group from these two values of the certificate, as follows:
    "CN": Common Name; kube-apiserver extracts this field from the certificate as the user name (User Name) of the request; browsers use this field to check whether a website is legitimate;
    "O": Organization; kube-apiserver extracts this field from the certificate as the group (Group) the requesting user belongs to.

    Generate a certificate signing request (CSR) for an existing private key:

    ```bash
    openssl req -new -key apiserver.key -out apiserver.csr -subj "/CN=kubernetes/O=k8s" -config openssl.cnf
    ```

    -config filename: this allows an alternative configuration file to be specified; this overrides the compile time filename or any specified in the OPENSSL_CONF environment variable.

    Sign the child certificate using your own "CA" certificate and its private key. If you were a CA company, this shows a very naive example of how you could issue new certificates:

    ```bash
    openssl x509 -req -in apiserver.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out apiserver.pem -days 3650 -extensions v3_req -extfile openssl.cnf
    ```

    -req: by default a certificate is expected on input. With this option a certificate request is expected instead.

    -in filename: this specifies the input filename to read a certificate from, or standard input if this option is not specified.

    -CA filename: specifies the CA certificate to be used for signing. When this option is present x509 behaves like a "mini CA". The input file is signed by this CA using this option: that is, its issuer name is set to the subject name of the CA and it is digitally signed using the CA's private key.

    -CAkey filename: sets the CA private key to sign a certificate with. If this option is not specified then it is assumed that the CA private key is present in the CA certificate file.

    -CAcreateserial: with this option the CA serial number file is created if it does not exist: it will contain the serial number "02" and the certificate being signed will have 1 as its serial number. Normally if the -CA option is specified and the serial number file does not exist it is an error.

    -extensions section: the section to add certificate extensions from.

    -extfile filename: file containing certificate extensions to use. If not specified then no extensions are added to the certificate.
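The CA and signing commands above, together with the verification steps listed below, as one runnable added example (not code from the original notes). It assumes the openssl CLI is on PATH; the openssl.cnf, subject names and SAN values are constructed for the demonstration, and the v3_req section carries CA:FALSE plus a subjectAltName so you can see them land in the signed certificate.

```shell
#!/bin/sh
# Added example, not from the original notes: build a throwaway CA in a temp directory,
# sign an apiserver certificate with the SAN and CA:FALSE extensions from a constructed
# openssl.cnf, then run the checks from the notes. Assumes the openssl CLI is on PATH.
set -eu

make_pki() {   # $1 = working directory; writes ca.key, ca.pem, apiserver.{key,csr,pem}
  cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_req ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:kubernetes, DNS:kubernetes.default.svc, IP:10.96.0.1
EOF
  ( cd "$1"
    openssl genrsa -out ca.key 2048 2>/dev/null                  # root CA key
    openssl req -x509 -new -nodes -key ca.key -days 3650 -out ca.pem \
      -subj "/CN=kubernetes-ca/O=k8s" -config openssl.cnf -extensions v3_ca
    openssl genrsa -out apiserver.key 2048 2>/dev/null           # leaf key + CSR
    openssl req -new -key apiserver.key -out apiserver.csr \
      -subj "/CN=kube-apiserver/O=k8s" -config openssl.cnf
    openssl x509 -req -in apiserver.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -out apiserver.pem -days 365 -extensions v3_req -extfile openssl.cnf 2>/dev/null )
}
# Leaf must chain to the CA; without CA:TRUE on ca.pem this is where verification fails.
verify_chain() { ( cd "$1" && openssl verify -CAfile ca.pem apiserver.pem >/dev/null ); }
# Key, CSR and certificate must carry one and the same RSA modulus.
moduli_match() {
  k=$(openssl rsa  -noout -modulus -in "$1/apiserver.key" | openssl sha256)
  r=$(openssl req  -noout -modulus -in "$1/apiserver.csr" | openssl sha256)
  c=$(openssl x509 -noout -modulus -in "$1/apiserver.pem" | openssl sha256)
  [ "$k" = "$r" ] && [ "$k" = "$c" ]
}
# Textual dump of the signed cert; shows that the v3_req extensions were really applied.
cert_text() { openssl x509 -in "$1/apiserver.pem" -noout -text; }

demo() {   # stand-alone run: build, check, show the relevant extension lines, clean up
  d=$(mktemp -d); make_pki "$d"
  verify_chain "$d" && moduli_match "$d" && cert_text "$d" | grep -E 'CA:|DNS:|IP Address'
  rm -rf "$d"
}
demo
```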

  1. Print textual representation of the certificate:
    openssl x509 -in ca.crt -text -noout

  2. Verify that a private key matches a certificate and CSR (the modulus hashes must be identical):
    openssl x509 -noout -modulus -in ca.crt | openssl sha256
    openssl rsa -noout -modulus -in ca.key | openssl sha256

  3. Verify CSR
    openssl req -in apiserver-etcd-client.csr -verify

  4. Verify child certificate
    openssl verify -CAfile etcd/ca.crt apiserver-etcd-client.crt

  5. Verify self-signed root certificate

    1. sudo mkdir /usr/share/ca-certificates/extra

    2. sudo cp rootcert.pem /usr/share/ca-certificates/extra/rootcert.crt

    3. sudo dpkg-reconfigure ca-certificates

    4. sudo update-ca-certificates

    5. openssl verify rootcert.crt

  7. Blogs

  8. Openssl.conf Walkthru

  9. x509v3_config - X509 V3 certificate extension configuration format
