infra
/
kubernetes
1
0
Fork 0
Code Pull Requests 4 Activity

step-ca: Re-deploy (again) with DCH CA R2 

Although most libraries support ED25519 signatures for X.509
certificates, Firefox does not.  This means that any certificate signed
by DCH CA R3 cannot be verified by the browser and thus will always
present a certificate error.

I want to migrate internal services that do not need certificates
that are trusted by default (i.e. they are only accessed programatically
or only I use them in the browser) back to using an internal CA instead
of the public *pyrocufflink.net* wildcard certificate.  For applications
like Frigate and UniFi Network, these need to be signed by a CA that
the browser will trust, so the ED25519 certificate is inappropriate.
Thus, I've decided to migrate back to DCH CA R2, which uses an EdDSA
signature, and can therefore be trusted by Firefox, etc.
etcd
Dustin 2024-04-05 13:03:34 -05:00
parent 5c34fdb1c6
commit 3ba83373f3
5 changed files with 39 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
dch-root-ca/dch-root-ca.crt
View File

@ -1,11 +1,12 @@
-----BEGIN CERTIFICATE-----
MIIBgTCCATOgAwIBAgIUTf/ZBSJEi8IQb8Ndoxp4/tHB/lcwBQYDK2VwMEAxCzAJ
BgNVBAYTAlVTMRgwFgYDVQQKDA9EdXN0aW4gQy4gSGF0Y2gxFzAVBgNVBAMMDkRD
SCBSb290IENBIFIzMB4XDTI0MDIxNzIwMjkzNloXDTM0MDIxNzIwMjkzNlowQDEL
MAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UEAwwO
RENIIFJvb3QgQ0EgUjMwKjAFBgMrZXADIQDORylVcWcxwGDJvsJIc2NctfNfDaIU
T6mLebahKdshaKM/MD0wHQYDVR0OBBYEFLZoxAHBvWqbLWMga/DAAlG9ido5MA8G
A1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMAUGAytlcANBANLV79joVd9s9bmL
0a91HqvOotOnN/416Ek4UTl95jIqy/TvTfRjXX56wSALXqP1iYQM5i3zk3gVEhh4
DaY+6wQ=
MIIBxDCCAWqgAwIBAgIUbHz2tssa09zsHk+EdGD3QKprMKQwCgYIKoZIzj0EAwQw
QDELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UE
AwwORENIIFJvb3QgQ0EgUjIwHhcNMjMwOTI0MjA1MzA5WhcNNDMwOTE5MjA1MzA5
WjBAMQswCQYDVQQGEwJVUzEYMBYGA1UECgwPRHVzdGluIEMuIEhhdGNoMRcwFQYD
VQQDDA5EQ0ggUm9vdCBDQSBSMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2D
NJHRcjuA19ZoprBKaxIfUxAbz6LigM7dgtO6+isaMlxRAVJmsITADIE/22RrUDgD
Ofkt2iZTUjMrz3AxXhWjQjBAMB0GA1UdDgQWBBTM+d8kb1koGmKRtJs4gN9zYa+6
oTASBgNVHRMBAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwIBBjAKBggqhkjOPQQDBANI
ADBFAiEA2Ka8mMiAFLmrFWt0dAml247re2+i4UPhyHcOBfNK+goCIHv+vEw7CHZQ
irIa697nfe4KiXIMwHlAMS1+1QZohFDC
-----END CERTIFICATE-----

11
step-ca/README.md
View File

@ -10,18 +10,19 @@ OpenID Connect, mTLS, and more.
## Offline Root CA
The *DCH Root CA R3* private key is managed externally from Step CA. It is
The *DCH Root CA R2* private key is managed externally from Step CA. It is
stored offline (on a flash drive in a fireproof safe). Only the CA certificate
is used by the online CA service, where it is provided to clients to include in
as a trust anchor in their respective certificate stores.
*DCH Root CA R3* replaces *DCH Root CA R2*, which never ended up being used,
and *DCH Root CA R1*, which has not been used for some time.
*DCH Root CA R2* replaces *DCH Root CA R1*, which has not been used for some
time. *DCH Root CA R3* also exists, but it is based on an ED25519 signature,
which is not supported by Firefox.
## Online Intermediate CA
Step CA manages the *DCH CA R3* intermediate certificate authority. The
Step CA manages the *DCH CA R2* intermediate certificate authority. The
private key for this CA is stored in the `intermediate_ca.key` file, encrypted
with the password in `password`. This key pair is needed by the online CA to
sign end-entity certificates.
@ -29,7 +30,7 @@ sign end-entity certificates.
### ACME Provisioner
Hosts can obtain certificates signed by *DCH CA R3* using the ACME protocol.
Hosts can obtain certificates signed by *DCH CA R2* using the ACME protocol.
The CA will only sign certificates for names that map to addresses controlled
by the requesting client. For most machines, that means they can only get a
certificate for their hostname. Other names can be added using DNS CNAME

24
step-ca/intermediate_ca.crt
View File

@ -1,15 +1,13 @@
-----BEGIN CERTIFICATE-----
MIICTzCCAgGgAwIBAgIUDNTFsSYYl8xsEcg9kTatxvOSkmUwBQYDK2VwMEAxCzAJ
BgNVBAYTAlVTMRgwFgYDVQQKDA9EdXN0aW4gQy4gSGF0Y2gxFzAVBgNVBAMMDkRD
SCBSb290IENBIFIzMB4XDTI0MDIxNzIwMjk0M1oXDTI1MDIxNzIwMjk0M1owOzEL
MAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDESMBAGA1UEAwwJ
RENIIENBIFIzMCowBQYDK2VwAyEA50stJ8iW6/f+uECPxAJwpSfQDRQg4/AgKJY2
lpd3uNijggEQMIIBDDAdBgNVHQ4EFgQUtiqtFaZZ/c4IfWXV5SjJIOPbmoowHwYD
VR0jBBgwFoAUtmjEAcG9apstYyBr8MACUb2J2jkwEgYDVR0TAQH/BAgwBgEB/wIB
ADALBgNVHQ8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMEwG
CCsGAQUFBwEBBEAwPjA8BggrBgEFBQcwAoYwaHR0cHM6Ly9kdXN0aW4uaGF0Y2gu
bmFtZS9kY2gtY2EvZGNoLXJvb3QtY2EuY3J0MDwGA1UdHwQ1MDMwMaAvoC2GK2h0
dHBzOi8vZHVzdGluLmhhdGNoLm5hbWUvZGNoLWNhL2RjaC1jYS5jcmwwBQYDK2Vw
A0EAACaKAJAKejpFXQV+mgPdDXaylvakc4rCEs1pFhPXbbMMGflNOeiiy+c+aMwt
yfObaZ8/YiXxCSjL6/KzRSSjAQ==
MIICCTCCAa+gAwIBAgIUZx82NjARN6f1jWUlq/mvaF7oscEwCgYIKoZIzj0EAwIw
QDELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UE
AwwORENIIFJvb3QgQ0EgUjIwHhcNMjMxMDE2MDU0MTA4WhcNMjYxMDE2MDU0MTA4
WjAUMRIwEAYDVQQDEwlkY2gtY2EgUjIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
AAQ1rK98igj6Y5lbeP8HS1zqQCtkcmz8uk1jp4VgznWT3Q8BanjA55UHQi/xx4xz
BYu4QIkJhtqcR5a7YXSr7fQvo4GyMIGvMB0GA1UdDgQWBBQGy1GZZxrCjGDiIGdR
YhTMZZqhkTAfBgNVHSMEGDAWgBTM+d8kb1koGmKRtJs4gN9zYa+6oTASBgNVHRMB
Af8ECDAGAQH/AgEAMAsGA1UdDwQEAwIBhjBMBggrBgEFBQcBAQRAMD4wPAYIKwYB
BQUHMAKGMGh0dHBzOi8vZHVzdGluLmhhdGNoLm5hbWUvZGNoLWNhL2RjaC1yb290
LWNhLmNydDAKBggqhkjOPQQDAgNIADBFAiEAovkqUlWkbRXsoHrDv1AfHdox9gS2
Fdq9wKfDk7H/aPoCIDs4CJBhdPh/a+HZZRQWxBTT3KbbdXAaiT+g/VyD+0qt
-----END CERTIFICATE-----

19
step-ca/root_ca.crt
View File

@ -1,11 +1,12 @@
-----BEGIN CERTIFICATE-----
MIIBgTCCATOgAwIBAgIUTf/ZBSJEi8IQb8Ndoxp4/tHB/lcwBQYDK2VwMEAxCzAJ
BgNVBAYTAlVTMRgwFgYDVQQKDA9EdXN0aW4gQy4gSGF0Y2gxFzAVBgNVBAMMDkRD
SCBSb290IENBIFIzMB4XDTI0MDIxNzIwMjkzNloXDTM0MDIxNzIwMjkzNlowQDEL
MAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UEAwwO
RENIIFJvb3QgQ0EgUjMwKjAFBgMrZXADIQDORylVcWcxwGDJvsJIc2NctfNfDaIU
T6mLebahKdshaKM/MD0wHQYDVR0OBBYEFLZoxAHBvWqbLWMga/DAAlG9ido5MA8G
A1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMAUGAytlcANBANLV79joVd9s9bmL
0a91HqvOotOnN/416Ek4UTl95jIqy/TvTfRjXX56wSALXqP1iYQM5i3zk3gVEhh4
DaY+6wQ=
MIIBxDCCAWqgAwIBAgIUbHz2tssa09zsHk+EdGD3QKprMKQwCgYIKoZIzj0EAwQw
QDELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UE
AwwORENIIFJvb3QgQ0EgUjIwHhcNMjMwOTI0MjA1MzA5WhcNNDMwOTE5MjA1MzA5
WjBAMQswCQYDVQQGEwJVUzEYMBYGA1UECgwPRHVzdGluIEMuIEhhdGNoMRcwFQYD
VQQDDA5EQ0ggUm9vdCBDQSBSMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2D
NJHRcjuA19ZoprBKaxIfUxAbz6LigM7dgtO6+isaMlxRAVJmsITADIE/22RrUDgD
Ofkt2iZTUjMrz3AxXhWjQjBAMB0GA1UdDgQWBBTM+d8kb1koGmKRtJs4gN9zYa+6
oTASBgNVHRMBAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwIBBjAKBggqhkjOPQQDBANI
ADBFAiEA2Ka8mMiAFLmrFWt0dAml247re2+i4UPhyHcOBfNK+goCIHv+vEw7CHZQ
irIa697nfe4KiXIMwHlAMS1+1QZohFDC
-----END CERTIFICATE-----

4
step-ca/secrets.yaml
View File

@ -10,8 +10,8 @@ metadata:
app.kubernetes.io/part-of: step-ca
spec:
encryptedData:
intermediate_ca.key: AgA4MOOCi8WvBSqyGw6T1wrK7zGgC7kvHYNpgZpZlBq3ZcW4l2d/huT7SbpIUQZN8OhLsgsZqK73VisFRsTG//KrMsJ+CCv6DSpaoEEL0LzUFWVldK27oZ3CDfAo6pZS50M8DSzcA7foxvw7++DSnytS9ken6qu2Azf3iFOFetES23XMT7IIFfcJz+qgBVGIOrxYULj19Y3EZD++kgRM22pCSrnoOQHJV3DOE6SjMZfg9Nhbg7Z5jrpsoM5w7QXd3g8jfsOS0Yv+95CL5SgTtJBAPqVi/2bK7nPuQxGFBy/qhwktzeeagOgFwe5McnEL0aB8K7GQEhOeIiHNSf/AAffronCdGapHQcthAA9CD3P4qXHogiY6x6JgqOXaZ3/BNF4gIlEJoJV36Z51BZUpZLakqOcxw2XNungITq4XMZqUybyqq/oHZEjcqqwSgeHtGJ7aaCAdV1AK4J8kNYXSs0+JcKU+1BzCDTB2YY1nT3uXz5g2d6eLlAe3S6pLDBdZGfyXv4e/nS9ouhdQm9qknNt2hqLAkm5u2g0C6MWYqgCKKdWQBg0JrLvN799zOj5FOGFOEa+gA2t6WwpVeiuo/6Xhn2WtkU710cXdblROM/DWoiI7YUxG4GsmzZOG/1TsbGTPoP1+evxD+VxCIOag6yxBCHnrpUVyCwdp7GLH/+72KyKClhJLb/ub/MKKVTlsWk0JhP3EhfvChO4tbeFMjeGt7afuKKghRt3ZXjAAZFW28qx5oLvirRoUSKOdEU+jE0RWFFeB0Qac9Hz9BFM5iAhdlcpGOOi5bGeMqR/nGlTRV9oUENeopiHBvVXfXr88yumVDE7FzXy4RyC4hypQFddS7kVR3MYoA9c6hWrCAAiuooOKa1JhdfhdlvlQij9PAJW921ClBBXcB2ykcivcrJd6GPAzCHOj6cQjUDeTwarKqZGf1PdtNnCsU1r1V0MOqyuhNjZZ4ZoGEGlq3r3TJY8Hh/+w//ZTpbvHpTUD2rhQjXuVyzqBpU2z5SoFt23U7sV/8+LizZMKfJl9fveJU/CbZ3bGC756ZhpHykbX7bgy9Q0iBg9ke1w+7lepsZVZKhlfnQ==
password: AgAspVB0c402ymidL6YoRTRtmPekLZHlQXtZecftoakjm75OArueAnH+1dquknV4MJ7g8XUVLkguh4lKkNPxjCs2Jen5UM+aSxoqii/2KdTAIb1WINebDOhyj3lY8aZw9+qeDfc5590+x+8jASwm7rVf6QfGygdjwQ6D6xeNUC7xwU3bC8xH9mHq2wSKbI6iGAik4Di7Ma4bvm/nTNfB+Ogb7rdLoJsvDDFbZ1io3wWNJGsWleged2HRPPwkmGq7pkxE2xUpjgbqeWX0y8RbNLC6DwsE3mUce9hanfLvxJVCDMnbUKfUYUxULBMFpheT6lmyz1YgFu+NiuSFvX3An4PNfgeQ2Hl931qfoG9h2kX4wyYcJt0ELZ2tdcrSS7zWgNNx450LuWmGQPvhApLhH2U7CUsSrjbWS/NZKMHuZryp0sEtykoEOOtNezU5slSY/0aB9XWFDu78RaYJOZy1VqGy+ulWkhCFv+3D2MEF6JJXmI4RNTdWmUQx1hr85uTS9Xi6stovkLMHxrEJfDI581yZv7Z9DrSssp5U4Ydf3gjKN7UTgFXrSz25R7SJ4lYso7yHhka9L2YMuIuPS7iPg1F+RPjiG6KAxP3roqRfeMXP3LoDn/21pYsO1QNrq2fBLXaO8Wq0hRXaICZzGveWdeM8sIbjBNqxjb50YtmkF/bDI8BY/sogPWitzDDyNU3bVS5Qyl0AaTHasGzJ9Es26Q4C0GHLd3iVQq0GTSsmtUbZGg==
intermediate_ca.key: AgBArqvWXQHJwubw/7jOBtErH4BNpq+B1nsoTuhsmmE7COhRROko9wwYcfLfeJHkul1uXmp6JNmAde2xs6uJlbHwTDIRlUld2tAo2O20PHaDNq8/poqkk7LNnvjbwC73tul+Gxiot8WEfFM4eP98wYHePrX6q0/LAzyH/6Js8YgBKzLt4sIRi5E49m0C2s9uy5u1e3DcHNZTIlkntYi8zNmk+QEBHkqkeqvdGZ+yqH5e78AasF4qPfKw7WoFm3PH2/tKRfDpBXfvdTxrRy9FzqmmhdGVmbaeQcJ+Yl8H6qNd1BiqpAPkIDwAC9/LfH4Sd/iM59TdeOKsZpvEJZOyWLm1KbJz13wPfnGs/QvArwtuA95UQfzPYGFx9qur/nz3nsBvTvqFyAU+QHGSOnjig5ZppIb+Yr9foWuSqDV0qcfXEdjLzyc19lzS1e+itRLR1414Maaru4poPcg7xUQCs88oGvYAUi27p8xRXynGXtZwTK/GSWXFGxkzw1DtVcbGa/P23sCSnMLOsrajvvJYD2aCHZ6fKSUT+tddCoZhohM112uA6wNWBUx00uFgWUGZloe6MPVHnCStAwBxClXi+pREnSEk091nuSYzsTZarweUOJs8tLO2g2bEQ2BQCsCMbkNLjc6SSJa+Lu2Yb7uCUdwbLAZDf289f8SGmzsf/C7/Xbcmu0smrf5bb6ZUnacrWtCgrnPRJNMSXCY51awo3cj9c3X/v6pQVbjj+fTxDUIIaI9OcfvPJksapgsR8Olqffi8SlN3fvETOmVGVNAK11xy7qMmpz9Fck3z93NXUDNHMxteVic+8aHZgwv4wh+ixMldtCBiGWciavKWd7APSQjyvDwT4tTIi7QWa78+CBz/0Z3eDwDUHt5ryXlWeYRufrOTsGQJ9cfQgr8STgC00oghUaAtZ8y3cIOdVrwDCe1Yi9Dp2KlxzLLa+zYdagbmb8ygOZg65yW0Oy3q+sD1MSkrUQi/RDPjRB8kF+4t2MIZ00jQ7geIkhnh3TvislEqHbV5ZjKBZ2Gw4An+q4CB4EtM0DYKGGw7xvPyCqvs9E7WzSxyGL8+dNkEw/jASoHwJcufaXDXFgENuLn7OyCpsMMBZYti+V9SIOTNOQ==
password: AgAnwKicJ7yut9B3J22XYdqzGzHxh3kXCAozIZu9v1IxSTWb1txkF1aJM64ooog/IpUtoF88v6XzGTDDsAsbXtQbu7Y2s77zQXIOIj+Vri2kZAQyRdCDa70heUdPxo9haIizZvtJHH+dRxVqQ+YSXpPlbLag46RMvMHlUZjbPLxwTrOWVwHW2uVJJke7RiB99z1xOIV8nlD0NjdH9Ig1pnUikm4+GfiZBw/PjieYbjk5U8IABBfx1jjJPLFk2TlzsCyz8JyGr+Gf8DvCxRS43Wwtbn0ks2aFn/eZBMHK+XatjImtYSNUa4eIbjHD1RdQ03yZy83D8LdpYMl+z3PLYLrdIDkv7VBT875KjHoYGIMdjSkuNHuooOcdyJrN7bMRpODfzTXREoiY+4p1wHbLlOXOubxY/ULV6FAIMe9RSWVhmWMxV1INYwZuoNUr2pa29rBrIinF8Hc5Kcr2lhEZ9kpnrkC4MFpMjdW7QsOhpFnW2hIE2xWXc/vZgQ6q+8jJrMQwwrGcn+CEaFTSoVsXYaBwUnsOzMCNyHaNfyX03eQE9wNlXz0dppGoHJpb5ny+fviMhFS6kEXiieElRaTL8erGr0Ivtn+St5RaqD8mDpP36YrQ8YWpTMoyLSllRG4X1hiCorcjevZq2pJuP5+hs0HhtVW9vZS3iLGzHzjqyMJDvlml6Xd+AyvoylC38uncivF8NtHhIoeAgzlOZjYRxodPkLxAOfoVTlCzMexH+fsShwM=
template:
metadata:
name: step-ca