Alwyays use sha256 when generating self-signed certs
When using LibreSSL 2.8.3 the generated certs are using SHA1. This
causes istiod to fail to start up due to changes in go 1.18 (see
golang/go#41682).

This also fixes the instructions for
https://istio.io/latest/docs/tasks/security/cert-management/plugin-ca-cert/
jacob-delgado authored and istio-testing committed Nov 28, 2022
1 parent ffb6edc commit 9142f03
Showing 1 changed file with 6 additions and 6 deletions.
12 changes: 6 additions & 6 deletions tools/certs/Makefile.selfsigned.mk
@@ -24,13 +24,13 @@ root-ca: root-key.pem root-cert.pem

root-cert.pem: root-cert.csr root-key.pem
@echo "generating $@"
@openssl x509 -req -days $(ROOTCA_DAYS) -signkey root-key.pem \
@openssl x509 -req -sha256 -days $(ROOTCA_DAYS) -signkey root-key.pem \
-extensions req_ext -extfile root-ca.conf \
-in $< -out $@

root-cert.csr: root-key.pem root-ca.conf
@echo "generating $@"
@openssl req -new -key $< -config root-ca.conf -out $@
@openssl req -sha256 -new -key $< -config root-ca.conf -out $@

root-key.pem:
@echo "generating $@"
@@ -51,15 +51,15 @@ root-key.pem:

%/ca-cert.pem: %/cluster-ca.csr root-key.pem root-cert.pem
@echo "generating $@"
@openssl x509 -req -days $(INTERMEDIATE_DAYS) \
@openssl x509 -req -sha256 -days $(INTERMEDIATE_DAYS) \
-CA root-cert.pem -CAkey root-key.pem -CAcreateserial\
-extensions req_ext -extfile $(dir $<)/intermediate.conf \
-in $< -out $@

%/cluster-ca.csr: L=$(dir $@)
%/cluster-ca.csr: %/ca-key.pem %/intermediate.conf
@echo "generating $@"
@openssl req -new -config $(L)/intermediate.conf -key $< -out $@
@openssl req -sha256 -new -config $(L)/intermediate.conf -key $< -out $@

%/ca-key.pem:
@echo "generating $@"
@@ -82,15 +82,15 @@ root-key.pem:

%/workload-cert.pem: %/workload.csr
@echo "generating $@"
@openssl x509 -req -days $(WORKLOAD_DAYS) \
@openssl x509 -sha256 -req -days $(WORKLOAD_DAYS) \
-CA $(dir $<)/ca-cert.pem -CAkey $(dir $<)/ca-key.pem -CAcreateserial\
-extensions req_ext -extfile $(dir $<)/workload.conf \
-in $< -out $@

%/workload.csr: L=$(dir $@)
%/workload.csr: %/key.pem %/workload.conf
@echo "generating $@"
@openssl req -new -config $(L)/workload.conf -key $< -out $@
@openssl req -sha256 -new -config $(L)/workload.conf -key $< -out $@

%/key.pem:
@echo "generating $@"
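Review bot: Certificates that were already generated with a SHA-1 signature are not rebuilt by this change, because the rules for `root-cert.pem`, `%/ca-cert.pem` and `%/workload-cert.pem` list only their CSR and key files as prerequisites, so make still treats an existing output as up to date. A comment above the `root-cert.pem` rule would cover this, for example `# -sha256 is explicit: LibreSSL 2.8.3 defaults to SHA-1, which Go 1.18 rejects; delete certs generated before this change and rebuild`, and users can confirm the result by checking the Signature Algorithm line of `openssl x509 -in root-cert.pem -noout -text`. The `-sha256` on the three `openssl req` lines only sets the digest of the CSR's own signature; the digest of the issued certificate comes from the `openssl x509 -req` lines. As a small style point, the workload rule writes `-sha256 -req` where the other two write `-req -sha256`. The `root-key.pem`, `%/ca-key.pem` and `%/key.pem` rules continue outside the visible hunks.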