This repository has been archived by the owner on Sep 30, 2020. It is now read-only.

Create unique CN for generated CA certificates #463

Closed
ddz opened this issue Mar 26, 2017 · 2 comments
Labels
awaiting reply, good first issue, help wanted
Milestone

Comments

ddz commented Mar 26, 2017

When creating multiple test clusters, the generated self-signed CA certificates can confuse clients like Chrome because they all have the same CN. It also becomes difficult to trust these individual root CA certificates in various client software. This can be reproduced simply by creating two clusters with self-generated certificates: trying to log into the web dashboard of the second cluster will fail with HSTS errors because the CA is invalid (not just untrusted).

If the CNs of the generated CA certificates were unique, client software would have an easier time dealing with them. I would propose putting the given fqdn or some other unique information into the CN for the generated CA certificate.
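The problem described in the issue, as an added Go example that is not kube-aws code: `newCA` builds a self-signed CA with a caller-chosen CN (embedding the cluster FQDN as proposed), and `duplicateCASubjects` reports when a set of CAs share a subject DN, which is the ambiguity clients hit when every cluster reuses the same CN. The `kube-ca-<fqdn>` naming scheme is an assumption for illustration only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCA issues a self-signed CA with the given CN (hypothetical helper, not kube-aws code).
func newCA(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway key, never persisted
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial, // a unique serial alone does not help clients that cache CAs by subject
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// duplicateCASubjects returns subject DNs shared by more than one CA: the ambiguity the issue describes.
func duplicateCASubjects(cas []*x509.Certificate) []string {
	seen := map[string]int{}
	var dups []string
	for _, c := range cas {
		dn := c.Subject.String()
		if seen[dn]++; seen[dn] == 2 {
			dups = append(dups, dn)
		}
	}
	return dups
}
```

With per-cluster CNs the check returns nothing; with the shared `kube-ca` CN it flags `CN=kube-ca`, which is the condition to watch for in a trust store holding several cluster CAs.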

@mumoshu mumoshu added this to the backlog milestone May 12, 2017
Contributor

mumoshu commented May 12, 2017

@ddz Sorry for the long silence - and thanks for the feedback!
Your suggestion sounds nice.
However, for my education, would you mind telling me how you are exposing your kube-dashboard?
Personally, I've been using kubectl proxy for accessing the dashboard and never thought of adding certs as trusted.

Author

ddz commented May 31, 2017

I was using https://github.com/coreos/tectonic-installer and traced the certificate creation to this upstream project. The kube dashboard was directly exposed to the Internet from AWS, which isn't the greatest idea security-wise, but being able to trust the generated certificate in the browser makes it slightly better.

@mumoshu mumoshu added the good first issue and help wanted labels Nov 22, 2017
sonant added a commit to sonant/kube-aws that referenced this issue Dec 5, 2018
all self-signed CAs have the same CN and this can confuse clients like
Chrome. Now we can set a different CN

Fixes kubernetes-retired#463
davidmccormick pushed a commit that referenced this issue Dec 10, 2018
all self-signed CAs have the same CN and this can confuse clients like
Chrome. Now we can set a different CN

Fixes #463
kevtaylor pushed a commit to HotelsDotCom/kube-aws that referenced this issue Jan 9, 2019
all self-signed CAs have the same CN and this can confuse clients like
Chrome. Now we can set a different CN

Fixes kubernetes-retired#463