I'm trying to create a Kubernetes service that uses TLS (in order to be called from an admissionWebhook). Unfortunately, the service call fails with the following error message:
certificate relies on legacy Common Name field, use SANs instead
From what I gathered in different questions on SO and in Provide subjectAltName to openssl directly on the command line, I should add the -addext option to the OpenSSL command that generates the CSR.
As a consequence, I just updated my script to include it:
# generate a private key
openssl genrsa -out ./certs/server.key 2048
# generate a certificate signing request
openssl req -new -key ./certs/server.key -out ./certs/server.csr \
  -subj "/C=US/ST=CA/L=San Francisco/O=Acme Inc./CN=nginx-service.default.svc" \
  -addext "subjectAltName = DNS:nginx-service.default.svc"
# generate a certificate signed by the CA certificate
openssl x509 -req -days 365 -in ./certs/server.csr \
  -CA ./ca/server-ca.crt -CAkey ca/server-ca.key -set_serial 01 \
  -out ./certs/server.pem
But the DNS name does not show up when I inspect the certificate (openssl x509 -in ./certs/server.pem -text -noout):
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 1 (0x1)
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN = k3s-server-ca@1699974887
Validity
Not Before: Nov 14 15:44:54 2023 GMT
Not After : Nov 13 15:44:54 2024 GMT
Subject: C = US, ST = CA, L = San Francisco, O = Acme Inc., CN = nginx-service.default.svc
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
I'm running OpenSSL on a Mac: OpenSSL 3.1.3 19 Sep 2023 (Library: OpenSSL 3.1.3 19 Sep 2023)
What am I missing here?
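A way to reproduce the behaviour above and to carry the SAN through to the signed certificate, written as an added example rather than the asker's script; the throwaway CA, subjects and paths are constructed for the example:

```shell
#!/bin/sh
# Added example, not the script from the original post. Shows why the SAN
# requested with -addext is absent from the signed certificate and how to
# carry it through. CA, subjects and paths are constructed for the example.
set -eu

SAN="DNS:nginx-service.default.svc"

# Generate a throwaway EC CA (stand-in for the cluster CA in the question),
# a server key, and a CSR that carries the SAN extension.
make_csr() {
  dir="$1"
  mkdir -p "$dir"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key"
  openssl req -x509 -new -key "$dir/ca.key" -days 365 \
    -subj "/CN=example-ca" -out "$dir/ca.crt" 2>/dev/null
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=nginx-service.default.svc" \
    -addext "subjectAltName = $SAN" 2>/dev/null
}

# Sign the CSR exactly as in the question: `openssl x509 -req` ignores the
# extensions in the CSR, so the result is a v1 certificate with no SAN.
sign_without_san() {
  dir="$1"
  openssl x509 -req -days 365 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -set_serial 01 \
    -out "$dir/server-nosan.pem" 2>/dev/null
}

# Supply the extension again at signing time with -extfile. This works on
# OpenSSL 1.1.1 and 3.x; on 3.x, `-copy_extensions copy` would instead
# carry over whatever extensions the CSR already contains.
sign_with_san() {
  dir="$1"
  printf 'subjectAltName = %s\n' "$SAN" > "$dir/server.ext"
  openssl x509 -req -days 365 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -set_serial 02 \
    -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null
}

# Returns 0 when the certificate file lists the given DNS name as a SAN.
cert_has_dns_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}
```

Run `make_csr`, then both `sign_*` functions against the same directory and compare the two resulting certificates with `cert_has_dns_san`; only the one signed with the extension file satisfies the check that Kubernetes performs.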