c12s-kubespray/roles/network_plugin/calico/files/openssl.conf

req_extensions = v3_req
distinguished_name = req_distinguished_name

[req_distinguished_name]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment

[ ssl_client ]
extendedKeyUsage = clientAuth, serverAuth
basicConstraints = CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

[ v3_ca ]
basicConstraints = CA:TRUE
keyUsage = cRLSign, digitalSignature, keyCertSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer

[ ssl_client_apiserver ]
extendedKeyUsage = clientAuth, serverAuth
basicConstraints = CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName = DNS:calico-api.calico-apiserver.svc
Generate TLS certs for calico typha (#5258) * Generate TLS certs for calico typha Change-Id: I3883f49c124c52d0fc5b900ca2b44e4e2ed0d707 * Add group vars note Change-Id: I63550dfef616e884efdbd42010a90b2c04c5eb69 2019-10-17 14:02:38 +00:00			`req_extensions = v3_req`
			`distinguished_name = req_distinguished_name`

			`[req_distinguished_name]`

			`[ v3_req ]`
			`basicConstraints = CA:FALSE`
			`keyUsage = digitalSignature, keyEncipherment`

			`[ ssl_client ]`
			`extendedKeyUsage = clientAuth, serverAuth`
			`basicConstraints = CA:FALSE`
			`subjectKeyIdentifier=hash`
			`authorityKeyIdentifier=keyid,issuer`

			`[ v3_ca ]`
			`basicConstraints = CA:TRUE`
			`keyUsage = cRLSign, digitalSignature, keyCertSign`
			`subjectKeyIdentifier=hash`
			`authorityKeyIdentifier=keyid:always,issuer`
Add subjectAltName to calico-apiserver certificate (#8907) * Add AltName to calico-apiserver certificate * fix support for centos7 openssl 2022-06-06 14:38:23 +00:00
			`[ ssl_client_apiserver ]`
			`extendedKeyUsage = clientAuth, serverAuth`
			`basicConstraints = CA:FALSE`
			`subjectKeyIdentifier=hash`
			`authorityKeyIdentifier=keyid,issuer`
			`subjectAltName = DNS:calico-api.calico-apiserver.svc`