Add subjectAltName to calico-apiserver certificate (#8907)
* Add AltName to calico-apiserver certificate * fix support for centos7 openssl
This commit is contained in:
parent
b2346cdaec
commit
a4f752fb02
2 changed files with 8 additions and 1 deletions
|
@ -18,3 +18,10 @@ basicConstraints = CA:TRUE
|
|||
keyUsage = cRLSign, digitalSignature, keyCertSign
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid:always,issuer
|
||||
|
||||
[ ssl_client_apiserver ]
|
||||
extendedKeyUsage = clientAuth, serverAuth
|
||||
basicConstraints = CA:FALSE
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer
|
||||
subjectAltName = DNS:calico-api.calico-apiserver.svc
|
||||
|
|
|
@ -87,7 +87,7 @@ elif [ $SERVICE == "apiserver" ]; then
|
|||
# calico-apiserver
|
||||
openssl genrsa -out apiserver.key {{certificates_key_size}} > /dev/null 2>&1
|
||||
openssl req -new -key apiserver.key -out apiserver.csr -subj "/CN=calico-apiserver" -config ${CONFIG} > /dev/null 2>&1
|
||||
openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out apiserver.crt -days {{certificates_duration}} -extensions ssl_client -extfile ${CONFIG} > /dev/null 2>&1
|
||||
openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out apiserver.crt -days {{certificates_duration}} -extensions ssl_client_apiserver -extfile ${CONFIG} > /dev/null 2>&1
|
||||
else
|
||||
echo "ERROR: the openssl configuration file is missing. option -s"
|
||||
exit 1
|
||||
|
|
Loading…
Reference in a new issue