VERIFIED [jsingh@localhost templates]$ oc get cm NAME DATA AGE jenkins-1-ca 1 28s jenkins-1-global-ca 1 28s jenkins-1-sys-config 0 28s jenkins-trusted-ca-bundle 1 9s ======================================================== 0) Pre-steps: create the directory layout that holds the entire custom CA structure: ~~~ [RootCA] $ cd /path/to/safe/storage/customCA $ mkdir -p example.net.ca/root-ca/{certreqs,certs,crl,newcerts,private} $ cd example.net.ca/root-ca $ chmod 700 private $ touch root-ca.index $ echo 00 > root-ca.crlnum $ openssl rand -hex 16 > root-ca.serial [IntermediateCA] $ cd /path/to/safe/storage/customCA $ mkdir -p example.net.ca/intermed-ca/{certreqs,certs,crl,newcerts,private} $ cd example.net.ca/intermed-ca $ chmod 700 private $ touch intermed-ca.index $ echo 00 > intermed-ca.crlnum $ openssl rand -hex 16 > intermed-ca.serial ~~~ 1) Create the RootCA config file as follows (path relative to /path/to/safe/storage/customCA): ~~~ $ cd example.net.ca/root-ca $ cat root-ca.cnf # # OpenSSL configuration for the Root Certification Authority. # # # Fallback value for the $ENV::CA_HOME references below when CA_HOME is not exported in the environment. CA_HOME = . 
RANDFILE = $ENV::CA_HOME/private/.rnd # # Default Certification Authority [ ca ] default_ca = root_ca # # Root Certification Authority [ root_ca ] dir = $ENV::CA_HOME certs = $dir/certs serial = $dir/root-ca.serial database = $dir/root-ca.index new_certs_dir = $dir/newcerts certificate = $dir/root-ca.cert.pem private_key = $dir/private/root-ca.key.pem default_days = 1826 # Five years crl = $dir/root-ca.crl crl_dir = $dir/crl crlnumber = $dir/root-ca.crlnum name_opt = multiline, align cert_opt = no_pubkey copy_extensions = copy crl_extensions = crl_ext default_crl_days = 180 default_md = sha256 preserve = no email_in_dn = no policy = policy unique_subject = no # # Distinguished Name Policy for CAs [ policy ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = supplied organizationalUnitName = optional commonName = supplied # # Root CA Request Options [ req ] default_bits = 4096 default_keyfile = private/root-ca.key.pem encrypt_key = yes default_md = sha256 string_mask = utf8only utf8 = yes prompt = no req_extensions = root-ca_req_ext distinguished_name = distinguished_name subjectAltName = @subject_alt_name # # Root CA Request Extensions [ root-ca_req_ext ] subjectKeyIdentifier = hash subjectAltName = @subject_alt_name # # Distinguished Name (DN) [ distinguished_name ] organizationName = example.net commonName = example.net Root Certification Authority # # Root CA Certificate Extensions [ root-ca_ext ] basicConstraints = critical, CA:true keyUsage = critical, keyCertSign, cRLSign nameConstraints = critical, @name_constraints subjectKeyIdentifier = hash subjectAltName = @subject_alt_name authorityKeyIdentifier = keyid:always issuerAltName = issuer:copy authorityInfoAccess = @auth_info_access crlDistributionPoints = crl_dist # # Intermediate CA Certificate Extensions [ intermed-ca_ext ] basicConstraints = critical, CA:true, pathlen:0 keyUsage = critical, keyCertSign, cRLSign subjectKeyIdentifier = hash subjectAltName = 
@subject_alt_name authorityKeyIdentifier = keyid:always issuerAltName = issuer:copy authorityInfoAccess = @auth_info_access crlDistributionPoints = crl_dist # # CRL Certificate Extensions [ crl_ext ] authorityKeyIdentifier = keyid:always issuerAltName = issuer:copy # # Certificate Authorities Alternative Names [ subject_alt_name ] URI = http://ca.example.net/ email = certmaster # # Name Constraints [ name_constraints ] permitted;DNS.1 = example.net permitted;email.1 = example.net # # Certificate download addresses for the root CA [ auth_info_access ] caIssuers;URI = http://ca.example.net/certs/example.net_Root_Certification_Authority.cert.pem # # CRL Download address for the root CA [ crl_dist ] fullname = URI:http://ca.example.net/crl/example.net_Root_Certification_Authority.crl # EOF ~~~ 2) Make sure the config is active (the relative path is only valid while the current directory is root-ca; later steps re-export it after changing directory): ~~~ $ export OPENSSL_CONF=./root-ca.cnf ~~~ 3) Generate CSR & Key: ~~~ $ openssl req -new -out root-ca.req.pem $ chmod 400 private/root-ca.key.pem ~~~ 4) Self-sign the Root certificate: ~~~ $ openssl rand -hex 16 > root-ca.serial $ openssl ca -selfsign -in root-ca.req.pem -out root-ca.cert.pem -extensions root-ca_ext -startdate `date +%y%m%d000000Z -u -d -1day` -enddate `date +%y%m%d000000Z -u -d +10years+1day` ~~~ 5) (Optional) Verify the cert: ~~~ $ openssl x509 -in ./root-ca.cert.pem -noout -text -certopt no_version,no_pubkey,no_sigdump -nameopt multiline $ openssl verify -verbose -CAfile root-ca.cert.pem root-ca.cert.pem ~~~ 6) Create the IntermediateCA config file as follows (path relative to /path/to/safe/storage/customCA): ~~~ $ cd example.net.ca/intermed-ca $ cat intermed-ca.cnf # # OpenSSL configuration for the Intermediate Certification Authority. # # # Fallback value for the $ENV::CA_HOME references below when CA_HOME is not exported in the environment. CA_HOME = . 
RANDFILE = $ENV::CA_HOME/private/.rnd oid_section = new_oids # # XMPP address Support [ new_oids ] xmppAddr = 1.3.6.1.5.5.7.8.5 dnsSRV = 1.3.6.1.5.5.7.8.7 # # Default Certification Authority [ ca ] default_ca = intermed_ca # # Intermediate Certification Authority [ intermed_ca ] dir = $ENV::CA_HOME certs = $dir/certs serial = $dir/intermed-ca.serial database = $dir/intermed-ca.index new_certs_dir = $dir/newcerts certificate = $dir/intermed-ca.cert.pem private_key = $dir/private/intermed-ca.key.pem default_days = 730 # Two years crl = $dir/crl/intermed-ca.crl crl_dir = $dir/crl crlnumber = $dir/intermed-ca.crlnum name_opt = multiline, align cert_opt = no_pubkey copy_extensions = copy crl_extensions = crl_ext default_crl_days = 30 default_md = sha256 preserve = no email_in_dn = no policy = policy unique_subject = no # # Distinguished Name Policy [ policy ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied # # Distinguished Name Policy for Personal Certificates [ user_policy ] countryName = supplied stateOrProvinceName = optional localityName = supplied organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = supplied #xmppAddr = optional # Added to SubjAltName by req # # Intermediate CA request options [ req ] default_bits = 3072 default_keyfile = private/intermed-ca.key.pem encrypt_key = yes default_md = sha256 string_mask = utf8only utf8 = yes prompt = no req_extensions = req_ext distinguished_name = distinguished_name subjectAltName = subject_alt_name # # Intermediate CA Request Extensions [ req_ext ] subjectKeyIdentifier = hash subjectAltName = @subject_alt_name # # Distinguished Name (DN) [ distinguished_name ] organizationName = example.net commonName = example.net Intermediate Certification Authority # # Server Certificate Extensions [ server_ext ] basicConstraints = CA:FALSE keyUsage = critical, 
digitalSignature, keyEncipherment extendedKeyUsage = critical, serverAuth, clientAuth subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always issuerAltName = issuer:copy authorityInfoAccess = @auth_info_access crlDistributionPoints = crl_dist # # Client Certificate Extensions [ client_ext ] basicConstraints = CA:FALSE keyUsage = critical, digitalSignature extendedKeyUsage = critical, clientAuth subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always issuerAltName = issuer:copy authorityInfoAccess = @auth_info_access crlDistributionPoints = crl_dist # # User Certificate Extensions [ user_ext ] basicConstraints = CA:FALSE keyUsage = critical, digitalSignature extendedKeyUsage = critical, clientAuth, emailProtection subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always issuerAltName = issuer:copy authorityInfoAccess = @auth_info_access crlDistributionPoints = crl_dist # # CRL Certificate Extensions [ crl_ext ] authorityKeyIdentifier = keyid:always issuerAltName = issuer:copy # # Certificate Authorities Alternative Names [ subject_alt_name ] URI = http://ca.example.net/ email = certmaster # # Certificate download addresses for the intermediate CA [ auth_info_access ] caIssuers;URI = http://ca.example.net/certs/example.net_Intermediate_Certification_Authority.cert.pem # # CRL Download address for the intermediate CA [ crl_dist ] fullname = URI:http://ca.example.net/crl/example.net_Intermediate_Certification_Authority.crl # EOF ~~~ 7) Switch to the proper config: ~~~ $ export OPENSSL_CONF=./intermed-ca.cnf ~~~ 8) Generate CSR & Key: ~~~ $ openssl req -new -out intermed-ca.req.pem $ chmod 400 private/intermed-ca.key.pem ~~~ 9) Sign the IntermediateCA with the RootCA: ~~~ $ cp intermed-ca.req.pem /path/to/safe/storage/customCA/example.net.ca/root-ca/certreqs/ $ cd /path/to/safe/storage/customCA/example.net.ca/root-ca/ $ export OPENSSL_CONF=./root-ca.cnf $ openssl rand -hex 16 > root-ca.serial $ openssl ca -in certreqs/intermed-ca.req.pem 
-out certs/intermed-ca.cert.pem -extensions intermed-ca_ext -startdate `date +%y%m%d000000Z -u -d -1day` -enddate `date +%y%m%d000000Z -u -d +5years+1day` $ cp certs/intermed-ca.cert.pem /path/to/safe/storage/customCA/example.net.ca/intermed-ca/ ~~~ 10) (Optional) Verify the cert: ~~~ $ openssl x509 -in certs/intermed-ca.cert.pem -noout -text -certopt no_version,no_pubkey,no_sigdump -nameopt multiline $ openssl verify -verbose -CAfile root-ca.cert.pem certs/intermed-ca.cert.pem ~~~ 11) Create the custom Ingress wildcard certificate for our cluster: ~~~ $ cd /path/to/safe/storage/customCA/example.net.ca/intermed-ca $ export OPENSSL_CONF=./intermed-ca.cnf $ INGRESS_DOMAIN="$(oc get ingress.config/cluster -o 'jsonpath={.spec.domain}')" $ openssl genrsa -out example.key 2048 $ openssl req -new -key example.key -out example.csr -subj "/C=US/ST=NC/L=Raleigh/O=OCP4/OU=IT/CN=*.$INGRESS_DOMAIN" $ mv example.csr ./certreqs/ ~~~ Note: example.key is written unencrypted with the default umask, so restrict it like the CA keys (chmod 400). The CSR above carries no subjectAltName and server_ext adds none, so the signed certificate is CN-only, which many current TLS clients reject; include the SAN in the CSR (e.g. `-addext "subjectAltName=DNS:*.$INGRESS_DOMAIN"` with OpenSSL 1.1.1+), which copy_extensions = copy then carries into the certificate. Also, the root CA's name_constraints permit only example.net, so INGRESS_DOMAIN must fall under example.net (or the constraint must be adjusted before the root is signed) or path validation of the chain will fail. 12) Sign the Server Cert with the IntermediateCA: ~~~ $ openssl rand -hex 16 > intermed-ca.serial $ openssl ca -in ./certreqs/example.csr -out ./certs/example.pem -extensions server_ext ~~~ Verify the result against the full chain as in step 10, e.g. `openssl verify -CAfile ../root-ca/root-ca.cert.pem -untrusted intermed-ca.cert.pem ./certs/example.pem`. ============================================================================================================================
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2805