Open in app

Sign in

Write

Sign in

OpenSSL and Secrets in Kubernetes

j3ffyang
2 min readNov 15, 2021

--

Objective: use openssl to manage certificate and key where are configured in secrets in Kubernetes cluster

Bundled Chain Certificate

  • The bundled certificate contains certificate of hostSelf, intermediate and CAroot, 3 parts, chained in one single chained cert.pem
  • The correct order of bundled certificates is: hostSelf (top) > intermediate cert > CAroot cert (bottom)

openssl crl2pkcs7 - Validate the chained certificates

user@debian:~/$ openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -noout
subject=CN = sub.domain.comissuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
subject=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CAissuer=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
subject=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authorityissuer=C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services

openssl x509 -dates - Check certificate validated period

openssl x509 -dates -noout < /path/fullchain.pem
notBefore=Nov 14 08:49:01 2021 GMT
notAfter=Feb 12 08:49:00 2022 GMT

openssl s_client - Verify the deployed certificate in Nginx web-server in Kubernetes

user@debian:~$ openssl s_client -showcerts -connect 10.0.10.18:32160
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = sub.domain.com
verify return:1
---
Certificate chain
 0 s:CN = sub.domain.com
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
MIIGSTCCBTGgAwIBAgIQQ9ytVSnDH7HqTBzJ3ZYdxTANBgkqhkiG9w0BAQsFADCB
...

Where 10.0.10.18 is one of the worker node with nginx-ingress-controller deployed and 32160 is nodePort configured in service/nginx-ingress-controller

user@node1:~/$ kubectl -n shared get svc | grep nginx-ingress-controller
nginx-ingress-controller           NodePort    10.233.33.142   <none>        80:31500/TCP,443:32160/TCP   8d

The output of openssl s_client -showcerts should be exactly the same as the above result from openssl crl2pkcs7

Kubernetes
Openssl
Opensource
Certificate

--

--

j3ffyang
j3ffyang

Written by j3ffyang

143 Followers
320 Following

ardent linux user, opensource, kubernetes containerization, blockchain, data security. handler of @analyticsource and @j3ffyang

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams