The only differences I see are in key usage restrictions.
The CA that is working in the second example has no key usage restrictions:
    X509v3 extensions:
        X509v3 Subject Key Identifier:
            C4:23:88:A9:1D:CB:82:24:53:E4:61:32:46:15:E0:93:CE:3F:C2:DA
        X509v3 Authority Key Identifier:
            keyid:C4:23:88:A9:1D:CB:82:24:53:E4:61:32:46:15:E0:93:CE:3F:C2:DA
        X509v3 Basic Constraints: critical
            CA:TRUE
The self-signed+CA that is not working in the first example has key
restrictions that do not include "Certificate Sign", and extended key usage
restrictions of web server auth:
    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:TRUE
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage: critical
            TLS Web Server Authentication
You might try adding KeyUsageCertSign to the key usages and ExtKeyUsageAny
to the extended key usages to see if that makes the router happier with
your all-in-one cert.
On Sat, Jun 2, 2018 at 3:13 PM, Marc Boorshtein <[email protected]>
wrote:
> Something seems odd to me about setting up a route (origin 3.9). I can
> create a route with re-encrypt if the cert is signed by a self-signed CA,
> but the route doesn't work if the destination certificate is self-signed
> and marked as a CA. For example, this destination certificate does NOT work
> with the router:
>
>
>
> however, this cert does (and its corresponding CA):
>
>
> ca:
>
>
>
> Now the first cert is marked as a CA, so it SHOULD work (and the same
> process generates certs that the golang clients in openshift and k8s both
> work with OK). Is there a requirement I'm missing?
>
> Thanks
> Marc
>
> _______________________________________________
> users mailing list
> [email protected]
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
>
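As an added example (not code from this thread, OpenShift, or the router), the Go program below builds a self-signed CA:TRUE certificate with whichever key usage and extended key usage you pass, so the two certs compared above can be reproduced side by side; canSignCerts applies the check a verifier that honours keyUsage makes before accepting a cert as an issuer, and goAccepts shows that Go's own crypto/x509 (whose verifier documents that it ignores keyUsage flags) accepts both variants, consistent with the golang clients working while the router did not. The function names selfSignedCA, canSignCerts and goAccepts are mine, and the certificate subject is left empty because only the extensions matter here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"time"
)

// selfSignedCA builds a self-signed CA:TRUE certificate with the given key usage
// and extended key usage, the two fields on which the thread's certs differ.
func selfSignedCA(ku x509.KeyUsage, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              ku,  // 0 means no keyUsage extension at all
		ExtKeyUsage:           eku, // nil means no extendedKeyUsage extension
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// canSignCerts is the check a keyUsage-honouring verifier applies before trusting
// c as an issuer: CA:TRUE, and either no keyUsage extension or one that includes
// Certificate Sign. Go's crypto/x509 verifier documents that it ignores keyUsage.
func canSignCerts(c *x509.Certificate) bool {
	return c.BasicConstraintsValid && c.IsCA &&
		(c.KeyUsage == 0 || c.KeyUsage&x509.KeyUsageCertSign != 0)
}

// goAccepts reports whether Go's verifier accepts c as a root trusting itself,
// the all-in-one arrangement the thread's first cert relies on.
func goAccepts(c *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(c)
	_, err := c.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}
```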