
Console: add time left to certificates #1130

Allan Roger Reid edited this page Feb 8, 2023 · 4 revisions

Pull Request

https://github.com/minio/console/pull/2628

Issues

https://github.com/miniohq/engineering/issues/1130

Tests

Setup

apt-get install openssl -y

Create CA

openssl req -x509 \
            -sha256 -days 300 \
            -nodes \
            -newkey rsa:2048 \
            -subj "/CN=min.io/C=US/L=San Fransisco" \
            -keyout rootCA.key -out rootCA.crt 

Create server private key

openssl genrsa -out server.key 2048

Create Certificate Signing Request Configuration

cat > csr.conf <<EOF
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = US
ST = California
L = San Fransisco
O = MinIO Inc.
OU = HQ
CN = min.io

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = min.io
IP.1 = 127.0.0.1

EOF

Generate Certificate Signing Request (CSR) Using Server Private Key

openssl req -new -key server.key -out server.csr -config csr.conf

Create an external file

cat > cert.conf <<EOF

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = min.io

EOF

Generate SSL certificate with self-signed CA

Expired

apt-get install faketime
faketime '2000-01-01 00:00:00' \
openssl x509 -req \
    -in server.csr \
    -CA rootCA.crt -CAkey rootCA.key \
    -CAcreateserial -out server-expired.crt \
    -days 1 \
    -sha256 -extfile cert.conf

Validate expired

openssl x509 -noout -text -in server-expired.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4a:19:b0:86:7a:ce:b6:ae:d2:e1:7f:92:66:8b:bf:0c:73:10:e9:e7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = min.io, C = US, L = San Fransisco
        Validity
            Not Before: Jan  1 00:00:00 2000 GMT
            Not After : Jan  2 00:00:00 2000 GMT
        Subject: C = US, ST = California, L = San Fransisco, O = MinIO Inc., OU = HQ, CN = min.io
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                C0:8A:32:DE:F4:0A:67:80:99:56:7C:75:F7:CB:77:89:31:EB:BD:79
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name: 
                DNS:min.io
            X509v3 Subject Key Identifier: 
                DD:C4:11:D3:42:46:C7:71:3B:6A:4A:23:46:7E:5D:DE:97:DD:48:BE
    Signature Algorithm: sha256WithRSAEncryption

In Console

image

Create 1 day-to-expiry certificate and key

openssl x509 -req \
    -in server.csr \
    -CA rootCA.crt -CAkey rootCA.key \
    -CAcreateserial -out 1-day-expiring.crt \
    -days 1 \
    -sha256 -extfile cert.conf

In Console

image

Create 9 day-to-expiry certificate and key

openssl x509 -req \
    -in server.csr \
    -CA rootCA.crt -CAkey rootCA.key \
    -CAcreateserial -out 9-day-expiring.crt \
    -days 9 \
    -sha256 -extfile cert.conf

In Console

image

Create 29 day-to-expiry certificate and key

openssl x509 -req \
    -in server.csr \
    -CA rootCA.crt -CAkey rootCA.key \
    -CAcreateserial -out 29-day-expiring.crt \
    -days 29 \
    -sha256 -extfile cert.conf

In Console

image

Create 300 day-to-expiry certificate and key

openssl x509 -req \
    -in server.csr \
    -CA rootCA.crt -CAkey rootCA.key \
    -CAcreateserial -out 300-day-expiring.crt \
    -days 300 \
    -sha256 -extfile cert.conf

In Console

image
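
To cross-check the time left that Console shows for each test certificate, the script below computes it from the certificate's notAfter date. It is an added example, not part of the original wiki page or of MinIO's code; the function names are hypothetical and GNU date is assumed for parsing the OpenSSL date format.

```shell
#!/bin/sh
# Added example (not from the MinIO wiki): independent "time left" check
# for the test certificates, to compare with what Console displays.

# days_left_from_enddate "notAfter=<date>" [now_epoch]
# Takes the line printed by `openssl x509 -noout -enddate`.
# Prints whole days until expiry, rounded down; negative means expired.
# Assumes GNU date (for -d parsing of the OpenSSL date format).
days_left_from_enddate() {
    enddate=${1#notAfter=}
    now=${2:-$(date -u +%s)}
    end=$(date -u -d "$enddate" +%s) || return 2
    secs=$((end - now))
    if [ "$secs" -lt 0 ]; then
        # Floor division for negatives: expired 1 second ago -> -1
        echo $(( -((86399 - secs) / 86400) ))
    else
        echo $((secs / 86400))
    fi
}

# cert_days_left <file.crt>: same value, read from a certificate file.
cert_days_left() {
    line=$(openssl x509 -noout -enddate -in "$1") || return 2
    days_left_from_enddate "$line"
}

# Report on whichever of this page's test certificates exist in the
# current directory; -checkend 0 exits non-zero once notAfter has passed.
report_test_certs() {
    for crt in server-expired.crt 1-day-expiring.crt 9-day-expiring.crt \
               29-day-expiring.crt 300-day-expiring.crt; do
        [ -f "$crt" ] || continue
        if openssl x509 -noout -checkend 0 -in "$crt" >/dev/null; then
            state=valid
        else
            state=expired
        fi
        printf '%-24s %-8s %s days left\n' \
            "$crt" "$state" "$(cert_days_left "$crt")"
    done
}

report_test_certs
```

A certificate issued with -days 1 reports 0 whole days as soon as it is created, because slightly less than 24 hours remain.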