--peer-auto-tls cert is valid only for 1 year, is there a way to set expiry date? #13208

Closed
sreenandan opened this issue Jul 12, 2021 · 1 comment

sreenandan commented Jul 12, 2021

2 questions:

  1. How to set the expiry of the peer certificate when using --peer-auto-tls?
  2. If point 1 above is not possible, can you please give me the cfssl command to generate my own cert just like --peer-auto-tls?
    I tried https://github.com/coreos/docs/blob/master/os/generate-self-signed-certificates.md and the certs come with Signature Algorithm: sha256WithRSAEncryption and it won't work because of an IP mismatch.
    So, basically my question here is how to use the cfssl command to generate the certs just like --peer-auto-tls?

```
[root@cscale-82-119 tmp]# openssl x509 -in cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ab:3b:c4:b3:11:d0:12:bf:96:c4:54:d8:99:0f:27:a8
        Signature Algorithm: ecdsa-with-SHA512
        Issuer: O=etcd
        Validity
            Not Before: Jul 10 07:06:08 2021 GMT
            Not After : Jul 10 07:06:08 2022 GMT
        Subject: O=etcd
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (521 bit)
                pub:
                    04:00:34:b2:ef:a0:6e:51:c8:f3:b2:a4:35:24:b7:
                    12:eb:56:fb:5b:ee:23:b1:7c:10:0b:90:00:82:ed:
                    86:11:90:41:eb:0f:dd:f8:1b:8b:61:b7:1c:ac:7e:
                    c0:78:61:e4:0a:ec:63:cc:4f:5b:d3:8d:9f:62:e7:
                    f1:2f:63:1a:87:95:32:01:3b:4c:65:69:15:9a:7b:
                    21:26:60:50:1e:6b:79:8e:bb:95:18:9e:9b:ba:f0:
                    2f:f5:b5:14:68:8e:9c:f2:a5:b6:b5:c3:c0:5a:79:
                    0b:83:ff:6c:cb:c3:05:ea:50:05:a2:6a:c9:c5:22:
                    63:83:d9:e5:1a:0f:6f:58:49:08:21:d0:a8
                ASN1 OID: secp521r1
                NIST CURVE: P-521
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name:
                IP Address:0.0.0.0
    Signature Algorithm: ecdsa-with-SHA512
         30:81:88:02:42:01:d2:0f:11:10:db:11:34:ef:9d:af:1c:5c:
         2e:a3:f1:f3:84:68:e9:84:08:12:f8:d3:30:43:23:01:04:01:
         92:92:50:95:a9:b2:d0:1e:50:e4:2f:40:be:f2:90:fb:ea:b8:
         75:b4:83:78:d0:c2:dd:29:e4:42:08:01:af:4a:2f:e4:9f:02:
         42:01:be:b9:06:fa:ec:53:7c:e5:0e:8c:46:e4:83:fa:7e:9d:
         5e:6a:d8:5f:9e:9e:ce:22:63:7e:ef:39:bd:2f:b0:96:e6:f3:
         c9:64:be:48:2a:7b:99:f1:c9:f4:91:e5:7c:61:60:2f:2b:37:
         dc:cc:3b:b1:19:80:0f:62:e7:24:a2:31:28
```
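
Added example, not part of the original issue thread and not etcd's or cfssl's own code: a Go standard-library sketch that issues a self-signed certificate with the same profile as the dump above (O=etcd, P-521 key, ecdsa-with-SHA512, CA:FALSE, server auth) while letting the caller choose the lifetime and the IP SANs, so the SAN can match the peer's real address. The helper name `selfSignedPeerCert`, the sample address `192.0.2.10` and the two-year lifetime are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"net"
	"os"
	"time"
)

// selfSignedPeerCert (hypothetical helper) returns a DER certificate and its key.
// Profile follows the dump above; validity and IP SANs come from the caller.
func selfSignedPeerCert(ips []net.IP, validity time.Duration) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	now := time.Now().UTC().Truncate(time.Second)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{Organization: []string{"etcd"}},
		NotBefore:             now,
		NotAfter:              now.Add(validity), // the expiry the issue asks about
		SignatureAlgorithm:    x509.ECDSAWithSHA512,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // IsCA stays false, so CA:FALSE is emitted
		IPAddresses:           ips,  // must contain the address peers actually dial
	}
	// Template and parent are the same certificate, which makes it self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der, key, err
}

func main() {
	ips := []net.IP{net.ParseIP("192.0.2.10")} // constructed sample address
	der, _, err := selfSignedPeerCert(ips, 2*365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Piping the output through `openssl x509 -text -noout` shows the same fields as the dump above, with the chosen `Not After` date and IP SAN.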


stale bot commented Oct 11, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 21 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Oct 11, 2021
@stale stale bot closed this as completed Nov 1, 2021