@Stono
Last active December 18, 2017 20:27
#!/bin/bash
# Issue a client certificate signed by the Istio mesh CA (the istio-ca-secret
# in istio-system) for a host that cannot run the Istio agent.
# Expects ./certs/openssl.cnf and ./certs/openssl-ca.cnf to exist (see the comment below).
set -e

# Pull one key out of the istio-ca-secret Secret and base64-decode it.
function get_secret {
  local var=".data[\"$1\"]"
  kubectl -n istio-system get secret istio-ca-secret -o json | jq -r "$var" | base64 --decode
}

# Remove the openssl-ca database and any leftover request/cert from a previous run.
function clean {
  rm -f ca/index.txt*
  rm -f ca/serial.txt
  rm -f client.csr
  rm -f 01.pem
}

mkdir -p ./certs/ca
cd certs
clean

# The CA private key and the new client key are written to disk below;
# make sure nothing else on this box can read them.
umask 077

echo "Getting root certificates from istio..."
get_secret "ca-cert.pem" > ca/ca-cert.pem
get_secret "ca-key.pem" > ca/ca-key.pem

echo "Generating CSR..."
openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf -subj "/" -outform pem -out client.csr -keyout client.key

echo "Signing CSR using CA key..."
touch ca/index.txt
echo '01' > ca/serial.txt
openssl ca -batch -config openssl-ca.cnf -policy signing_policy -out client.pem -infiles client.csr
clean

echo "Testing key works..."
echo "Looking up service ip..."
SERVICE_IP=$(kubectl get service -l app=at-consumer-platform | tail -n 1 | awk '{print $4}')
echo "Using ip: $SERVICE_IP"
# -k skips verification of the server certificate, so this only proves the
# mesh accepts the client certificate; it says nothing about the server side.
docker run --rm -it -v "$PWD:/etc/certs" byrnedo/alpine-curl -kv "https://$SERVICE_IP:80" --key /etc/certs/client.key --cert /etc/certs/client.pem --cacert /etc/certs/ca/ca-cert.pem
Stono commented Dec 18, 2017

This gist is about creating a certificate signed by the istio service mesh ca.

My particular use case is that I have a poly cloud setup where we have some older devices (on prem) wanting to connect to the istio service mesh, but I can't run the istio agent on them. As such I wanted to generate some slightly longer lived certificates to use on those devices until such a time as they are properly integrated.

Make sure you do mkdir certs, and create these two config files in there first.

./certs/openssl.cnf =

[ req ]
default_bits            = 2048
encrypt_key             = no
default_md              = sha256
distinguished_name      = req_distinguished_name
req_extensions          = v3_req

[ req_distinguished_name ]
countryName            = GB
stateOrProvinceName    = Manchester
localityName           = Manchester
organizationName       = Your Org
organizationalUnitName = Your OU
commonName             = ISTIO_LONG_LIVED

[ v3_req ]
extendedKeyUsage        = clientAuth, codeSigning
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName          = @alt_names
basicConstraints        = CA:FALSE

[ alt_names ]
URI=spiffe://cluster.local/ns/default/sa/default

[ dir_sect ]
C=GB
O=YourOrg
OU=SomeOU
CN=SomeCN

./certs/openssl-ca.cnf =

[ ca ]
default_ca      = CA_default

[ signing_policy ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = optional
emailAddress           = optional

[ CA_default ]
base_dir        = .
certificate     = $base_dir/ca/ca-cert.pem   # The CA certificate
private_key     = $base_dir/ca/ca-key.pem    # The CA private key
new_certs_dir   = $base_dir                  # Location for new certs after signing
database        = $base_dir/ca/index.txt     # Database index file
serial          = $base_dir/ca/serial.txt    # The current serial number
copy_extensions = copy
default_md      = sha256                     # sha1-signed certs are rejected by modern TLS stacks; openssl.cnf already uses sha256
default_days    = 365
unique_subject  = no
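
Before a client.pem produced this way is copied to a device, it is worth checking the four things that most often go wrong with hand-issued mesh certificates: that it actually chains to the CA certificate, that the SPIFFE URI SAN survived `copy_extensions`, that the signature digest is not SHA-1, and that the lifetime is what you meant to issue. The script below is an added example, not part of the gist; it builds throwaway test material (a self-signed CA and one client certificate with the same SPIFFE URI as the gist's openssl.cnf) in a temp directory so it can run offline, and assumes `openssl` and GNU `date` are installed. Point `check_client_cert` at `ca/ca-cert.pem` and `client.pem` from the gist's certs directory to check a real output.

```shell
#!/bin/bash
# Added example, not part of the gist. Sanity checks to run on client.pem
# before it leaves the workstation: chain, SPIFFE URI SAN, signature digest
# and lifetime. The CA and client cert built by make_test_material are
# constructed throwaway material, not the Istio CA and not the gist's configs.
set -e

# make_test_material <dir>: self-signed CA plus one client cert carrying the
# SPIFFE URI from the gist's openssl.cnf, signed with sha256, valid 365 days.
make_test_material() {
  local dir=$1
  (umask 077
   openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
     -subj "/O=TestCA/CN=test-root" \
     -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null
   openssl req -new -newkey rsa:2048 -nodes \
     -subj "/O=YourOrg/CN=ISTIO_LONG_LIVED" \
     -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
   printf '%s\n' \
     'subjectAltName=URI:spiffe://cluster.local/ns/default/sa/default' \
     'extendedKeyUsage=clientAuth' \
     'basicConstraints=CA:FALSE' > "$dir/ext.cnf"
   openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca-cert.pem" \
     -CAkey "$dir/ca-key.pem" -CAcreateserial -days 365 -sha256 \
     -extfile "$dir/ext.cnf" -out "$dir/client.pem" 2>/dev/null)
}

# chain_ok <ca-cert> <cert>: "yes" if the cert verifies against the CA, else "no"
chain_ok() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# spiffe_id <cert>: the URI SAN (empty if the cert has none)
spiffe_id() {
  openssl x509 -in "$1" -noout -text | grep -o 'URI:[^, ]*' | head -n 1 | sed 's/^URI://'
}

# sig_alg <cert>: signature algorithm as printed by openssl, e.g. sha256WithRSAEncryption
sig_alg() {
  openssl x509 -in "$1" -noout -text | grep -m 1 'Signature Algorithm' | awk '{print $3}'
}

# digest_alg_ok <alg>: "no" for md5/sha1 signatures, "yes" otherwise
digest_alg_ok() {
  case "$1" in
    md5*|sha1*) echo no ;;
    *) echo yes ;;
  esac
}

# lifetime_days <cert>: whole days between notBefore and notAfter (GNU date -d)
lifetime_days() {
  local nb na
  nb=$(date -u -d "$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)" +%s)
  na=$(date -u -d "$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)" +%s)
  echo $(( (na - nb) / 86400 ))
}

# check_client_cert <ca-cert> <cert> <max-days>: prints one line per check and
# returns 0 only if every check passes.
check_client_cert() {
  local ca=$1 cert=$2 max=$3 rc=0
  local chain id alg days
  chain=$(chain_ok "$ca" "$cert")
  id=$(spiffe_id "$cert")
  alg=$(sig_alg "$cert")
  days=$(lifetime_days "$cert")
  echo "chain against CA:    $chain"
  echo "SPIFFE URI SAN:      ${id:-<missing>}"
  echo "signature algorithm: $alg"
  echo "lifetime (days):     $days (max $max)"
  [ "$chain" = yes ] || rc=1
  [ -n "$id" ] || rc=1
  [ "$(digest_alg_ok "$alg")" = yes ] || rc=1
  [ "$days" -le "$max" ] || rc=1
  return $rc
}

# Demo on the constructed material; the temp dir is removed on exit.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_material "$WORK"
check_client_cert "$WORK/ca-cert.pem" "$WORK/client.pem" 400
```

The lifetime bound is deliberately a parameter: the whole point of the gist is issuing longer-lived certificates than the agent would, so the check should enforce whatever ceiling you decided on rather than a fixed value.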
