Skip to content

Instantly share code, notes, and snippets.

@psaia
Last active July 19, 2023 19:02
Show Gist options
  • Save psaia/da59b10da5f28b583f75712ea2e250b4 to your computer and use it in GitHub Desktop.
Save psaia/da59b10da5f28b583f75712ea2e250b4 to your computer and use it in GitHub Desktop.
Handy tls/x.509 debugging notes
# If you need to export certs from a k8s secret
kubectl get secret/my-secret -n istio-system -ojson | jq -r '.data["tls.key"]' | base64 --decode > tls.key
kubectl get secret/my-secret -n istio-system -ojson | jq -r '.data["tls.crt"]' | base64 --decode > tls.crt
kubectl get secret/my-secret -n istio-system -ojson | jq -r '.data["ca.crt"]' | base64 --decode > ca.crt
kubectl get secret/my-secret-cacert -ojson -n istio-system | jq -r '.data.cacert' | base64 --decode > chain.crt
# Create a mTLS server and connect to it with a client locally. This is useful
# for veryifying the entire stack of certificates work with each other. It will
# actually create a server listening on port 7569.
openssl s_server -accept 7569 -CAfile cacert.crt -cert tls.crt -key tls.key -Verify 10 -tls1_2 -state -quiet
openssl s_client -connect localhost:7569 -CAfile cachain.crt -cert tls.crt -key tls.key -tls1_2 -state -quiet
# Connect to mTLS using x.509 certs along with SNI
openssl s_client -connect {DOMAIN}:443 \
-servername {SNI_DOMAIN} \
-key key.pem \
-cert cert.pem \
-CAfile ca.pem \
-showcerts \
-debug
# Curl using x.509 certs w/ SNI
curl \
--key key.pem \
--cert cert.pem \
--cacert ca.pem \
--resolve {DOMAIN}:443:{RESOLVABLE_IP_ADDRESS} \
https://{DOMAIN}
# Verify a cert + ca
openssl verify -verbose -show_chain -CAfile ca.pem cert.crt
# View details of a local cert (pem format)
openssl x509 -in cert.pem -text -noout
# Confirm a cert and key match
openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in key.pem | openssl md5
# grpcurl using x.509s and SNI (assuming service has a convential healthcheck ep):
grpcurl \
-cert=cert.pem \
-key=key.pem \
-cacert=ca.pem \
-servername {DOMAIN} \
-vv \
{DOMAIN}:443 \
grpc.health.v1.Health/Check
# Issue x.509 certs from Vault
vault write the/full/path/approle/login role_id={ROLE_ID} secret_id={SECRET_ID}
export VAULT_TOKEN={THE_TOKEN}
vault write pki/issue/{ROLE_NAME} common_name={DOMAIN}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment