Last active August 11, 2022 16:21
Handy tls/x.509 debugging notes
# If you need to export certs from a k8s secret
kubectl get secret/my-secret -n istio-system -ojson | jq -r '.data["tls.key"]' | base64 --decode > tls.key
kubectl get secret/my-secret -n istio-system -ojson | jq -r '.data["tls.crt"]' | base64 --decode > tls.crt
kubectl get secret/my-secret -n istio-system -ojson | jq -r '.data["ca.crt"]' | base64 --decode > ca.crt
kubectl get secret/my-secret-cacert -ojson -n istio-system | jq -r '.data.cacert' | base64 --decode > chain.crt
# Create an mTLS server and connect to it with a client locally. This is useful
# for verifying that the entire stack of certificates works together. It will
# actually create a server listening on port 7569. -Verify 10 makes the server
# require a client certificate (chain depth up to 10). Point -CAfile at the CA
# material exported above (ca.crt / chain.crt) or whatever your chain files are called.
openssl s_server -accept 7569 -CAfile cacert.crt -cert tls.crt -key tls.key -Verify 10 -tls1_2 -state -quiet
openssl s_client -connect localhost:7569 -CAfile cachain.crt -cert tls.crt -key tls.key -tls1_2 -state -quiet
# Connect to mTLS using x.509 certs along with SNI (the SNI name may differ
# from the address you connect to; no trailing backslash on the last line or
# the next comment line gets swallowed as an argument)
openssl s_client -connect {DOMAIN}:443 \
-servername {SNI_DOMAIN} \
-key key.pem \
-cert cert.pem \
-CAfile ca.pem \
-showcerts
# Curl using x.509 certs w/ SNI. curl takes the SNI name from the URL host;
# if it has to connect to a different address, add --resolve {DOMAIN}:443:{IP}
curl \
--key key.pem \
--cert cert.pem \
--cacert ca.pem \
https://{DOMAIN}/
# Inspect a local cert (pem format): subject, issuer, SANs, validity, key usage
openssl x509 -in cert.pem -text -noout
# Confirm a cert and key match (RSA only: compares the modulus; the md5 is just
# there to shorten the output so the two lines can be compared by eye)
openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in key.pem | openssl md5
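As an added example (not part of the gist), a POSIX shell script that generalises the cert/key check above to EC as well as RSA keys by hashing the SubjectPublicKeyInfo from both sides, and that checks a leaf against a CA file and a hostname with `openssl verify`. The `make_fixture` function constructs a throwaway self-signed EC cert in a temp dir so the script runs offline; `example.test` is a made-up name.

```shell
#!/bin/sh
# Compare the public key embedded in a cert with the public key derived from a
# private key. Works for RSA and EC keys, unlike the RSA-only modulus trick.
cert_key_match() {   # $1 cert.pem  $2 key.pem
  cert_fp=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
            | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
  key_fp=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | openssl sha256)
  [ -n "$cert_fp" ] && [ "$cert_fp" = "$key_fp" ]
}

# Verify a leaf against a CA file and check that the hostname is covered by
# the cert's SAN (or CN fallback). Exit status 0 means the chain is good.
cert_chain_ok() {   # $1 cert.pem  $2 ca.pem  $3 hostname
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Constructed fixture: a self-signed P-256 cert for example.test plus a second,
# unrelated key so the negative case can be exercised. Prints the temp dir.
make_fixture() {
  dir=$(mktemp -d)
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/tls.key" 2>/dev/null
  openssl req -new -x509 -key "$dir/tls.key" -out "$dir/tls.crt" -days 1 \
    -subj "/CN=example.test" -addext "subjectAltName=DNS:example.test" 2>/dev/null
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/other.key" 2>/dev/null
  echo "$dir"
}

# Usage on real material: cert_key_match tls.crt tls.key && echo "key matches"
#                         cert_chain_ok tls.crt ca.crt my.host && echo "chain ok"
```

For a chain exported from a k8s secret, pass `chain.crt` as the CA file and the external hostname as the third argument.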
# grpcurl using x.509s and SNI (assuming the service exposes the conventional
# grpc.health.v1.Health/Check endpoint):
grpcurl \
-cert=cert.pem \
-key=key.pem \
-cacert=ca.pem \
-servername {DOMAIN} \
-vv \
{DOMAIN}:443 \
grpc.health.v1.Health/Check
# Issue x.509 certs from Vault. Log in with AppRole first and export the token
# (-field=token prints only the token), otherwise the pki/issue call runs unauthenticated.
export VAULT_TOKEN=$(vault write -field=token the/full/path/approle/login role_id={ROLE_ID} secret_id={SECRET_ID})
vault write pki/issue/{ROLE_NAME} common_name={DOMAIN}