Client-Cert-auth-for-console
## For client cert authentication, TLS must terminate on the Console.
## If you have TLS termination on the load balancers, client cert auth will not work, as the client certificate is not passed through to the Console.
## Below are sample steps to POC client cert authentication.

## Generate the rootCA private key for signing
$ openssl genrsa -out rootCA.key 4096

## Self-sign the rootCA
$ openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

## Create the user private key
$ openssl genrsa -out certificate.key 4096

## Create csrconfig.txt. This file is used in the next step to avoid interactive prompts.
## Also note that commonName must match the username in the Console.
[ req ]
default_md = sha512
prompt = no
req_extensions = req_ext
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = sgordon
countryName = US
stateOrProvinceName = LA
localityName = NO
organizationName = TL
[ req_ext ]
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth

## Create the CSR for the user cert
$ openssl req -new -nodes -key certificate.key -config csrconfig.txt -out certificate.csr

## Verify the request (optional step)
$ openssl req -in certificate.csr -noout -text

## Issue the cert from the CSR and rootCA. -extfile is required for -extensions req_ext to take effect: without it there is no file to read the section from, and the issued cert carries no keyUsage/extendedKeyUsage.
$ openssl x509 -req -in certificate.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -days 365 -extfile csrconfig.txt -extensions req_ext -out certificate.crt

## Create the .pem file (cert followed by key)
$ cat certificate.crt certificate.key > certificate.pem

You also need to follow this documentation to add rootCA.crt to your Console:
https://docs.twistlock.com/docs/compute_edition/configure/authenticate_console_with_certs.html

## Test the connection with either the pem file or the crt and key in separate files.
## -k only skips verification of the Console's own server certificate for this local test; the client cert is still sent and checked by the Console.
$ curl -k -X POST --cert certificate.pem https://localhost:8083/api/v1/authenticate-client -v
$ curl -k -X POST --cert certificate.crt --key certificate.key https://localhost:8083/api/v1/authenticate-client -v

## For this to work in your browser, you need to add a pfx file to your browser or keychain. The step below creates the pfx, ready for import.
$ openssl pkcs12 -export -out certificate.pfx -inkey certificate.key -in certificate.crt
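The steps above are interactive and give no way to confirm, before touching the Console, that the issued certificate is actually what the Console will check for. The POSIX shell script below is an added example, not part of the gist: it runs the same chain of openssl commands non-interactively into a working directory, then verifies that the client cert chains to rootCA.crt, carries the clientAuth extended key usage from req_ext, has the expected Console username as commonName, and matches the private key placed beside it in certificate.pem. It assumes `openssl` (1.1.1 or 3.x) is on PATH. The DN fields and the username sgordon are the gist's own values; the CA config file, the 2048-bit keys (for speed; the gist uses 4096) and the temp-directory layout are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the gist): build a throwaway root CA and a client
# certificate the way the steps above do, without prompts, then run the checks
# the Console's trust decision depends on. Assumes `openssl` on PATH.

build_client_cert() {
    # $1 = working directory, $2 = Console username to put in commonName
    dir="$1"; user="$2"
    # Root CA config (constructed): marks the cert as a CA so `openssl verify`
    # accepts it as a trust anchor regardless of the system openssl.cnf.
    cat > "$dir/caconfig.txt" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
commonName = poc-root-ca
organizationName = TL
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # CSR config from the gist, with commonName parameterised
    cat > "$dir/csrconfig.txt" <<EOF
[ req ]
default_md = sha512
prompt = no
req_extensions = req_ext
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = $user
countryName = US
stateOrProvinceName = LA
localityName = NO
organizationName = TL
[ req_ext ]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
EOF
    # Subshell with set -e: any failing openssl step fails the whole build.
    (
        set -e
        openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
        openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days 1024 \
            -config "$dir/caconfig.txt" -out "$dir/rootCA.crt"
        openssl genrsa -out "$dir/certificate.key" 2048 2>/dev/null
        openssl req -new -nodes -key "$dir/certificate.key" \
            -config "$dir/csrconfig.txt" -out "$dir/certificate.csr"
        # -extfile is what makes -extensions req_ext land on the issued cert
        openssl x509 -req -in "$dir/certificate.csr" -CA "$dir/rootCA.crt" \
            -CAkey "$dir/rootCA.key" -CAcreateserial -days 365 \
            -extfile "$dir/csrconfig.txt" -extensions req_ext \
            -out "$dir/certificate.crt" 2>/dev/null
        cat "$dir/certificate.crt" "$dir/certificate.key" > "$dir/certificate.pem"
    )
}

# Returns 0 only when the cert is one the Console would accept for $2:
# chains to rootCA.crt, is marked for client auth, carries $2 as CN, and the
# private key next to it is the one the cert was issued for.
check_client_cert() {
    dir="$1"; user="$2"
    # 1. chains to the root the Console is configured to trust
    openssl verify -CAfile "$dir/rootCA.crt" "$dir/certificate.crt" >/dev/null 2>&1 || return 1
    # 2. the req_ext extendedKeyUsage really made it into the issued cert
    openssl x509 -in "$dir/certificate.crt" -noout -text \
        | grep -q 'TLS Web Client Authentication' || return 1
    # 3. CN is the Console username this cert should log in as
    cn=$(openssl x509 -in "$dir/certificate.crt" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$user" ] || return 1
    # 4. public key in the cert equals the public key derived from the key file
    cert_pub=$(openssl x509 -in "$dir/certificate.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/certificate.key" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone run: build into a fresh directory and report the verdict.
work=$(mktemp -d)
if build_client_cert "$work" sgordon && check_client_cert "$work" sgordon; then
    echo "client certificate for sgordon passes all checks; files in $work"
else
    echo "client certificate did not pass the checks; inspect $work" >&2
fi
```

Run it with `sh` and it leaves rootCA.crt, certificate.crt, certificate.key and certificate.pem in the printed directory, so the curl tests above can be pointed at them directly. Check 2 is the one that catches the missing -extfile: a cert signed without it still verifies and still has the right CN, but has no extendedKeyUsage at all, which is exactly the silent failure a practitioner would otherwise only discover at the Console.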