校验 TLS 证书

以校验 kubernetes 证书为例:

使用 openssl 命令

  1. $ openssl x509 -noout -text -in kubernetes.pem
  2. ...
  3.     Signature Algorithm: sha256WithRSAEncryption
  4.         Issuer: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=Kubernetes
  5.         Validity
  6.             Not Before: Apr  5 05:36:00 2017 GMT
  7.             Not After : Apr  5 05:36:00 2018 GMT
  8.         Subject: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=kubernetes
  9. ...
  10.         X509v3 extensions:
  11.             X509v3 Key Usage: critical
  12.                 Digital Signature, Key Encipherment
  13.             X509v3 Extended Key Usage:
  14.                 TLS Web Server Authentication, TLS Web Client Authentication
  15.             X509v3 Basic Constraints: critical
  16.                 CA:FALSE
  17.             X509v3 Subject Key Identifier:
  18.                 DD:52:04:43:10:13:A9:29:24:17:3A:0E:D7:14:DB:36:F8:6C:E0:E0
  19.             X509v3 Authority Key Identifier:
  20.                 keyid:44:04:3B:60:BD:69:78:14:68:AF:A0:41:13:F6:17:07:13:63:58:CD
  22.             X509v3 Subject Alternative Name:
  23.                 DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1, IP Address:10.64.3.7, IP Address:10.254.0.1
  24. ...
  • 确认 Issuer 字段的内容和 ca-csr.json 一致;
  • 确认 Subject 字段的内容和 kubernetes-csr.json 一致;
  • 确认 X509v3 Subject Alternative Name 字段的内容和 kubernetes-csr.json 一致;
  • 确认 X509v3 Key Usage、Extended Key Usage 字段的内容和 ca-config.jsonkubernetes profile 一致;

使用 cfssl-certinfo 命令

  1. $ cfssl-certinfo -cert kubernetes.pem
  2. ...
  3. {
  4.   "subject": {
  5.     "common_name": "kubernetes",
  6.     "country": "CN",
  7.     "organization": "k8s",
  8.     "organizational_unit": "System",
  9.     "locality": "BeiJing",
  10.     "province": "BeiJing",
  11.     "names": [
  12.       "CN",
  13.       "BeiJing",
  14.       "BeiJing",
  15.       "k8s",
  16.       "System",
  17.       "kubernetes"
  18.     ]
  19.   },
  20.   "issuer": {
  21.     "common_name": "Kubernetes",
  22.     "country": "CN",
  23.     "organization": "k8s",
  24.     "organizational_unit": "System",
  25.     "locality": "BeiJing",
  26.     "province": "BeiJing",
  27.     "names": [
  28.       "CN",
  29.       "BeiJing",
  30.       "BeiJing",
  31.       "k8s",
  32.       "System",
  33.       "Kubernetes"
  34.     ]
  35.   },
  36.   "serial_number": "174360492872423263473151971632292895707129022309",
  37.   "sans": [
  38.     "kubernetes",
  39.     "kubernetes.default",
  40.     "kubernetes.default.svc",
  41.     "kubernetes.default.svc.cluster",
  42.     "kubernetes.default.svc.cluster.local",
  43.     "127.0.0.1",
  44.     "10.64.3.7",
  45.     "10.64.3.8",
  46.     "10.66.3.86",
  47.     "10.254.0.1"
  48.   ],
  49.   "not_before": "2017-04-05T05:36:00Z",
  50.   "not_after": "2018-04-05T05:36:00Z",
  51.   "sigalg": "SHA256WithRSA",
  52. ...

校验证书是否被 CA 签名

  1. $ openssl verify -CAfile /etc/kubernetes/cert/ca.pem /etc/kubernetes/cert/kubernetes.pem
  2. /etc/kubernetes/cert/kubernetes.pem: OK
  4. $ openssl verify -CAfile ca_wrong.pem /etc/kubernetes/cert/kubernetes.pem
  5. /etc/kubernetes/cert/kubernetes.pem: C = CN, ST = BeiJing, L = BeiJing, O = k8s, OU = 4Paradigm, CN = kubernetes
  6. error 20 at 0 depth lookup:unable to get local issuer certificate