Currently, the ca-bundle has duplicate entries for each Root CA.
```
openssl storeutl -noout -text -certs ctrl-plane-cas.crt
0: Certificate
Certificate:
    Data:
        ...
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=ziti-controller-ctrl-plane-root
        Validity
            Not Before: Jun 30 12:36:32 2023 GMT
            Not After : Jul  7 12:36:32 2033 GMT
        Subject: CN=ziti-controller-ctrl-plane-root
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
        ...
    Signature Algorithm: ecdsa-with-SHA256
    ...
1: Certificate
Certificate:
    Data:
        ...
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=ziti-controller-ctrl-plane-root
        Validity
            Not Before: Jun 30 12:36:32 2023 GMT
            Not After : Jul  7 12:36:32 2033 GMT
        Subject: CN=ziti-controller-ctrl-plane-root
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
        ...
    Signature Algorithm: ecdsa-with-SHA256
    ...
2: Certificate
Certificate:
    Data:
        ...
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=tds-openziti-base-controller-edge-root
        Validity
            Not Before: Jun 30 12:36:34 2023 GMT
            Not After : Jul  7 12:36:34 2033 GMT
        Subject: CN=tds-openziti-base-controller-edge-root
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
        ...
    Signature Algorithm: ecdsa-with-SHA256
3: Certificate
Certificate:
    Data:
        ...
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=tds-openziti-base-controller-edge-root
        Validity
            Not Before: Jun 30 12:36:34 2023 GMT
            Not After : Jul  7 12:36:34 2033 GMT
        Subject: CN=tds-openziti-base-controller-edge-root
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
        ...
    Signature Algorithm: ecdsa-with-SHA256
    ...
4: Certificate
Certificate:
    Data:
        ...
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=ziti-controller-web-root
        Validity
            Not Before: Jun 30 12:36:32 2023 GMT
            Not After : Jul  7 12:36:32 2033 GMT
        Subject: CN=ziti-controller-web-root
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
        ...
    Signature Algorithm: ecdsa-with-SHA256
    ...
5: Certificate
Certificate:
    Data:
        ...
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=ziti-controller-web-root
        Validity
            Not Before: Jun 30 12:36:32 2023 GMT
            Not After : Jul  7 12:36:32 2033 GMT
        Subject: CN=ziti-controller-web-root
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
        ...
    Signature Algorithm: ecdsa-with-SHA256
    ...
Total found: 6
```
Solution:

Remove the following secrets from the trust-bundle:

```yaml
- secret:
    name: {{ include "ziti-controller.fullname" . }}-ctrl-plane-identity-secret
    key: ca.crt
- secret:
    name: {{ include "ziti-controller.fullname" . }}-web-identity-secret
    key: ca.crt
- secret:
    name: {{ include "ziti-controller.fullname" . }}-admin-client-secret
    key: ca.crt
```
Also, it would be good to include the root certs directly and not the intermediate ones. Although this produces the same output, it improves readability and clarity a lot. So the outcome would be that there are just the Root CA certs for ctrl-plane, web-identity and edge-signing.
jan94 changed the title from "Current trust-bundle (ca-bundle.yaml) contains duplicate entries" to "Current trust-bundle (ca-bundle.yaml) produces duplicate root CA entries" on Jul 17, 2023.
Pruning those ca.crt data from the Bundle may be best. I haven't done that yet because someone, maybe me, still needs to analyze whether any predictable scenario would cause those root CAs to be needed. For example, when an alternative issuer is configured in the controller chart's Helm values.
The redundancy is functionally harmless because Ziti de-duplicates root CAs when they're aggregated to compute the well-known trust bundle that's used by clients to verify Ziti's server certs.
I agree the opportunity to optimize here is a more readable and understandable Bundle template and resultant ConfigMap.
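As an added example (not code from the openziti helm charts or from either commenter), the following POSIX shell script reproduces the diagnosis above with `openssl` and makes the redundancy measurable before the Bundle template is changed: it lists every certificate in a PEM bundle with its SHA-256 fingerprint and subject, counts entries that repeat an earlier certificate, and writes a pruned copy in which each distinct certificate is kept once, in original order. It assumes `openssl` (1.1.1 or 3.x), `awk`, `sed` and `mktemp` are on PATH; `ctrl-plane-cas.crt` in the usage line is the file name from the issue's command, and `dedupe-bundle.sh` is an assumed script name. The de-duplication here is by certificate fingerprint, which is the check to run on the rendered ConfigMap; it is not a claim about how the controller itself de-duplicates internally.

```shell
#!/bin/sh
# Added example, not code from the openziti helm-charts repository.
# Assumptions: `openssl` (1.1.1 or 3.x), POSIX awk/sed and mktemp are on PATH,
# and the bundle is a concatenation of PEM "CERTIFICATE" blocks.
set -eu

# Split a PEM bundle ($1) into one file per certificate under directory $2:
# cert-001.pem, cert-002.pem, ... in bundle order.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# SHA-256 fingerprint of a single PEM certificate, hex without colons.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//; s/://g'
}

# Number of PEM certificate blocks in a bundle (0 for an empty file).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# One line per certificate, in bundle order: "<fingerprint> <subject>".
# A fingerprint that appears twice is one of the duplicates storeutl listed.
list_certs() {
    dir=$(mktemp -d)
    split_bundle "$1" "$dir"
    for f in "$dir"/cert-*.pem; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "$(fingerprint "$f")" "$(openssl x509 -in "$f" -noout -subject)"
    done
    rm -rf "$dir"
}

# Number of entries that repeat an earlier certificate in the bundle.
count_duplicates() {
    total=$(count_certs "$1")
    unique=$(list_certs "$1" | cut -d' ' -f1 | sort -u | wc -l)
    echo $((total - unique))
}

# Write $2 = $1 with each distinct certificate kept once (first occurrence wins,
# original order otherwise preserved).
dedupe_bundle() {
    dir=$(mktemp -d)
    split_bundle "$1" "$dir"
    seen=" "
    : > "$2"
    for f in "$dir"/cert-*.pem; do
        [ -e "$f" ] || continue
        fp=$(fingerprint "$f")
        case "$seen" in
            *" $fp "*) continue ;;   # already emitted this certificate
        esac
        seen="$seen$fp "
        cat "$f" >> "$2"
    done
    rm -rf "$dir"
}

# Usage: sh dedupe-bundle.sh ctrl-plane-cas.crt [pruned.crt]
if [ "${1-}" ]; then
    list_certs "$1"
    echo "duplicates: $(count_duplicates "$1")"
    if [ "${2-}" ]; then
        dedupe_bundle "$1" "$2"
        echo "wrote $2 ($(count_certs "$2") certs)"
    fi
fi
```

Run it against the extracted ConfigMap data before and after changing the Bundle sources: the issue's bundle should report `duplicates: 3` with six entries, and a pruned copy should report three entries and `duplicates: 0` while still listing the ctrl-plane, edge-signing and web root subjects.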