From cecb2cf9853ddf1d6cc580600447611e3616da86 Mon Sep 17 00:00:00 2001
From: Tarun Pothulapati
Date: Mon, 16 Nov 2020 11:58:17 +0530
Subject: [PATCH] docs: remove `--san` with root and intermediate cert generation

Fixes https://github.com/linkerd/linkerd2/issues/5228, #858

Signed-off-by: Tarun Pothulapati
---
 .../automatically-rotating-control-plane-tls-credentials.md | 2 +-
 linkerd.io/content/2/tasks/generate-certificates.md | 4 ++--
 linkerd.io/content/2/tasks/installing-multicluster.md | 4 ++--
 .../tasks/manually-rotating-control-plane-tls-credentials.md | 4 ++--
 linkerd.io/content/2/tasks/multicluster.md | 4 ++--
 5 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/linkerd.io/content/2/tasks/automatically-rotating-control-plane-tls-credentials.md b/linkerd.io/content/2/tasks/automatically-rotating-control-plane-tls-credentials.md
index 954c14e04c..01261fe0f7 100644
--- a/linkerd.io/content/2/tasks/automatically-rotating-control-plane-tls-credentials.md
+++ b/linkerd.io/content/2/tasks/automatically-rotating-control-plane-tls-credentials.md
@@ -58,7 +58,7 @@ pair and store it in a Kubernetes Secret in the namespace created above:

 ```bash
 step certificate create identity.linkerd.cluster.local ca.crt ca.key \
- --profile root-ca --no-password --insecure --san identity.linkerd.cluster.local &&
+ --profile root-ca --no-password --insecure &&
 kubectl create secret tls \
 linkerd-trust-anchor \
 --cert=ca.crt \
diff --git a/linkerd.io/content/2/tasks/generate-certificates.md b/linkerd.io/content/2/tasks/generate-certificates.md
index 8f809868e7..c3391914fa 100644
--- a/linkerd.io/content/2/tasks/generate-certificates.md
+++ b/linkerd.io/content/2/tasks/generate-certificates.md
@@ -29,7 +29,7 @@ First generate the root certificate with its private key (using `step` version

 ```bash
 step certificate create identity.linkerd.cluster.local ca.crt ca.key \
---profile root-ca --no-password --insecure --san identity.linkerd.cluster.local
+--profile root-ca --no-password --insecure
 ```

 This generates the `ca.crt` and `ca.key` files. The `ca.crt` file is what you
@@ -49,7 +49,7 @@ Then generate the intermediate certificate and key pair that will be used to
 sign the Linkerd proxies' CSR.

 ```bash
-step certificate create identity.linkerd.cluster.local issuer.crt issuer.key --ca ca.crt --ca-key ca.key --profile intermediate-ca --not-after 8760h --no-password --insecure --san identity.linkerd.cluster.local
+step certificate create identity.linkerd.cluster.local issuer.crt issuer.key --ca ca.crt --ca-key ca.key --profile intermediate-ca --not-after 8760h --no-password --insecure
 ```

 This will generate the `issuer.crt` and `issuer.key` files.
diff --git a/linkerd.io/content/2/tasks/installing-multicluster.md b/linkerd.io/content/2/tasks/installing-multicluster.md
index 76a901f565..07510a181d 100644
--- a/linkerd.io/content/2/tasks/installing-multicluster.md
+++ b/linkerd.io/content/2/tasks/installing-multicluster.md
@@ -252,10 +252,10 @@ Now, you'll want to create a new trust anchor and issuer for the new cluster:

 ```bash
 step certificate create identity.linkerd.cluster.local root.crt root.key \
- --profile root-ca --no-password --insecure --san identity.linkerd.cluster.local
+ --profile root-ca --no-password --insecure
 step certificate create identity.linkerd.cluster.local issuer.crt issuer.key \
 --profile intermediate-ca --not-after 8760h --no-password --insecure \
- --ca root.crt --ca-key root.key --san identity.linkerd.cluster.local
+ --ca root.crt --ca-key root.key
 ```

 {{< note >}} We use the [step cli](https://smallstep.com/cli/) to generate
diff --git a/linkerd.io/content/2/tasks/manually-rotating-control-plane-tls-credentials.md b/linkerd.io/content/2/tasks/manually-rotating-control-plane-tls-credentials.md
index deb7617968..9e83f5f472 100644
--- a/linkerd.io/content/2/tasks/manually-rotating-control-plane-tls-credentials.md
+++ b/linkerd.io/content/2/tasks/manually-rotating-control-plane-tls-credentials.md
@@ -105,7 +105,7 @@ anchor rotation steps.
 First, generate a new trust anchor certificate and private key:

 ```bash
-step certificate create identity.linkerd.cluster.local ca-new.crt ca-new.key --profile root-ca --no-password --insecure --san identity.linkerd.cluster.local
+step certificate create identity.linkerd.cluster.local ca-new.crt ca-new.key --profile root-ca --no-password --insecure
 ```

 Note that we use `--no-password --insecure` to avoid encrypting these files
@@ -211,7 +211,7 @@ linkerd-identity-data-plane
 To rotate the issuer certificate and key pair, first generate a new pair:

 ```bash
-step certificate create identity.linkerd.cluster.local issuer-new.crt issuer-new.key --ca ca-new.crt --ca-key ca-new.key --profile intermediate-ca --not-after 8760h --no-password --insecure --san identity.linkerd.cluster.local
+step certificate create identity.linkerd.cluster.local issuer-new.crt issuer-new.key --ca ca-new.crt --ca-key ca-new.key --profile intermediate-ca --not-after 8760h --no-password --insecure
 ```

 Provided that the trust anchor has not expired and that, if recently rotated,
diff --git a/linkerd.io/content/2/tasks/multicluster.md b/linkerd.io/content/2/tasks/multicluster.md
index d659458ee8..f9da4a8999 100644
--- a/linkerd.io/content/2/tasks/multicluster.md
+++ b/linkerd.io/content/2/tasks/multicluster.md
@@ -71,7 +71,7 @@ generate the trust anchor with step, you can run:

 ```bash
 step certificate create identity.linkerd.cluster.local root.crt root.key \
- --profile root-ca --no-password --insecure --san identity.linkerd.cluster.local
+ --profile root-ca --no-password --insecure
 ```

 This certificate will form the common base of trust between all your clusters.
@@ -90,7 +90,7 @@ using the trust anchor, run:
 ```bash
 step certificate create identity.linkerd.cluster.local issuer.crt issuer.key \
 --profile intermediate-ca --not-after 8760h --no-password --insecure \
- --ca root.crt --ca-key root.key --san identity.linkerd.cluster.local
+ --ca root.crt --ca-key root.key
 ```

 An `identity` service in your cluster will use the certificate and key that you