docs: remove --san with root and intermediate cert generation #860

Merged 3 commits on Dec 10, 2020
Expand Up @@ -58,7 +58,7 @@ pair and store it in a Kubernetes Secret in the namespace created above:

```bash
step certificate create identity.linkerd.cluster.local ca.crt ca.key \
--profile root-ca --no-password --insecure --san identity.linkerd.cluster.local &&
--profile root-ca --no-password --insecure &&
kubectl create secret tls \
linkerd-trust-anchor \
--cert=ca.crt \
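
Review bot: nothing in the visible context tells readers who already created `linkerd-trust-anchor` from a `ca.crt` generated with `--san identity.linkerd.cluster.local` what to do. At the changed `step certificate create` line, or in the sentence just above the code block, say whether a certificate produced by the old command can stay in place or has to be regenerated.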
4 changes: 2 additions & 2 deletions linkerd.io/content/2/tasks/generate-certificates.md
Expand Up @@ -29,7 +29,7 @@ First generate the root certificate with its private key (using `step` version

```bash
step certificate create identity.linkerd.cluster.local ca.crt ca.key \
--profile root-ca --no-password --insecure --san identity.linkerd.cluster.local
--profile root-ca --no-password --insecure
```

This generates the `ca.crt` and `ca.key` files. The `ca.crt` file is what you
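
Review bot: the sentence introducing this command names a specific release ("using `step` version ..."), and the edit changes the command without touching that sentence. If dropping `--san` is tied to how a particular `step` release handles `--profile root-ca`, update the version named there in the same change so the command and the stated version agree.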
Expand All @@ -49,7 +49,7 @@ Then generate the intermediate certificate and key pair that will be used to
sign the Linkerd proxies' CSR.

```bash
step certificate create identity.linkerd.cluster.local issuer.crt issuer.key --ca ca.crt --ca-key ca.key --profile intermediate-ca --not-after 8760h --no-password --insecure --san identity.linkerd.cluster.local
step certificate create identity.linkerd.cluster.local issuer.crt issuer.key --ca ca.crt --ca-key ca.key --profile intermediate-ca --not-after 8760h --no-password --insecure
```

This will generate the `issuer.crt` and `issuer.key` files.
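
Review bot: style point on the changed issuer command: it remains one very long line, while the same command in installing-multicluster.md is wrapped with `\` continuations. Since the line is being edited anyway, wrap it the same way so the flags are readable and a future one-flag change produces a smaller diff.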
4 changes: 2 additions & 2 deletions linkerd.io/content/2/tasks/installing-multicluster.md
Expand Up @@ -254,10 +254,10 @@ Now, you'll want to create a new trust anchor and issuer for the new cluster:

```bash
step certificate create identity.linkerd.cluster.local root.crt root.key \
--profile root-ca --no-password --insecure --san identity.linkerd.cluster.local
--profile root-ca --no-password --insecure
step certificate create identity.linkerd.cluster.local issuer.crt issuer.key \
--profile intermediate-ca --not-after 8760h --no-password --insecure \
--ca root.crt --ca-key root.key --san identity.linkerd.cluster.local
--ca root.crt --ca-key root.key
```

{{< note >}} We use the [step cli](https://smallstep.com/cli/) to generate
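
Review bot: the root command in this block carries no `--not-after`, while the issuer command below it gets `--not-after 8760h`. The trust anchor's lifetime is therefore whatever the `root-ca` profile defaults to; state that lifetime in the text or set `--not-after` explicitly, since the anchor's expiry determines when the new cluster needs a trust anchor rotation.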
Expand Up @@ -105,7 +105,7 @@ anchor rotation steps.
First, generate a new trust anchor certificate and private key:

```bash
step certificate create identity.linkerd.cluster.local ca-new.crt ca-new.key --profile root-ca --no-password --insecure --san identity.linkerd.cluster.local
step certificate create identity.linkerd.cluster.local ca-new.crt ca-new.key --profile root-ca --no-password --insecure
```

Note that we use `--no-password --insecure` to avoid encrypting these files
Expand Down Expand Up @@ -217,7 +217,7 @@ linkerd-identity-data-plane
To rotate the issuer certificate and key pair, first generate a new pair:

```bash
step certificate create identity.linkerd.cluster.local issuer-new.crt issuer-new.key --ca ca-new.crt --ca-key ca-new.key --profile intermediate-ca --not-after 8760h --no-password --insecure --san identity.linkerd.cluster.local
step certificate create identity.linkerd.cluster.local issuer-new.crt issuer-new.key --ca ca-new.crt --ca-key ca-new.key --profile intermediate-ca --not-after 8760h --no-password --insecure
```

Provided that the trust anchor has not expired and that, if recently rotated,
4 changes: 2 additions & 2 deletions linkerd.io/content/2/tasks/multicluster.md
Expand Up @@ -71,7 +71,7 @@ generate the trust anchor with step, you can run:

```bash
step certificate create identity.linkerd.cluster.local root.crt root.key \
--profile root-ca --no-password --insecure --san identity.linkerd.cluster.local
--profile root-ca --no-password --insecure
```

This certificate will form the common base of trust between all your clusters.
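
Review bot: the text after the root command goes straight to "This certificate will form the common base of trust between all your clusters" without saying that `--no-password --insecure` leaves `root.key` unencrypted on disk. Another file in this PR carries a note explaining those flags; unless this page has the same note further down, repeat it here, because this key signs the issuer for every cluster that shares the anchor.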
Expand All @@ -90,7 +90,7 @@ using the trust anchor, run:
```bash
step certificate create identity.linkerd.cluster.local issuer.crt issuer.key \
--profile intermediate-ca --not-after 8760h --no-password --insecure \
--ca root.crt --ca-key root.key --san identity.linkerd.cluster.local
--ca root.crt --ca-key root.key
```

An `identity` service in your cluster will use the certificate and key that you
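
Review bot: `--not-after 8760h` on the issuer command means the certificate handed to the `identity` service expires after one year, and the sentence that follows does not mention it. Add a line stating the expiry and pointing to the issuer rotation task so readers plan the renewal before it lapses.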