
Commit 4d356d1

joelanford authored and perdasilva committed
improve CA and certificate generation (#2834)
Recently during an audit on a user's cluster, it was discovered that OLM's certificate generation functionality has a few minor shortcomings.

1) The generated CA and server cert do not include a common name, which causes some tooling to have trouble tracing the cert chain.
2) The generated CA and server cert include unnecessary key usages, which means those certificates can be used for more than their intended purposes.

This commit resolves the above issues by ensuring the certificates include common names and by using the minimal key usages necessary.

Signed-off-by: Joe Lanford <[email protected]>
Upstream-commit: 13fa7be0e153711a9ef6b8c3d4315ce088ad6274
Upstream-repository: operator-lifecycle-manager
1 parent fd42910 commit 4d356d1

File tree

2 files changed

+8
-8
lines changed
  • staging/operator-lifecycle-manager/pkg/controller/certs
  • vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/certs


staging/operator-lifecycle-manager/pkg/controller/certs/certs.go

Lines changed: 4 additions & 4 deletions
@@ -71,13 +71,13 @@ func GenerateCA(notAfter time.Time, organization string) (*KeyPair, error) {
7171
caDetails := &x509.Certificate{
7272
SerialNumber: serial,
7373
Subject: pkix.Name{
74+
CommonName: fmt.Sprintf("olm-selfsigned-%x", serial),
7475
Organization: []string{organization},
7576
},
7677
NotBefore: notBefore,
7778
NotAfter: notAfter,
7879
IsCA: true,
79-
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
80-
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
80+
KeyUsage: x509.KeyUsageCertSign,
8181
BasicConstraintsValid: true,
8282
}
8383
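Review bot: the added `CommonName: fmt.Sprintf("olm-selfsigned-%x", serial)` line calls `fmt.Sprintf`, but the import block is outside this hunk; confirm `fmt` is already imported in certs.go, otherwise the file will not compile. On the key usage change, `KeyUsage: x509.KeyUsageCertSign` is the correct minimum for a CA that only issues certificates, but note that dropping `KeyUsageDigitalSignature` without adding `KeyUsageCRLSign` means this CA can no longer sign a CRL; if revocation lists are ever issued, use `KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign`. Removing `ExtKeyUsage` from the CA is safe: a parent without an EKU extension does not restrict its children, so the narrowed EKU on the serving leaf still verifies against this CA.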

@@ -120,12 +120,12 @@ func CreateSignedServingPair(notAfter time.Time, organization string, ca *KeyPai
120120
certDetails := &x509.Certificate{
121121
SerialNumber: serial,
122122
Subject: pkix.Name{
123+
CommonName: hosts[0],
123124
Organization: []string{organization},
124125
},
125126
NotBefore: notBefore,
126127
NotAfter: notAfter,
127-
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
128-
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
128+
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
129129
BasicConstraintsValid: true,
130130
DNSNames: hosts,
131131
}
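Review bot: the serving certificate is left with no `KeyUsage` at all: the old `KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign` line is deleted without a replacement, so the leaf will carry no key usage extension, which is broader than the "minimal key usages" the commit message aims for. Keep `KeyUsage: x509.KeyUsageDigitalSignature` on the leaf (add `x509.KeyUsageKeyEncipherment` if the key is RSA and RSA key exchange must be supported); removing `KeyUsageCertSign` from the leaf and narrowing `ExtKeyUsage` to `x509.ExtKeyUsageServerAuth` are both correct. Also, `CommonName: hosts[0]` indexes the slice without a guard visible in this hunk; confirm `CreateSignedServingPair` rejects an empty `hosts` slice earlier, since an empty slice would panic here.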

vendor/github.com/operator-framework/operator-lifecycle-manager/pkg/controller/certs/certs.go

Lines changed: 4 additions & 4 deletions