diff --git a/pkg/kubenest/constants/constant.go b/pkg/kubenest/constants/constant.go
index 678893f52..f15d9440b 100644
--- a/pkg/kubenest/constants/constant.go
+++ b/pkg/kubenest/constants/constant.go
@@ -35,7 +35,7 @@ const (
 RsaKeySize = 2048
 KeyExtension = ".key"
 CertExtension = ".crt"
- CertificateValidity = time.Hour * 24 * 365
+ CertificateValidity = time.Hour * 24 * 365 * 100
 CaCertAndKeyName = "ca"
 VirtualClusterCertAndKeyName = "virtualCluster"
 VirtualClusterSystemNamespace = "virtualCluster-system"
diff --git a/pkg/kubenest/util/cert/certs.go b/pkg/kubenest/util/cert/certs.go
index 82fa06521..c74a77a3c 100644
--- a/pkg/kubenest/util/cert/certs.go
+++ b/pkg/kubenest/util/cert/certs.go
@@ -358,7 +358,7 @@ func NewCertificateAuthority(cc *CertConfig) (*VirtualClusterCert, error) {
 return nil, fmt.Errorf("unable to create private key while generating CA certificate, err: %w", err)
 }
- cert, err := certutil.NewSelfSignedCACert(cc.Config, key)
+ cert, err := NewSelfSignedCACert(cc.Config, key)
 if err != nil {
 return nil, fmt.Errorf("unable to create self-signed CA certificate, err: %w", err)
 }
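Review bot: Raising `CertificateValidity` to 100 years removes certificate expiry as a security control for everything minted with it, and the new `NewSelfSignedCACert` in certs.go reads this constant for the CA itself, so a leaked or weakened CA key stays trusted for a century with no forced rotation. If the motivation is that a one-year CA breaks running virtual clusters, the durable fix is a renewal/rotation path rather than a lifetime longer than any key's safe life; a value in the range commonly used for private CAs (on the order of 10 years) would be a far less extreme interim choice. Whether leaf certificates also take their lifetime from this constant is not visible in the hunk, so the blast radius may be wider than the CA. At minimum the decision should be recorded on the constant, e.g. `// CertificateValidity is 100 years: issued certificates effectively never expire, so key rotation must be handled out of band.`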
@@ -376,6 +376,30 @@ func NewCertificateAuthority(cc *CertConfig) (*VirtualClusterCert, error) { }, nil } +// NewSelfSignedCACert creates a CA certificate +func NewSelfSignedCACert(cfg certutil.Config, key crypto.Signer) (*x509.Certificate, error) { + now := time.Now() + tmpl := x509.Certificate{ + SerialNumber: new(big.Int).SetInt64(0), + Subject: pkix.Name{ + CommonName: cfg.CommonName, + Organization: cfg.Organization, + }, + DNSNames: []string{cfg.CommonName}, + NotBefore: now.UTC(), + NotAfter: now.Add(constants.CertificateValidity).UTC(), + KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, + BasicConstraintsValid: true, + IsCA: true, + } + + certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key) + if err != nil { + return nil, err + } + return x509.ParseCertificate(certDERBytes) +} + func CreateCertAndKeyFilesWithCA(cc *CertConfig, caCertData, caKeyData []byte) (*VirtualClusterCert, error) { if len(cc.Config.Usages) == 0 { return nil, fmt.Errorf("must specify at least one ExtKeyUsage")