@psaia
Last active July 19, 2023 19:02
Handy tls/x.509 debugging notes
# If you need to export certs from a k8s secret
kubectl get secret/my-secret -n istio-system -ojson | jq -r '.data["tls.key"]' | base64 --decode > tls.key
kubectl get secret/my-secret -n istio-system -ojson | jq -r '.data["tls.crt"]' | base64 --decode > tls.crt
kubectl get secret/my-secret -n istio-system -ojson | jq -r '.data["ca.crt"]' | base64 --decode > ca.crt
kubectl get secret/my-secret-cacert -ojson -n istio-system | jq -r '.data.cacert' | base64 --decode > chain.crt
# Create an mTLS server and connect to it with a client locally. This is useful
# for verifying that the entire stack of certificates works together. It will
# actually create a server listening on port 7569.
openssl s_server -accept 7569 -CAfile cacert.crt -cert tls.crt -key tls.key -Verify 10 -tls1_2 -state -quiet
openssl s_client -connect localhost:7569 -CAfile cachain.crt -cert tls.crt -key tls.key -tls1_2 -state -quiet
# Connect to mTLS using x.509 certs along with SNI
openssl s_client -connect {DOMAIN}:443 \
-servername {SNI_DOMAIN} \
-key key.pem \
-cert cert.pem \
-CAfile ca.pem \
-showcerts \
-debug
# Curl using x.509 certs w/ SNI
curl \
--key key.pem \
--cert cert.pem \
--cacert ca.pem \
--resolve {DOMAIN}:443:{RESOLVABLE_IP_ADDRESS} \
https://{DOMAIN}
# Verify a cert + ca
openssl verify -verbose -show_chain -CAfile ca.pem cert.crt
# View details of a local cert (pem format)
openssl x509 -in cert.pem -text -noout
# Confirm a cert and key match
openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in key.pem | openssl md5
# grpcurl using x.509s and SNI (assuming the service has a conventional healthcheck endpoint):
grpcurl \
-cert=cert.pem \
-key=key.pem \
-cacert=ca.pem \
-servername {DOMAIN} \
-vv \
{DOMAIN}:443 \
grpc.health.v1.Health/Check
# Issue x.509 certs from Vault
vault write the/full/path/approle/login role_id={ROLE_ID} secret_id={SECRET_ID}
export VAULT_TOKEN={THE_TOKEN}
vault write pki/issue/{ROLE_NAME} common_name={DOMAIN}
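An added pre-flight check, example code that is not part of the gist, extending the "verify a cert + ca" and "confirm a cert and key match" steps above: it compares public-key fingerprints so it also works for EC keys (the modulus trick is RSA-only) and uses the -verify_hostname option of openssl verify to check the chain and the SNI hostname in one go. It assumes only openssl and a POSIX sh; the throwaway CA, leaf cert and hostname svc.example.test are constructed fixtures.

```shell
#!/bin/sh
# Added example, not from the gist: pre-flight a cert/key/CA set before
# pointing s_server or s_client at it.
set -eu

# Public-key fingerprints match for RSA and EC keys alike (modulus is RSA-only).
cert_matches_key() {   # usage: cert_matches_key cert.pem key.pem
  c=$(openssl x509 -in "$1" -pubkey -noout | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# Chain verification plus the hostname you will hand to -servername / SNI.
chain_and_host_ok() {  # usage: chain_and_host_ok ca.pem cert.pem hostname
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Constructed fixture: a throwaway EC CA, a leaf with SAN svc.example.test,
# and an unrelated key, all in a temp dir whose path is printed.
make_fixture() {
  d=$(mktemp -d)
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$d/ca.key" -out "$d/ca.pem" -subj /CN=test-ca -days 1 2>/dev/null
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj /CN=svc 2>/dev/null
  printf 'subjectAltName=DNS:svc.example.test\n' > "$d/ext.cnf"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -extfile "$d/ext.cnf" -out "$d/leaf.pem" 2>/dev/null
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/other.key"
  echo "$d"
}

# Stand-alone demo: build the fixture and report each check.
fixture=$(make_fixture)
cert_matches_key "$fixture/leaf.pem" "$fixture/leaf.key" && echo "leaf.pem matches leaf.key"
cert_matches_key "$fixture/leaf.pem" "$fixture/other.key" || echo "leaf.pem does NOT match other.key"
chain_and_host_ok "$fixture/ca.pem" "$fixture/leaf.pem" svc.example.test && echo "chain + SNI host OK"
chain_and_host_ok "$fixture/ca.pem" "$fixture/leaf.pem" wrong.example.test || echo "hostname mismatch detected"
```

Point the two functions at the tls.crt / tls.key / chain.crt exported from the k8s secret above (and the {SNI_DOMAIN} you use) to check them before the s_server/s_client round trip.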