<h3 id="pem">How Do I Know if My Certificates are in PEM Format?</h3>
<p>You can recognize the PEM format by the following traits:</p>
<ul>
<li>The file begins with the following header:<br/> <code>-----BEGIN CERTIFICATE-----</code></li>
<li>The header is followed by a long string of base64-encoded characters.</li>
<li>The file ends with a footer:<br/> <code>-----END CERTIFICATE-----</code></li>
</ul>
<p><strong>PEM Certificate Example:</strong></p>
<pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
-----BEGIN CERTIFICATE-----
MIIGVDCCBDygAwIBAgIJAMiIrEm29kRLMA0GCSqGSIb3DQEBCwUAMHkxCzAJBgNV
... more lines
VWQqljhfacYPgp8KJUJENQ9h5hZ2nSCrI+W00Jcw4QcEdCI8HL5wmg==
-----END CERTIFICATE-----
</pre>
<p><strong>PEM Certificate Key Example:</strong></p>
<pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
-----BEGIN RSA PRIVATE KEY-----
MIIGVDCCBDygAwIBAgIJAMiIrEm29kRLMA0GCSqGSIb3DQEBCwUAMHkxCzAJBgNV
... more lines
VWQqljhfacYPgp8KJUJENQ9h5hZ2nSCrI+W00Jcw4QcEdCI8HL5wmg==
-----END RSA PRIVATE KEY-----
</pre>
<p>If your key looks like the example below, see <a href="#convert-pkcs8">How Can I Convert My Certificate Key From PKCS8 to PKCS1?</a></p>
<pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
-----BEGIN PRIVATE KEY-----
MIIGVDCCBDygAwIBAgIJAMiIrEm29kRLMA0GCSqGSIb3DQEBCwUAMHkxCzAJBgNV
... more lines
VWQqljhfacYPgp8KJUJENQ9h5hZ2nSCrI+W00Jcw4QcEdCI8HL5wmg==
-----END PRIVATE KEY-----
</pre>
<h3 id="convert-pkcs8">How Can I Convert My Certificate Key From PKCS8 to PKCS1?</h3>
<p>If you are using a PKCS8 certificate key file, Rancher will log the following line:</p>
<pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
ListenConfigController cli-config [listener] failed with : failed to read private key: asn1: structure error: tags don't match (2 vs {class:0 tag:16 length:13 isCompound:true})
</pre>
<p>To make this work, you will need to convert the key from PKCS8 to PKCS1 using the command below:</p>
<pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
openssl rsa -in key.pem -out convertedkey.pem
</pre>
<p>You can now use <code>convertedkey.pem</code> as the certificate key file for Rancher.</p>
<h3 id="cert-order">What is the Order of Certificates if I Want to Add My Intermediate(s)?</h3>
<p>Concatenate the certificates in the following order, your server certificate first, followed by the intermediate certificate(s):</p>
<pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
-----BEGIN CERTIFICATE-----
%YOUR_CERTIFICATE%
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
%YOUR_INTERMEDIATE_CERTIFICATE%
-----END CERTIFICATE-----
</pre>
<h3 id="validate-cert-chain">How Do I Validate My Certificate Chain?</h3>
<p>You can validate the certificate chain by using the <code>openssl</code> binary. If the output of the command (see the command example below) ends with <code>Verify return code: 0 (ok)</code>, your certificate chain is valid. The <code>ca.pem</code> file must be the same one you added to the <code>rancher/rancher</code> container. When using a certificate signed by a recognized Certificate Authority, you can omit the <code>-CAfile</code> parameter.</p>
<h5>Command:</h5>
<pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
openssl s_client -CAfile ca.pem -connect rancher.yourdomain.com:443
...
Verify return code: 0 (ok)
</pre>
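<p>The three questions above (recognizing PEM, telling a PKCS8 key apart from a PKCS1 key, and ordering the bundle) all come down to the same two layers: PEM framing around base64, and the DER structure inside it. The following added example, written for this page and not taken from Rancher or OpenSSL, shows those layers in plain Python (standard library only): it classifies PEM blocks by their <code>BEGIN</code> label, unwraps a <code>PRIVATE KEY</code> (PKCS#8 <code>PrivateKeyInfo</code>) block to the <code>RSA PRIVATE KEY</code> (PKCS#1 <code>RSAPrivateKey</code>) form that <code>openssl rsa</code> produces, and checks that each certificate in a bundle is followed by the certificate that issued it. It also explains the logged error: a PKCS#1 parser reads the leading version <code>INTEGER</code>, then expects the modulus <code>INTEGER</code> (ASN.1 tag 2) but meets the 13-byte <code>AlgorithmIdentifier</code> <code>SEQUENCE</code> (tag 16) of the PKCS#8 wrapper, which is exactly the <code>tags don't match (2 vs {class:0 tag:16 length:13 ...})</code> line quoted above. All function names, the toy RSA key built from textbook-sized numbers, and the unsigned toy certificates are constructed for this example and are not usable key material.</p>

```python
"""Classify PEM blocks, unwrap a PKCS#8 RSA key to PKCS#1, and check bundle order.
Added example (standard library only); not Rancher's or OpenSSL's code. The DER
helpers, toy key and toy certificates are constructed here and are not usable."""
import base64
import re
import textwrap

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
CN_OID = bytes.fromhex("550403")               # 2.5.4.3 commonName
KINDS = {"CERTIFICATE": "x509", "RSA PRIVATE KEY": "pkcs1", "PRIVATE KEY": "pkcs8"}

# Minimal DER encode/decode, enough for the structures used here.
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def integer(n):  # non-negative INTEGER; the extra byte keeps the sign bit clear
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def read(buf, pos=0):
    """Return (tag, contents, end) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, contents, pos = read(body, pos)
        out.append((tag, contents))
    return out

# PEM framing: the BEGIN/END lines the FAQ describes around base64-encoded DER.
def pem_blocks(text):
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]

def pem_encode(label, der):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def classify(text):
    return [KINDS.get(label, "unknown") for label, _ in pem_blocks(text)]

# PKCS#8 -> PKCS#1: what `openssl rsa -in key.pem` does for an unencrypted RSA key.
def pkcs8_to_pkcs1(der):
    # PrivateKeyInfo ::= SEQUENCE { version INTEGER, algorithm SEQUENCE, privateKey OCTET STRING }
    tag, body, _ = read(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    (vt, _), (at, alg), (kt, key) = children(body)[:3]
    if (vt, at, kt) != (0x02, 0x30, 0x04):
        raise ValueError("not a PKCS#8 PrivateKeyInfo")
    if children(alg)[0] != (0x06, RSA_OID):
        raise ValueError("not an RSA key: openssl rsa cannot convert it")
    return key  # OCTET STRING contents = PKCS#1 RSAPrivateKey

def convert_key_pem(text):
    label, der = pem_blocks(text)[0]
    return text if label == "RSA PRIVATE KEY" else pem_encode("RSA PRIVATE KEY", pkcs8_to_pkcs1(der))

# Bundle order: server certificate first, each followed by the certificate that issued it.
def cert_names(der):
    """Return (subject, issuer) Name contents of an X.509 certificate."""
    fields = children(children(read(der)[1])[0][1])  # tbsCertificate
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[4][1], fields[2][1]                # subject, issuer

def chain_order_ok(bundle):
    names = [cert_names(der) for label, der in pem_blocks(bundle) if label == "CERTIFICATE"]
    return bool(names) and all(names[i][1] == names[i + 1][0] for i in range(len(names) - 1))

# Constructed samples: textbook RSA numbers (not a real key) and unsigned toy certificates.
def name(cn):
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN_OID) + tlv(0x0C, cn.encode()))))

def toy_cert(subject, issuer):
    alg = tlv(0x30, tlv(0x06, RSA_OID) + b"\x05\x00")
    tbs = tlv(0x30, tlv(0xA0, integer(2)) + integer(1) + alg + name(issuer)
              + tlv(0x30, b"") + name(subject) + tlv(0x30, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))

TOY_RSA = tlv(0x30, b"".join(integer(v) for v in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))
TOY_PKCS8 = tlv(0x30, integer(0) + tlv(0x30, tlv(0x06, RSA_OID) + b"\x05\x00") + tlv(0x04, TOY_RSA))
PKCS8_KEY_PEM = pem_encode("PRIVATE KEY", TOY_PKCS8)
LEAF = pem_encode("CERTIFICATE", toy_cert("rancher.yourdomain.com", "Toy Intermediate CA"))
INTERMEDIATE = pem_encode("CERTIFICATE", toy_cert("Toy Intermediate CA", "Toy Root CA"))
```

<p>Calling <code>classify(PKCS8_KEY_PEM)</code> returns <code>["pkcs8"]</code>, the case that produces the log line above; <code>convert_key_pem</code> turns it into a <code>["pkcs1"]</code> block whose DER payload is the inner <code>RSAPrivateKey</code> unchanged, which is all <code>openssl rsa</code> does for an unencrypted RSA key. A PKCS#8 key of another algorithm is rejected with <code>ValueError</code>, as <code>openssl rsa</code> would reject it. <code>chain_order_ok(LEAF + INTERMEDIATE)</code> is true and the reversed bundle is false, but note that this only checks the subject/issuer name linkage the bundle order depends on; whether the signatures and trust anchor actually verify is what the <code>openssl s_client</code> command above tells you.</p>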