Spoofed SSL, sign with AWS Private CA, launch on Kube
This breaks the device trust model: the app believes it is talking to a legitimate server because the certificate is signed by a private CA the device already trusts.
Make a new csr.conf and add the necessary details (the subject and, most importantly, a subjectAltName for the host the app actually connects to; most clients ignore the CN on its own).
Make a new private key:
openssl genrsa -out api.key 2048
Generate a certificate signing request (CSR):
openssl req -new -key api.key -out spoofed.csr -config csr.conf
Assume the AWS role that allows access to ACM PCA (here via the assume-cross-acct profile) and have the private CA sign the CSR:
aws acm-pca issue-certificate \
  --profile assume-cross-acct \
  --certificate-authority-arn arn:aws:acm-pca:us-east-1:XXXXXX:certificate-authority/XXXXXXXXX \
  --csr fileb://spoofed.csr \
  --signing-algorithm "SHA256WITHRSA" \
  --validity Value=30,Type="DAYS" \
  --template-arn arn:aws:acm-pca:::template/EndEntityCertificate/V1
This returns the ARN of the newly issued certificate (CertificateArn), which the next step needs.
Get the cert and store it locally (the --certificate-authority-arn must be the same CA, in the same region, that issued the certificate):
aws acm-pca get-certificate \
  --certificate-authority-arn arn:aws:acm-pca:us-west-2:XXXXXX:certificate-authority/XXXXX \
  --certificate-arn arn:aws:acm-pca:us-west-2:XXXX:certificate-authority/XXXXX/certificate/redactedId \
  --output text > api.crt
Open api.crt and make sure the leaf certificate and the chain certificate are in separate PEM blocks: with --output text the Certificate and CertificateChain fields come back tab-separated, so the -----END CERTIFICATE----- line of the leaf and the -----BEGIN CERTIFICATE----- line of the chain can land on the same line. Put them on two separate lines.
Once that is done, upload api.key and api.crt to the EC2 instance/server where Kubernetes is running.
Kubernetes has different pods that do different things. The app-tls pod generally takes care of TLS handling: connections arrive there, the data is decrypted, and backend pods such as app-api (listening on a port like 3000) take care of the logic. app-tls has the SSL certificate installed, and app-ingress holds the config that says which TLS secret (app-tls) to use. Our aim is to replace that certificate with our signed cert.

On Kubernetes:

a. Create a new secret:
k3s kubectl create secret tls my-valid-tls --key api.key --cert api.crt -n default

b. Edit the ingress rule that fronts app-tls; this is where the TLS secret in use is configured:
k3s kubectl edit ingress app-ingress -n default
Look for the line that says app-tls (the secretName field under spec.tls) and replace it with our secret "my-valid-tls".
That's it: your server on Kubernetes will now present your spoofed cert.
You can also create your own CA and sign your cert with it; that only helps if the device or app trusts your CA, which is the whole reason the private CA above is worth the cross-account step.