openssl x509 -in /var/lib/minikube/certs/etcd/peer.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 809360150158301925 (0xb3b6cc4b58adae5)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = etcd-ca
Validity
Not Before: May 8 01:21:03 2025 GMT
Not After : May 8 01:26:03 2026 GMT
Subject: CN = minikube
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d9:74:b8:50:07:d3:78:19:0d:3c:a1:26:99:94:
e9:ad:36:37:9c:2e:c3:e9:54:e4:00:a6:6d:fb:0e:
41:92:51:7a:ab:be:ea:32:77:07:1e:61:b3:6e:21:
1c:ea:49:55:93:16:24:44:76:91:80:4e:cc:fa:2e:
1d:78:f5:e5:aa:b8:13:ef:b2:5e:4c:31:a5:a4:43:
86:6c:bf:0a:55:c0:65:5d:a6:11:93:e8:1e:07:69:
7b:e8:e6:e5:8a:aa:7f:c8:25:a7:e6:14:b1:9f:8b:
3b:64:e6:3e:8b:c6:ee:98:e7:29:31:3f:1c:39:29:
fd:ac:5b:ae:a8:22:d2:b8:d7:b3:c0:00:6a:93:c2:
5c:1e:e5:31:6f:2b:0b:00:77:e2:7d:55:53:f7:c2:
43:72:85:19:d3:b4:b6:97:16:91:dd:3d:a2:49:f6:
37:a4:61:e1:26:b6:ad:18:3a:88:bb:3f:e0:c0:ce:
1e:f0:b4:22:e1:b1:cb:e0:fa:d3:b4:3f:42:b8:ae:
42:50:22:72:3e:b8:27:12:7f:18:5f:e5:0e:55:2f:
6c:83:48:d9:5d:77:24:b0:9e:f9:b7:5f:29:ae:2b:
81:14:59:43:5b:26:ae:5e:a2:96:e3:a2:79:ec:45:
02:07:8a:0e:55:ac:12:a6:f4:01:89:19:d7:5a:b9:
9a:f5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
4B:2B:F0:C6:74:0D:34:0C:7F:87:9D:A7:8A:02:B5:7B:26:59:D9:6B
X509v3 Subject Alternative Name:
DNS:localhost, DNS:minikube, IP Address:192.168.49.2, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
73:99:47:e1:6c:bd:44:18:c9:15:e5:bd:14:2c:48:b6:dc:5f:
fd:cf:67:8c:2a:00:d9:85:28:a8:1a:dd:67:f0:95:b3:e9:ec:
f0:d0:67:7e:ed:cd:f9:cc:e0:6a:6a:ac:03:0a:f8:cd:9c:6e:
44:48:bc:2b:32:7f:f7:1e:c0:97:f2:e4:24:d1:a5:e8:95:96:
83:e9:92:68:43:87:d8:dd:d6:6d:b1:50:00:5c:e4:d8:da:0c:
e8:32:7d:ec:47:33:30:ab:8f:ac:19:df:83:f9:84:61:36:49:
e3:69:68:e1:62:ba:9c:2b:16:f7:15:54:6d:7e:c0:66:be:e4:
3c:54:60:c1:45:12:4b:9d:3a:37:63:29:ac:dc:30:74:4a:59:
ad:fd:69:e8:2e:83:4e:0d:c8:3b:1d:4e:08:a4:16:32:c1:84:
96:41:97:ef:cd:d3:75:39:75:5a:39:3b:e3:59:f5:a8:59:10:
d6:93:a6:b5:d9:83:d7:6c:5e:12:0f:3b:75:4e:ca:2c:b9:d2:
0b:54:f7:9a:e9:2a:7e:56:57:da:62:b5:89:ce:15:99:cc:68:
5d:8d:72:a5:fd:05:07:43:7e:e4:0b:e5:56:cb:bf:cd:1b:0b:
8b:08:de:20:8a:b2:39:9d:ac:d1:2c:e5:68:9e:97:c2:33:be:
61:3b:d1:6f
-----BEGIN CERTIFICATE-----
... (Base64 encoded data)
-----END CERTIFICATE-----
Okay, let’s break down this TLS certificate output from the openssl x509 -in /var/lib/minikube/certs/etcd/peer.crt -text command. This output shows the details of an X.509 certificate, which is the standard format for TLS/SSL certificates.
Here’s what each part means:
Certificate:
Data:
This is the start of the main certificate data block. It contains all the information about the certificate itself.
Version: 3 (0x2)
This indicates the version of the X.509 standard the certificate complies with. Version 3 is the most common and supports extensions.
Serial Number: 809360150158301925 (0xb3b6cc4b58adae5)
This is a unique identifier assigned to this specific certificate by the issuing Certificate Authority (CA). The number is shown in both decimal and hexadecimal format.
Signature Algorithm: sha256WithRSAEncryption
This specifies the algorithm used by the CA to sign the certificate. Here, it’s SHA-256 (a hashing algorithm) combined with RSA (an encryption/signing algorithm). This ensures the integrity and authenticity of the certificate data.
Issuer: CN = etcd-ca
This identifies the entity that issued this certificate. CN stands for Common Name. In this case, the issuer is an entity named “etcd-ca”. This is likely the Certificate Authority within your minikube environment that created this certificate for the etcd peer.
Validity
Not Before: May 8 01:21:03 2025 GMT
Not After : May 8 01:26:03 2026 GMT
This specifies the time period during which the certificate is considered valid.
- Not Before: The date and time before which the certificate is not valid.
- Not After: The date and time after which the certificate is not valid. Certificates outside of their validity period will be rejected by TLS clients.
Subject: CN = minikube
This identifies the entity the certificate is issued to. In this case, the subject’s Common Name is “minikube”. This is the identity that this certificate represents.
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
... (hexadecimal data)
Exponent: 65537 (0x10001)
This section contains the public key associated with the certificate’s subject (“minikube”).
- Public Key Algorithm: Specifies the type of public key algorithm used, which is RSA in this case.
- Public-Key: (2048 bit): Indicates the size of the RSA key, which is 2048 bits.
- Modulus and Exponent: These are the mathematical components of the RSA public key. The modulus is a large number (here 2048 bits long), and the exponent is typically a small number (65537 is the common choice). Together they form the public key: data encrypted with it can only be decrypted by the corresponding private key, and signatures made with the private key can be verified with it.
X509v3 extensions:
This section lists standard and non-standard extensions that provide additional information about the certificate and how it should be used. Version 3 certificates allow for these extensions.
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
This extension defines the purpose(s) for which the public key contained in the certificate can be used.
- critical: This flag indicates that if a TLS client doesn’t understand this extension, it must reject the certificate.
- Digital Signature: Allows the public key to be used to verify digital signatures.
- Key Encipherment: Allows the public key to be used to encrypt symmetric keys, which are then used for encrypting the actual data in a TLS session.
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
This extension provides more specific use cases for the public key, beyond the general Key Usage.
- TLS Web Server Authentication: Allows the certificate to be used by a server to authenticate itself to a client during a TLS handshake (e.g., for HTTPS).
- TLS Web Client Authentication: Allows the certificate to be used by a client to authenticate itself to a server during a TLS handshake.
This certificate is configured for both server and client authentication, which is what an etcd peer needs: it both accepts connections from and opens connections to the other cluster members, presenting this same certificate in each direction.
X509v3 Basic Constraints: critical
CA:FALSE
This extension indicates whether the subject of the certificate is a Certificate Authority and is allowed to issue other certificates.
- critical: If a client doesn’t understand this, it must reject the certificate.
- CA:FALSE: This is not a CA certificate. It is an end-entity certificate, meaning it is issued to a specific service or user and cannot be used to sign other certificates.
X509v3 Authority Key Identifier:
4B:2B:F0:C6:74:0D:34:0C:7F:87:9D:A7:8A:02:B5:7B:26:59:D9:6B
This extension provides a way to identify the public key of the CA that issued this certificate. This helps in building and verifying the certificate chain. It’s a hash or identifier of the issuer’s public key.
X509v3 Subject Alternative Name:
DNS:localhost, DNS:minikube, IP Address:192.168.49.2, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
This crucial extension lists alternative names or identities for the certificate’s subject. When a client connects to a server using TLS, it checks whether the hostname or IP address it is trying to connect to is listed in either the Subject’s Common Name or, more importantly, in the Subject Alternative Name extension. Modern TLS clients match only the SAN entries and ignore the Common Name, so every name and address the peer is reached by must appear here.
- DNS:localhost, DNS:minikube: Specifies valid domain names for this certificate.
- IP Address:...: Specifies valid IP addresses for this certificate.
This certificate is valid for connections to localhost, minikube, 192.168.49.2, 127.0.0.1, and [::1] (the IPv6 loopback address).
Signature Algorithm: sha256WithRSAEncryption
This reiterates the algorithm used to sign the certificate (by the issuer).
Signature Value:
... (hexadecimal data)
This is the actual digital signature created by the CA using its private key over the Data part of the certificate. A TLS client uses the CA’s public key (from the CA’s certificate) and the Signature Algorithm to verify this signature. If the signature is valid, it confirms that the certificate was indeed issued by the claimed CA and that the certificate data hasn’t been tampered with.
-----BEGIN CERTIFICATE-----
... (Base64 encoded data)
-----END CERTIFICATE-----
This is the certificate itself in PEM (Privacy-Enhanced Mail) format. It’s the standard way to represent X.509 certificates in ASCII text. The text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- is the Base64 encoding of the certificate’s binary (DER) data. This is the format you would typically share or install.
In summary, this certificate is for a component named “minikube” within an environment managed by an internal CA “etcd-ca”. It’s valid for a year starting May 8, 2025, and contains a 2048-bit RSA public key. It’s designed for both server and client authentication and is valid for connecting to localhost, minikube, and specific IP addresses. The CA has signed this certificate using SHA-256 with RSA to ensure its authenticity.
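To see the checks described above actually run, here is an added example (not part of the original page and not minikube’s own tooling) that rebuilds a throwaway “etcd-ca” and a peer certificate with the same extension profile as the output above, then applies the chain, purpose, validity and SAN checks a TLS client performs. The CA profile, key material and negative test names (etcd.example.invalid, 10.0.0.1) are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original page: rebuild an "etcd-ca" and a peer
# certificate with the same extension profile as the minikube cert above, then run
# the checks a TLS client applies to it: trust chain and purpose, validity window,
# and hostname/IP matching against the SAN. Only the openssl CLI is needed; the keys
# and certificates are constructed in a scratch directory and discarded afterwards.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# CA profile (constructed): a minimal issuing CA that is allowed to sign certificates.
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
# Peer profile copied from the X509v3 extensions shown in the output above.
cat > peer.ext <<'EOF'
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
basicConstraints = critical, CA:FALSE
authorityKeyIdentifier = keyid
subjectAltName = DNS:localhost, DNS:minikube, IP:192.168.49.2, IP:127.0.0.1, IP:::1
EOF

# Self-signed CA (CN=etcd-ca), then a CSR for CN=minikube signed by that CA for one year.
openssl req -newkey rsa:2048 -nodes -subj "/CN=etcd-ca" -keyout ca.key -out ca.csr 2>/dev/null
openssl x509 -req -sha256 -days 3650 -in ca.csr -signkey ca.key -extfile ca.ext -out ca.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=minikube" -keyout peer.key -out peer.csr 2>/dev/null
openssl x509 -req -sha256 -days 365 -in peer.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile peer.ext -out peer.crt 2>/dev/null

# Each check returns 0 when it passes, like the matching step in a TLS client.
# Signature chain back to the CA plus Extended Key Usage for the named purpose.
chain_ok()  { openssl verify -purpose "$1" -CAfile ca.crt peer.crt >/dev/null 2>&1; }
# Subject Alternative Name matching for a DNS name or an IP literal.
host_ok()   { openssl x509 -in peer.crt -noout -checkhost "$1" | grep -q 'does match'; }
ip_ok()     { openssl x509 -in peer.crt -noout -checkip "$1" | grep -q 'does match'; }
# Validity window: is the certificate still valid for at least $1 more seconds?
valid_for() { openssl x509 -in peer.crt -noout -checkend "$1" >/dev/null; }

# Stand-alone run: print the fields the page walks through, then exercise the checks.
openssl x509 -in peer.crt -noout -subject -issuer -dates
openssl x509 -in peer.crt -noout -checkhost minikube -checkip 192.168.49.2
openssl x509 -in peer.crt -noout -checkhost etcd.example.invalid -checkip 10.0.0.1
chain_ok sslserver && chain_ok sslclient && echo "chain verifies for serverAuth and clientAuth"
chain_ok crlsign || echo "chain rejected for purpose crlsign: Key Usage does not allow it"
```

Point the same functions at the real /var/lib/minikube/certs/etcd/peer.crt and its CA file to run the identical checks against the certificate shown on this page.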