Merge pull request ceph#63162 from Kushal-deb/fix_issue-2323601-trust-both-sites-rgw-certs-from-a-node

mgr/cephadm: include cluster FSID in root CA Common Name (CN)

Reviewed-by: Adam King <[email protected]>
Reviewed-by: Redouane Kachach <[email protected]>

Author: adk3798

src/pybind/mgr/cephadm/ssl_cert_utils.py

@@ -137,7 +137,7 @@ def generate_root_cert(
         root_public_key = self.root_key.public_key()
         root_builder = x509.CertificateBuilder()
         root_ca_name = x509.Name([
-            x509.NameAttribute(NameOID.COMMON_NAME, u'cephadm-root'),
+            x509.NameAttribute(NameOID.COMMON_NAME, f'cephadm-root-{self.cluster_fsid}'),
         ])
         root_builder = root_builder.subject_name(root_ca_name)
         root_builder = root_builder.issuer_name(root_ca_name)
@@ -197,11 +197,8 @@ def generate_cert(
         public_key = private_key.public_key()
 
         builder = x509.CertificateBuilder()
-        root_ca_name = x509.Name([
-            x509.NameAttribute(NameOID.COMMON_NAME, u'cephadm-root'),
-        ])
         builder = builder.subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, addrs[0]), ]))
-        builder = builder.issuer_name(root_ca_name)
+        builder = builder.issuer_name(self.get_root_issuer_name())
         builder = builder.not_valid_before(datetime.now())
         builder = builder.not_valid_after(datetime.now() + timedelta(days=self.certificate_duration_days))
         builder = builder.serial_number(x509.random_serial_number())
@@ -298,6 +295,11 @@ def get_root_cert(self) -> str:
         except AttributeError:
             return ''
 
+    def get_root_issuer_name(self) -> x509.Name:
+        if not self.root_cert:
+            raise SSLConfigException("Root certificate not initialized.")
+        return self.root_cert.subject
+
     def get_root_key(self) -> str:
         try:
             return self.root_key.private_bytes(