Multiple Certficiation Authority certificates (?)

Question

I have created a kubernetes cluster on aws using kops.

Unless I am wrong, the ca.crt and ca.key files are in the following locations as indicated by this very helpful answer:

   - s3://<BUCKET_NAME>/<CLUSTER_NAME>/pki/private/ca/*.key
   - s3://<BUCKET_NAME>/<CLUSTER_NAME>/pki/issued/ca/*.crt

However, I coulnd't help noticing that in my ~/.kube/config file (which was created automatically by kops), I have an entry named:

certificate-authority-data

whose contents are different than both of the above files.

What is in any case the CA key/crt pairs we should use when issuing client certificates?

Why there are (seemingly) more than one CAs ?

Answer 1

Ok this is weird ... (perhaps for an inexperienced on such issues like me ...)

When I perform:

echo -n <contents_of_the_certificate-authority-data_entry_of_my_kubeconfig_file> | base64 --decode

...I get my ca.crt file ...

Isn't the ca.crt already base64 encoded?

Answer 2

The certificate-authority-data present on your Kubernetes config file is nothing else that your certificate encoded in base64 (It's a lot more practical to have a continuous text string for a configuration file than without the base64 encoding).

Your .crt file is encoded in RSA, not base64. RSA is a secure cryptosystem based on public and private keys (your .crt and .key respectively). Base64, is, at best, useful for formatting or transmitting already encrypted data.