docs/doc/source/security/kubernetes/create-certificates-locally-using-cert-manager-on-the-controller.rst


.. qtr1594910639395
.. _create-certificates-locally-using-cert-manager-on-the-controller:

================================================================
Create Certificates Locally using cert-manager on the Controller
================================================================

You can use :command:`cert-manager` to locally create certificates suitable
for use in a lab environment.

.. note::
    
    Ensure the certificates have RSA key length >= 2048 bits. The
    |prod-long| Release |this-ver| provides a new version of ``openssl`` which
    requires a minimum of 2048-bit keys for RSA for better security / encryption
    strength.
    
    You can check the key length by running ``openssl x509 -in <the-certificate-file>
    -noout -text`` and looking for the "Public-Key" in the output. For more
    information see :ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.

.. rubric:: |proc|

#.  Create a Root |CA| Certificate and Key.

    #.  Create a self-signing issuer.

        .. code-block:: none

            $ echo "
            apiVersion: cert-manager.io/v1
            kind: Issuer
            metadata:
              name: my-selfsigning-issuer
            spec:
              selfSigned: {}
            " | kubectl apply -f -


    #.  Create a Root CA certificate and key.

        .. code-block:: none

            $ echo "
            apiVersion: cert-manager.io/v1
            kind: Certificate
            metadata:
              name: my-rootca-certificate
            spec:
              secretName: my-rootca-certificate
              commonName: "my-rootca"
              isCA: true
              issuerRef:
                name: my-selfsigning-issuer
                kind: Issuer
            " | kubectl apply -f -

    #.  Create a Root CA Issuer.

        .. code-block:: none

            $ echo "
            apiVersion: cert-manager.io/v1
            kind: Issuer
            metadata:
              name: my-rootca-issuer
            spec:
              ca:
                secretName: my-rootca-certificate
            " | kubectl apply -f -

    #.  Create files for the Root CA certificate and key.

        .. code-block:: none

            $ kubectl get secret my-rootca-certificate -o yaml | egrep "^  tls.crt:" | awk '{print $2}' | base64 --decode > my-rootca-cert.pem
            $ kubectl get secret my-rootca-certificate -o yaml | egrep "^  tls.key:" | awk '{print $2}' | base64 --decode > my-rootca-key.pem

#.  Create and sign a Server Certificate and Key.

    #.  Create the Server certificate and key.

        .. code-block:: none

            $ echo "
            apiVersion: cert-manager.io/v1
            kind: Certificate
            metadata:
              name: my-server-certificate
            spec:
              secretName: my-server-certificate
              duration: 2160h # 90d
              renewBefore: 360h # 15d
              commonName: 1.1.1.1
              dnsNames:
              - myserver.wrs.com
              ipAddresses:
              - 1.1.1.1
              issuerRef:
                name: my-rootca-issuer
                kind: Issuer
            " | kubectl apply -f -

    #.  Create the |PEM| files for Server certificate and key.

        .. code-block:: none

            $ kubectl get secret my-server-certificate -o yaml | egrep "^  tls.crt:" | awk '{print $2}' | base64 --decode > my-server-cert.pem
            $ kubectl get secret my-server-certificate -o yaml | egrep "^  tls.key:" | awk '{print $2}' | base64 --decode > my-server-key.pem

    #.  Combine the server certificate and key into a single file.

        .. code-block:: none

            $ cat my-server-cert.pem my-server-key.pem > my-server.pem
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`.. qtr1594910639395`
			`.. _create-certificates-locally-using-cert-manager-on-the-controller:`

			`================================================================`
			`Create Certificates Locally using cert-manager on the Controller`
			`================================================================`

			You can use :command:`cert-manager` to locally create certificates suitable
			`for use in a lab environment.`

HTTPS cert updates General update to Security/HTTPS and Certificates Management: - reorganization - content updates Implement patchset 1 review comments Implement patchset 2 review comments Closes-Bug: 2028184 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Iae75785e479c96751fb50a097eba8ed5e6069e94 2023-07-14 11:31:15 +00:00			`.. note::`

			`Ensure the certificates have RSA key length >= 2048 bits. The`
			\|prod-long\| Release \|this-ver\| provides a new version of ``openssl`` which
			`requires a minimum of 2048-bit keys for RSA for better security / encryption`
			`strength.`

			You can check the key length by running ``openssl x509 -in <the-certificate-file>
			-noout -text`` and looking for the "Public-Key" in the output. For more
			information see :ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.

Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00			`.. rubric:: \|proc\|`

			`#. Create a Root \|CA\| Certificate and Key.`

			`#. Create a self-signing issuer.`

			`.. code-block:: none`

			`$ echo "`
Platform Application Components updates cert-manager Story: 2009837 Task: 45638 Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com> Change-Id: Icd792cc1daea5e2b451f66aa7ac366d627d647d5 2022-06-16 13:19:00 -03:00			`apiVersion: cert-manager.io/v1`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00			`kind: Issuer`
			`metadata:`
			`name: my-selfsigning-issuer`
			`spec:`
			`selfSigned: {}`
			`" \| kubectl apply -f -`


			`#. Create a Root CA certificate and key.`

			`.. code-block:: none`

			`$ echo "`
Platform Application Components updates cert-manager Story: 2009837 Task: 45638 Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com> Change-Id: Icd792cc1daea5e2b451f66aa7ac366d627d647d5 2022-06-16 13:19:00 -03:00			`apiVersion: cert-manager.io/v1`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00			`kind: Certificate`
			`metadata:`
			`name: my-rootca-certificate`
			`spec:`
			`secretName: my-rootca-certificate`
			`commonName: "my-rootca"`
			`isCA: true`
			`issuerRef:`
			`name: my-selfsigning-issuer`
			`kind: Issuer`
			`" \| kubectl apply -f -`

			`#. Create a Root CA Issuer.`

			`.. code-block:: none`

			`$ echo "`
Platform Application Components updates cert-manager Story: 2009837 Task: 45638 Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com> Change-Id: Icd792cc1daea5e2b451f66aa7ac366d627d647d5 2022-06-16 13:19:00 -03:00			`apiVersion: cert-manager.io/v1`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00			`kind: Issuer`
			`metadata:`
			`name: my-rootca-issuer`
			`spec:`
			`ca:`
			`secretName: my-rootca-certificate`
			`" \| kubectl apply -f -`

			`#. Create files for the Root CA certificate and key.`

			`.. code-block:: none`

			`$ kubectl get secret my-rootca-certificate -o yaml \| egrep "^ tls.crt:" \| awk '{print $2}' \| base64 --decode > my-rootca-cert.pem`
			`$ kubectl get secret my-rootca-certificate -o yaml \| egrep "^ tls.key:" \| awk '{print $2}' \| base64 --decode > my-rootca-key.pem`

			`#. Create and sign a Server Certificate and Key.`

			`#. Create the Server certificate and key.`

			`.. code-block:: none`

			`$ echo "`
Platform Application Components updates cert-manager Story: 2009837 Task: 45638 Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com> Change-Id: Icd792cc1daea5e2b451f66aa7ac366d627d647d5 2022-06-16 13:19:00 -03:00			`apiVersion: cert-manager.io/v1`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00			`kind: Certificate`
			`metadata:`
			`name: my-server-certificate`
			`spec:`
			`secretName: my-server-certificate`
			`duration: 2160h # 90d`
			`renewBefore: 360h # 15d`
			`commonName: 1.1.1.1`
			`dnsNames:`
			`- myserver.wrs.com`
			`ipAddresses:`
			`- 1.1.1.1`
			`issuerRef:`
			`name: my-rootca-issuer`
			`kind: Issuer`
			`" \| kubectl apply -f -`

			`#. Create the \|PEM\| files for Server certificate and key.`

			`.. code-block:: none`

			`$ kubectl get secret my-server-certificate -o yaml \| egrep "^ tls.crt:" \| awk '{print $2}' \| base64 --decode > my-server-cert.pem`
			`$ kubectl get secret my-server-certificate -o yaml \| egrep "^ tls.key:" \| awk '{print $2}' \| base64 --decode > my-server-key.pem`

			`#. Combine the server certificate and key into a single file.`

			`.. code-block:: none`

			`$ cat my-server-cert.pem my-server-key.pem > my-server.pem`