f843d3daa4
General update to Security/HTTPS and Certificates Management: - reorganization - content updates Implement patchset 1 review comments Implement patchset 2 review comments Closes-Bug: 2028184 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Iae75785e479c96751fb50a097eba8ed5e6069e94
3.7 KiB
Create Certificates Locally using cert-manager on the Controller
You can use cert-manager to locally create certificates
suitable for use in a lab environment.
Note
Ensure the certificates have RSA key length >= 2048 bits. The
Release provides a new version of openssl which requires a
minimum of 2048-bit keys for RSA for better security / encryption
strength.
You can check the key length by running
openssl x509 -in <the-certificate-file> -noout -text
and looking for the "Public-Key" in the output. For more information see
Create Certificates Locally using openssl <create-certificates-locally-using-openssl>.
- Create a Root Certificate and Key.
Create a self-signing issuer.
$ echo " apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: my-selfsigning-issuer spec: selfSigned: {} " | kubectl apply -f -Create a Root CA certificate and key.
$ echo " apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: my-rootca-certificate spec: secretName: my-rootca-certificate commonName: "my-rootca" isCA: true issuerRef: name: my-selfsigning-issuer kind: Issuer " | kubectl apply -f -Create a Root CA Issuer.
$ echo " apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: my-rootca-issuer spec: ca: secretName: my-rootca-certificate " | kubectl apply -f -Create files for the Root CA certificate and key.
$ kubectl get secret my-rootca-certificate -o yaml | egrep "^ tls.crt:" | awk '{print $2}' | base64 --decode > my-rootca-cert.pem $ kubectl get secret my-rootca-certificate -o yaml | egrep "^ tls.key:" | awk '{print $2}' | base64 --decode > my-rootca-key.pem
- Create and sign a Server Certificate and Key.
Create the Server certificate and key.
$ echo " apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: my-server-certificate spec: secretName: my-server-certificate duration: 2160h # 90d renewBefore: 360h # 15d commonName: 1.1.1.1 dnsNames: - myserver.wrs.com ipAddresses: - 1.1.1.1 issuerRef: name: my-rootca-issuer kind: Issuer " | kubectl apply -f -Create the files for Server certificate and key.
$ kubectl get secret my-server-certificate -o yaml | egrep "^ tls.crt:" | awk '{print $2}' | base64 --decode > my-server-cert.pem $ kubectl get secret my-server-certificate -o yaml | egrep "^ tls.key:" | awk '{print $2}' | base64 --decode > my-server-key.pemCombine the server certificate and key into a single file.
$ cat my-server-cert.pem my-server-key.pem > my-server.pem