Commit b7e75df19b

Add note as include

Add include where renewBefore is mentioned

Address patchset 1 review comments

Closes-Bug: 2042545
Change-Id: Iad4f58fd2cd4743605089b453ededce1e720c8e9
Signed-off-by: Ron Stone <ronald.stone@windriver.com>
Create Certificates Locally using cert-manager on the Controller

You can use cert-manager to locally create certificates suitable for use in a lab environment.

Note

Ensure the certificates have an RSA key length of at least 2048 bits. This release provides a newer version of openssl that requires a minimum of 2048-bit RSA keys for better security / encryption strength. The Certificate resources below do not set spec.privateKey, so cert-manager generates its default key type, a 2048-bit RSA key, which meets this requirement.

You can check the key length of an exported certificate by running

    openssl x509 -in <the-certificate-file> -noout -text

and looking for "Public-Key" in the output (for example "Public-Key: (2048 bit)" under "Public Key Algorithm: rsaEncryption"). For more information see Create Certificates Locally using openssl <create-certificates-locally-using-openssl>.
- Create a Root Certificate and Key.

  - Create a self-signing issuer.

    $ echo "
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: my-selfsigning-issuer
    spec:
      selfSigned: {}
    " | kubectl apply -f -

  - Create a Root CA certificate and key.

    $ echo "
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: my-rootca-certificate
    spec:
      secretName: my-rootca-certificate
      commonName: my-rootca
      isCA: true
      issuerRef:
        name: my-selfsigning-issuer
        kind: Issuer
    " | kubectl apply -f -

    The commonName is left unquoted on purpose: the whole manifest is already inside the shell's double quotes, so an inner "my-rootca" would be stripped by the shell rather than passed through to YAML.

  - Create a Root CA Issuer.

    $ echo "
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: my-rootca-issuer
    spec:
      ca:
        secretName: my-rootca-certificate
    " | kubectl apply -f -

  - Create files for the Root CA certificate and key.

    $ kubectl get secret my-rootca-certificate -o yaml | egrep "^  tls.crt:" | awk '{print $2}' | base64 --decode > my-rootca-cert.pem
    $ kubectl get secret my-rootca-certificate -o yaml | egrep "^  tls.key:" | awk '{print $2}' | base64 --decode > my-rootca-key.pem

    my-rootca-key.pem is the CA's private key. Restrict its permissions (for example chmod 600) and do not copy it to hosts that only need to present or trust the server certificate; only my-rootca-cert.pem needs to be distributed to clients.

- Create and sign a Server Certificate and Key.

  - Create the Server certificate and key.

    $ echo "
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: my-server-certificate
    spec:
      secretName: my-server-certificate
      duration: 2160h    # 90d
      renewBefore: 360h  # 15d
      commonName: 1.1.1.1
      dnsNames:
      - myserver.wrs.com
      ipAddresses:
      - 1.1.1.1
      issuerRef:
        name: my-rootca-issuer
        kind: Issuer
    " | kubectl apply -f -

    renewBefore only affects the Secret in the cluster: cert-manager re-issues the certificate into my-server-certificate 15 days before it expires, but any files exported from the Secret are a snapshot and must be exported again after each renewal.

  - Create the files for Server certificate and key.

    $ kubectl get secret my-server-certificate -o yaml | egrep "^  tls.crt:" | awk '{print $2}' | base64 --decode > my-server-cert.pem
    $ kubectl get secret my-server-certificate -o yaml | egrep "^  tls.key:" | awk '{print $2}' | base64 --decode > my-server-key.pem

  - Combine the server certificate and key into a single file.

    $ cat my-server-cert.pem my-server-key.pem > my-server.pem

    The combined file contains the private key, so give it the same restricted permissions as my-server-key.pem.
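The script below is an added example, not part of this procedure or of the StarlingX and cert-manager projects. It runs the checks a practitioner would want on the files exported above before putting them on a server: the 2048-bit RSA minimum from the note (parsing the same "Public-Key" line of openssl x509 -text), that my-server-cert.pem chains to my-rootca-cert.pem, that my-server-key.pem is the key for that certificate, and that the subjectAltName carries the DNS name and IP address that were requested (clients match the SAN, not the commonName). It assumes openssl 1.1.1 or later on PATH and the file names used in the procedure. make_fixture is a constructed stand-in that builds an equivalent root CA and server certificate with plain openssl so the checks can be exercised without a cluster; it is not what cert-manager does internally.

```shell
#!/bin/sh
# Added example, not from the StarlingX docs or cert-manager: post-export
# checks for the PEM files produced by the procedure above. Assumes openssl
# 1.1.1+ on PATH; file names follow the procedure (my-rootca-cert.pem, ...).

# Print the RSA modulus size in bits for the certificate in $1; print nothing
# for non-RSA keys. Matches the "RSA Public-Key:" (OpenSSL 1.1) and
# "Public-Key:" (OpenSSL 3) lines of 'openssl x509 -text', as in the note above.
rsa_key_bits() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    awk '/Public Key Algorithm: rsaEncryption/ { rsa = 1; next }
         rsa && /Public-Key: \([0-9]+ bit\)/ { gsub(/[^0-9]/, ""); print; exit }'
}

# Succeed only if $1 holds an RSA key of at least ${2:-2048} bits.
check_rsa_min_bits() {
  bits=$(rsa_key_bits "$1")
  [ -n "$bits" ] && [ "$bits" -ge "${2:-2048}" ]
}

# Succeed only if certificate $2 chains to the CA certificate $1.
check_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeed only if the public key in certificate $1 equals the public half of
# private key $2 (both dumped as DER SubjectPublicKeyInfo and compared as hex;
# a failed openssl call yields an empty dump, which never matches).
check_key_matches() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null |
      openssl pkey -pubin -outform DER 2>/dev/null | od -An -tx1)
  k=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | od -An -tx1)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeed only if the subjectAltName of $1 lists entry $2, written as openssl
# prints it ("DNS:myserver.wrs.com", "IP Address:1.1.1.1").
check_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
    tr ',' '\n' | sed 's/^ *//' | grep -qxF "$2"
}

# Run every check against the files exported by the procedure above.
verify_local_cert() {                  # $1 = directory holding the pem files
  check_rsa_min_bits "$1/my-rootca-cert.pem" 2048 &&
  check_rsa_min_bits "$1/my-server-cert.pem" 2048 &&
  check_chain "$1/my-rootca-cert.pem" "$1/my-server-cert.pem" &&
  check_key_matches "$1/my-server-cert.pem" "$1/my-server-key.pem" &&
  check_san "$1/my-server-cert.pem" "DNS:myserver.wrs.com" &&
  check_san "$1/my-server-cert.pem" "IP Address:1.1.1.1"
}

# Constructed fixture (not cert-manager output): build a throw-away root CA
# and server certificate with the procedure's names using plain openssl, so
# the checks can be exercised without a cluster. $2 selects the server key
# size so the weak-key case can be shown.
make_fixture() {                       # $1 = work dir, $2 = server RSA bits
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$1/ca.cnf"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:myserver.wrs.com,IP:1.1.1.1\n' > "$1/server.cnf"
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=my-rootca \
    -keyout "$1/my-rootca-key.pem" -out "$1/ca.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/ca.csr" -signkey "$1/my-rootca-key.pem" -days 1 \
    -extfile "$1/ca.cnf" -out "$1/my-rootca-cert.pem" 2>/dev/null &&
  openssl req -new -newkey "rsa:$2" -nodes -subj /CN=1.1.1.1 \
    -keyout "$1/my-server-key.pem" -out "$1/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/server.csr" -CA "$1/my-rootca-cert.pem" \
    -CAkey "$1/my-rootca-key.pem" -CAcreateserial -days 1 \
    -extfile "$1/server.cnf" -out "$1/my-server-cert.pem" 2>/dev/null &&
  cat "$1/my-server-cert.pem" "$1/my-server-key.pem" > "$1/my-server.pem"
}

# Usage: sh verify-local-cert.sh <directory holding the exported pem files>
if [ $# -gt 0 ]; then
  if verify_local_cert "$1"; then echo "all checks passed"; else echo "check failed" >&2; exit 1; fi
fi
```

Run it against the directory where the kubectl exports were written; a non-zero exit means one of the checks failed, and each check function can be called on its own to see which. check_chain deliberately takes the certificate-only file rather than the combined my-server.pem, so the private key never has to be read for a trust check.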