Create Certificates Locally using cert-manager on the Controller
You can use cert-manager to locally create certificates suitable for use in a lab environment.
Note

Ensure the certificates have an RSA key length >= 2048 bits. StarlingX Release r9.0 provides a new version of openssl which requires a minimum of 2048-bit keys for RSA for better security / encryption strength.

You can check the key length by running:

    $ openssl x509 -in <the-certificate-file> -noout -text

and looking for the “Public-Key” line in the output. For more information see Create Certificates Locally using openssl.
Procedure

Create a Root CA Certificate and Key.

Create a self-signing issuer.

    $ echo "
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: my-selfsigning-issuer
    spec:
      selfSigned: {}
    " | kubectl apply -f -
Create a Root CA certificate and key.

    $ echo "
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: my-rootca-certificate
    spec:
      secretName: my-rootca-certificate
      commonName: my-rootca
      isCA: true
      issuerRef:
        name: my-selfsigning-issuer
        kind: Issuer
    " | kubectl apply -f -
Create a Root CA Issuer.

    $ echo "
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: my-rootca-issuer
    spec:
      ca:
        secretName: my-rootca-certificate
    " | kubectl apply -f -
Create files for the Root CA certificate and key.

    $ kubectl get secret my-rootca-certificate -o yaml | egrep "^  tls.crt:" | awk '{print $2}' | base64 --decode > my-rootca-cert.pem
    $ kubectl get secret my-rootca-certificate -o yaml | egrep "^  tls.key:" | awk '{print $2}' | base64 --decode > my-rootca-key.pem
Create and sign a Server Certificate and Key.

Create the Server certificate and key.

    $ echo "
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: my-server-certificate
    spec:
      secretName: my-server-certificate
      duration: 2160h    # 90d
      renewBefore: 360h  # 15d
      commonName: 1.1.1.1
      dnsNames:
      - myserver.wrs.com
      ipAddresses:
      - 1.1.1.1
      issuerRef:
        name: my-rootca-issuer
        kind: Issuer
    " | kubectl apply -f -
Note

The Certificate usage page of the cert-manager documentation (https://cert-manager.io/docs/usage/certificate/) states that one should “Take care when setting the renewBefore field to be very close to the duration as this can lead to a renewal loop, where the Certificate is always in the renewal period.” In light of this statement, you must not set renewBefore to a value very close to the duration value, such as a renewBefore of 29 days and a duration of 30 days. Instead, set values such as renewBefore=15 days and duration=30 days to avoid renewal loops.

Create the PEM files for the Server certificate and key.

    $ kubectl get secret my-server-certificate -o yaml | egrep "^  tls.crt:" | awk '{print $2}' | base64 --decode > my-server-cert.pem
    $ kubectl get secret my-server-certificate -o yaml | egrep "^  tls.key:" | awk '{print $2}' | base64 --decode > my-server-key.pem
Combine the server certificate and key into a single file.

    $ cat my-server-cert.pem my-server-key.pem > my-server.pem
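The checks the note above asks for (key length, plus that the server certificate matches its key and chains to the Root CA), as an added POSIX shell script that is not part of the StarlingX page. It assumes openssl is on the PATH and uses the file names produced by the procedure; the function and script names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the StarlingX page: sanity checks for the PEM files
# written out by the procedure above. Assumes openssl is on the PATH; the file
# names are the page's (my-rootca-cert.pem, my-server-cert.pem, my-server-key.pem).

# Public-key size in bits reported by openssl for a certificate (empty if unreadable).
# Matches "RSA Public-Key: (2048 bit)" (OpenSSL 1.1) and "Public-Key: (2048 bit)" (3.x).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# 0 if the certificate's key is RSA (the algorithm the 2048-bit rule is about).
cert_is_rsa() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'Public Key Algorithm: rsaEncryption'
}

# 0 if the public key in the certificate equals the one derived from the private key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# 0 if the certificate validates against the given Root CA certificate file.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if the certificate carries the SAN entry, e.g. "DNS:myserver.wrs.com" or
# "IP Address:1.1.1.1" (the names requested in the Certificate resource).
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -Fq "$2"
}

# Run all checks on a CA cert, server cert and server key; 0 only when all pass.
check_lab_certs() {
    cert_is_rsa "$2" || { echo "$2: public key is not RSA"; return 1; }
    bits=$(cert_key_bits "$2")
    [ "${bits:-0}" -ge 2048 ] 2>/dev/null \
        || { echo "$2: RSA key is only ${bits:-0} bits (need >= 2048)"; return 1; }
    cert_matches_key "$2" "$3" || { echo "$2: does not match private key $3"; return 1; }
    cert_chains_to_ca "$1" "$2" || { echo "$2: does not chain to $1"; return 1; }
    echo "ok: $2 ($bits-bit RSA, verified against $1)"
}

# Invoked as a script: sh check_certs.sh my-rootca-cert.pem my-server-cert.pem my-server-key.pem
if [ $# -eq 3 ]; then check_lab_certs "$@"; fi
```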