Create Certificates Locally using cert-manager on the Controller

You can use cert-manager to locally create certificates suitable for use in a lab environment.

Note

Ensure the certificates have RSA key length >= 2048 bits. The StarlingX Release r9.0 provides a new version of openssl which requires a minimum of 2048-bit keys for RSA for better security / encryption strength.

You can check the key length by running openssl x509 -in <the-certificate-file> -noout -text and looking for the “Public-Key” in the output. For more information see Create Certificates Locally using openssl.

Procedure

1. Create a Root CA Certificate and Key.

   1. Create a self-signing issuer.

      $ echo "
      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: my-selfsigning-issuer
      spec:
        selfSigned: {}
      " | kubectl apply -f -
      

   2. Create a Root CA certificate and key.

      $ echo "
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: my-rootca-certificate
      spec:
        secretName: my-rootca-certificate
        commonName: "my-rootca"
        isCA: true
        issuerRef:
          name: my-selfsigning-issuer
          kind: Issuer
      " | kubectl apply -f -
      

   3. Create a Root CA Issuer.

      $ echo "
      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: my-rootca-issuer
      spec:
        ca:
          secretName: my-rootca-certificate
      " | kubectl apply -f -
      

   4. Create files for the Root CA certificate and key.

      $ kubectl get secret my-rootca-certificate -o yaml | egrep "^  tls.crt:" | awk '{print $2}' | base64 --decode > my-rootca-cert.pem
      $ kubectl get secret my-rootca-certificate -o yaml | egrep "^  tls.key:" | awk '{print $2}' | base64 --decode > my-rootca-key.pem
      

2. Create and sign a Server Certificate and Key.

   1. Create the Server certificate and key.

      $ echo "
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: my-server-certificate
      spec:
        secretName: my-server-certificate
        duration: 2160h # 90d
        renewBefore: 360h # 15d
        commonName: 1.1.1.1
        dnsNames:
        - myserver.wrs.com
        ipAddresses:
        - 1.1.1.1
        issuerRef:
          name: my-rootca-issuer
          kind: Issuer
      " | kubectl apply -f -
      

      Note

      The Certificate usage of Cert-manager Documentation (https://cert-manager.io/docs/usage/certificate/) states that one should “Take care when setting the renewBefore field to be very close to the duration as this can lead to a renewal loop, where the Certificate is always in the renewal period.”

      In the light of the statement above, you must not set renewBefore to a value very close to the “duration” value, such as a renewBefore of 29 days and a duration of 30 days. Instead, you could set values such as renewBefore=15 days and duration=30 days to avoid renewal loops.

   2. Create the PEM files for Server certificate and key.

      $ kubectl get secret my-server-certificate -o yaml | egrep "^  tls.crt:" | awk '{print $2}' | base64 --decode > my-server-cert.pem
      $ kubectl get secret my-server-certificate -o yaml | egrep "^  tls.key:" | awk '{print $2}' | base64 --decode > my-server-key.pem
      

   3. Combine the server certificate and key into a single file.

      $ cat my-server-cert.pem my-server-key.pem > my-server.pem