I used the command below to generate a key locally.
openssl genrsa -out testsvc.testns.ing.lb.xyz.io.key.pem 2048
And then I used the command below to generate the CSR (certificate signing request).
openssl req -new -sha256 -key testsvc.testns.ing.lb.xyz.io.key.pem -subj "/CN=testsvc.testns.ing.lb.xyz.io"
I generated the certificate chain file using the above CSR file and finally got the file below.
testsvc.testns.ing.lb.xyz.io.chain.pem
I am trying to use them for ingress TLS, and below is the command for ingress TLS.
kubectl create secret tls custom-tls-cert --key /path/to/tls.key --cert /path/to/tls.crt
Not sure how I can use the chain.pem file and the key.pem file with the above command. I tried generating a .crt from the chain.pem and am getting an error on kubectl create secret:
"error: failed to load key pair tls: failed to find any PEM data in certificate input"
I would like to create the below secret.
apiVersion: v1
data:
  tls.crt: base64 encoded cert
  tls.key: base64 encoded key
kind: Secret
metadata:
  name: testsecret
  namespace: default
type: Opaque
Not sure how to generate the .crt and .key files from the chain.pem file.
Thanks
First, let's clarify what the key, CSR, and certificate are.
- key: locally generated secret file, shown/sent to no one (key.pem)
- csr: file (request.pem) generated from key.pem; needs to be sent to a CA (certificate authority). (You can have your own CA, but usually it is managed by someone else.)
- cert: file (cert.pem) created by the CA based on request.pem and its own CA private key
Now you can use these two files - key.pem and cert.pem - to create a secure connection between your service and a client.
I suppose you have only created a key and a request. So, you need to go one step further and get a certificate from the CA.
For testing purposes, you can create a new key and a self-signed certificate with one command:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj "/C=US/ST=Florida/L=Miami/O=SomeCompany/OU=ITdepartment/CN=www.mydomain.com"
(adjust subject to your needs)
There are different types of keys and certificates, and it's easy to find a way to convert one format into another.
Using certificate and key in PEM format when creating a Secret should work fine.
Just insert the key and the certificate into that command as follows:
kubectl create secret tls testsecret --key key.pem --cert cert.pem
This command creates a Secret object and encodes the key.pem and cert.pem content with base64.
You can check the content of the created object with the commands:
kubectl get secret testsecret -o yaml
echo "<base64 value of tls.crt from the output>" | base64 --decode
for example:
echo "LS0t...tLS0tLQo=" | base64 --decode
Read more about using and generating certificates here:
https://www.sslshopper.com/article-most-common-openssl-commands.html
How to create a self-signed certificate with openssl?
https://docs.bitnami.com/kubernetes/how-to/secure-kubernetes-services-with-ingress-tls-letsencrypt/
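The question's situation (a chain.pem plus a key.pem, and a kubectl error about missing PEM data) and the answer's recipe (make a certificate, then create the Secret) are two halves of the same procedure. The script below is an added example, not code from the question, the answer or any project: it builds a throwaway CA, a leaf key and CSR, a CA-signed leaf certificate and a chain.pem (leaf first, issuer after), then runs the checks that `kubectl create secret tls` effectively performs, and renders the resulting `kubernetes.io/tls` Secret without needing a cluster. The CA name, the file names and the Secret name are constructed for the example; only the `openssl` command line tool is required.

```shell
#!/bin/sh
# Added example (not from the question or the answer): generate a CA-signed
# certificate chain and check the files before creating a Kubernetes TLS Secret.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "this script needs the openssl CLI" >&2; exit 1; }

# Count the CERTIFICATE blocks in a file. kubectl's "failed to find any PEM data
# in certificate input" means this is 0 for the file given to --cert (for example
# a DER-encoded .crt, or the key file passed by mistake).
cert_block_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# True when the first certificate in $2 carries the public key of private key $1.
# Comparing the SubjectPublicKeyInfo hashes is what a mismatch check boils down to.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl sha256)
    [ "$key_pub" = "$crt_pub" ]
}

# Render the same Secret that "kubectl create secret tls NAME --key KEY --cert CERT"
# produces (type kubernetes.io/tls, base64 values), without talking to a cluster.
render_tls_secret() {
    name=$1; crt=$2; key=$3
    crt_b64=$(base64 < "$crt" | tr -d '\n')   # tr strips the wrapping GNU base64 adds
    key_b64=$(base64 < "$key" | tr -d '\n')
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: kubernetes.io/tls\ndata:\n  tls.crt: %s\n  tls.key: %s\n' \
        "$name" "$crt_b64" "$key_b64"
}

# Build the files in directory $1: a constructed test CA, a leaf key and CSR
# (same openssl steps as in the question), a CA-signed leaf, and chain.pem.
make_chain() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$dir/ca.key.pem" -out "$dir/ca.cert.pem" \
        -subj "/CN=Example Test CA" >/dev/null 2>&1
    openssl genrsa -out "$dir/leaf.key.pem" 2048 >/dev/null 2>&1
    openssl req -new -sha256 -key "$dir/leaf.key.pem" \
        -subj "/CN=testsvc.testns.ing.lb.xyz.io" -out "$dir/leaf.csr.pem" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 30 -in "$dir/leaf.csr.pem" \
        -CA "$dir/ca.cert.pem" -CAkey "$dir/ca.key.pem" -CAcreateserial \
        -out "$dir/leaf.cert.pem" >/dev/null 2>&1
    # Server certificate first, then its issuer(s): the order TLS clients expect,
    # and the order kubectl accepts in the file given to --cert.
    cat "$dir/leaf.cert.pem" "$dir/ca.cert.pem" > "$dir/chain.pem"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_chain "$WORK"

# Pre-flight checks: PEM certificate present, key belongs to the leaf, chain validates.
[ "$(cert_block_count "$WORK/chain.pem")" -ge 1 ] || { echo "chain.pem contains no PEM certificate" >&2; exit 1; }
key_matches_cert "$WORK/leaf.key.pem" "$WORK/chain.pem" || { echo "leaf.key.pem does not match chain.pem" >&2; exit 1; }
openssl verify -CAfile "$WORK/ca.cert.pem" "$WORK/leaf.cert.pem" >/dev/null

# The manifest that "kubectl create secret tls testsecret --key leaf.key.pem --cert chain.pem" would apply.
render_tls_secret testsecret "$WORK/chain.pem" "$WORK/leaf.key.pem"
```

Run it with `sh` and it prints the manifest; point the three check functions at your own chain.pem and key.pem to reproduce what kubectl complains about. A chain file is a valid `--cert` argument as long as it is PEM text with the server certificate first; if `cert_block_count` reports 0, the file is not PEM (convert a DER file with `openssl x509 -inform der -in file.crt -out file.pem`), and if `key_matches_cert` fails, the certificate was issued for a different key than the one being uploaded.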