Generate single certificate for multiple Kubernetes nodes

12/12/2019

Here lies the issue: I have a Kubernetes cluster with multiple nodes and I want to mount a single secret containing the key, crt, keystore data for all my nodes.

My process for generating them for a single node is as follows:

  1. Generate keystore bound to dns=hostname and ip=host_ip
  2. Extract the CSR
  3. Submit the CSR to my internal CA and download the p7b certificate chain
  4. Import back the certificate chain into keystore
  5. Export keystore into PKCS12 format
  6. Extract crt
  7. Extract key

Let's assume I have completed these steps for all my nodes. What can I do to bundle all these into a single set of keys and keystore file? Can I just concatenate all my certificate requests obtained at step 2 into a single CSR and download the p7b for that and just follow through?

-- D.Razvan
keystore
kubernetes
ssl
ssl-certificate

1 Answer

12/12/2019

For anyone looking for a solution as well, I managed to generate a single certificate for all hostnames by generating the keystore with multiple dns/ip entries.

Example:

keytool -genkey -keyalg RSA -alias <your_alias> -keystore <your_keystore_name>.jks -storetype JKS -keysize 2048 -validity 365 -ext SAN=dns:<hostname1>,ip:<ip1>,dns:<hostname2>,ip:<ip2>

You can also use KeyStore Explorer to generate the same (through a GUI), and it also supports wildcards such as *.domain.com.

-- D.Razvan
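The following is an added example, not code from the question or the answer above. It walks the seven-step procedure from the question end to end with openssl standing in for keytool/JKS, so it runs offline without Java or a real internal CA: one private key, one CSR whose SAN lists every node's DNS name and IP (the approach the answer describes; a CSR carries exactly one public key, so concatenated CSRs cannot produce one certificate), a constructed self-signed CA that signs it, a PKCS12 export, extraction of tls.crt/tls.key, and a kubernetes.io/tls Secret manifest that every node can mount. The hostnames, IP addresses, file names, CA subject and PKCS12 password are all made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): one key + one cert covering all
# nodes via SAN, using openssl instead of keytool/JKS. Names/IPs are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
NODES="node1.cluster.local:10.0.0.11 node2.cluster.local:10.0.0.12 node3.cluster.local:10.0.0.13"
P12PASS="changeit"   # example only; take this from a secret store in real use

# Turn "host:ip ..." into the SAN value "DNS:host,IP:ip,...".
san_value() {
  san=""
  for n in $NODES; do san="${san:+$san,}DNS:${n%%:*},IP:${n##*:}"; done
  printf '%s' "$san"
}

# Request config. The same v3_req section is handed to the signer later so the
# SAN is copied into the certificate instead of being silently dropped.
write_config() {
  cat >"$WORK/req.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = k8s-nodes
[ v3_req ]
subjectAltName = $(san_value)
EOF
  cat >"$WORK/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Example Internal CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# Stand-in for the internal CA (self-signed, for the example only).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Steps 1-2: one key pair and one CSR carrying every node's DNS name and IP.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/nodes.key" -out "$WORK/nodes.csr" 2>/dev/null
}

# Steps 3-4: the CA signs; -extfile/-extensions carry the SAN into the cert.
sign_csr() {
  openssl x509 -req -in "$WORK/nodes.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/req.cnf" -extensions v3_req \
    -out "$WORK/nodes.crt" 2>/dev/null
}

# Step 5: key + leaf + chain as PKCS12 (what the keystore export yields).
export_p12() {
  openssl pkcs12 -export -name nodes -inkey "$WORK/nodes.key" -in "$WORK/nodes.crt" \
    -certfile "$WORK/ca.crt" -passout "pass:$P12PASS" -out "$WORK/nodes.p12"
}

# Steps 6-7: pull clean PEM cert and unencrypted key back out of the PKCS12.
extract_pem() {
  openssl pkcs12 -in "$WORK/nodes.p12" -passin "pass:$P12PASS" -clcerts -nokeys 2>/dev/null \
    | openssl x509 -out "$WORK/tls.crt"
  openssl pkcs12 -in "$WORK/nodes.p12" -passin "pass:$P12PASS" -nocerts -nodes 2>/dev/null \
    | openssl pkey -out "$WORK/tls.key"
}

# Checks: use openssl's own name matching rather than grepping the SAN text.
cert_matches_host() { openssl x509 -in "$WORK/tls.crt" -noout -checkhost "$1" | grep -q 'does match'; }
cert_matches_ip()   { openssl x509 -in "$WORK/tls.crt" -noout -checkip "$1" | grep -q 'does match'; }
matched_names() {
  count=0
  for n in $NODES; do
    cert_matches_host "${n%%:*}" && count=$((count + 1))
    cert_matches_ip "${n##*:}" && count=$((count + 1))
  done
  echo "$count"
}
verify_chain() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/tls.crt" >/dev/null 2>&1; }

# The single Secret all nodes mount: tls.crt/tls.key plus the PKCS12 bundle.
secret_manifest() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: node-tls\ntype: kubernetes.io/tls\ndata:\n'
  printf '  tls.crt: %s\n' "$(base64 <"$WORK/tls.crt" | tr -d '\n')"
  printf '  tls.key: %s\n' "$(base64 <"$WORK/tls.key" | tr -d '\n')"
  printf '  keystore.p12: %s\n' "$(base64 <"$WORK/nodes.p12" | tr -d '\n')"
}

write_config; make_ca; make_csr; sign_csr; export_p12; extract_pem
echo "SAN entries matched: $(matched_names) of 6 (files in $WORK)"
```

Two caveats worth keeping in mind with this layout. First, the `-checkhost`/`-checkip` step is the check to run before mounting the Secret: a CA is free to rewrite or drop requested extensions, so confirm the SAN actually survived signing (with keytool, `keytool -printcert` or `openssl x509 -text` on the extracted certificate does the same job). Second, every node now holds the same private key, so compromise of any one node exposes the key that all nodes present, and adding a node means reissuing the certificate; a wildcard name as mentioned in the answer covers DNS names only, IP SANs still have to be listed explicitly.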
Source: StackOverflow