Creating and using Self-Signed and Private Certificate Authorities
Self-signed certificates and private Certificate Authorities (CAs) let you enable TLS encryption and establish mutual trust between services without involving a public CA. Clients do not trust them by default: the certificate, or the private CA that issued it, has to be added to each client's trust store.
Before you begin
Create a private key (key.pem) and a self-signed certificate (cert.pem) for your domain using OpenSSL. Replace <Your_External_IP_Address> with the address the service is reached on; nip.io resolves <ip>.nip.io, and any host name under it, to that address:

DOMAIN=<Your_External_IP_Address>.nip.io
openssl genrsa -out key.pem 2048
openssl req -new -x509 -key key.pem -out cert.pem -days 365 \
  -subj "/CN=$DOMAIN" \
  -addext "subjectAltName = DNS:${DOMAIN},DNS:*.${DOMAIN}" \
  -addext "certificatePolicies = 1.2.3.4"

Clients match the host name against subjectAltName rather than the CN, so the SAN must list every name (including the wildcard) that services will be reached on. The -addext option requires OpenSSL 1.1.1 or later. The certificate is valid for 365 days; rotate it before it expires.

Procedure
- To use a self-signed certificate:
  - Create a TLS secret. The same cert.pem is supplied as ca.crt because a self-signed certificate is its own issuer:
    kubectl create secret generic my-tls-secret \
      --from-file=tls.crt=./cert.pem \
      --from-file=tls.key=./key.pem \
      --from-file=ca.crt=./cert.pem \
      --namespace devopsplan
  - Set the TLS secret name in Helm:
    --set global.certSecretName=my-tls-secret
- To use a private Certificate Authority (CA) bundle:
  - Create a private CA bundle secret. ca.crt holds the certificate clients should trust: the self-signed cert.pem from above, or, when your certificates are issued by a private CA, that CA's certificate together with any intermediates, concatenated in PEM form:
    kubectl create secret generic my-internal-ca-bundle \
      --from-file=ca.crt=./cert.pem \
      --namespace devopsplan
  - Set the private CA secret name in Helm:
    --set global.privateCaBundleSecretName=my-internal-ca-bundle
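The procedure above reuses the self-signed cert.pem as the CA bundle. The script below is an added example, not part of the original page or of the chart's own tooling: it creates a real private CA, issues a server certificate for DOMAIN and *.DOMAIN signed by that CA, and then runs the two checks worth doing before creating the secrets (the certificate chains to ca.crt and is valid for the host names, and cert.pem and key.pem actually belong together). The result maps onto the page's secrets directly: cert.pem and key.pem become tls.crt and tls.key in my-tls-secret, and ca.crt becomes the ca.crt of my-internal-ca-bundle. It requires OpenSSL 1.1.1 or later; the file names, the CERT_DIR variable, the function names and the 203.0.113.10.nip.io domain are assumptions made for this illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original page or the chart's own tooling):
# build a private CA, issue a server certificate signed by it for DOMAIN and
# *.DOMAIN, and verify the result before turning the files into Kubernetes
# secrets. Requires openssl 1.1.1 or later. All file names, CERT_DIR and the
# example domain are assumptions made for this illustration.
set -eu

# Output directory; override with CERT_DIR=... in the environment.
CERT_DIR="${CERT_DIR:-./pki}"

# Create a private CA: an RSA key and a self-signed certificate with the CA
# flag set. An explicit config avoids depending on the system openssl.cnf.
# Arguments: <ca-common-name> <validity-days>
make_private_ca() {
  local cn="$1" days="$2"
  mkdir -p "$CERT_DIR"
  cat > "$CERT_DIR/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = $cn
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$CERT_DIR/ca.key" 4096 2>/dev/null
  openssl req -new -x509 -config "$CERT_DIR/ca.cnf" -key "$CERT_DIR/ca.key" \
    -days "$days" -out "$CERT_DIR/ca.crt"
}

# Issue a server certificate for <domain> and *.<domain>, signed by the CA.
# Extensions are applied by the signer, not copied from the CSR, so the SAN
# and the server-only key usage live in [v3_server], selected at signing time.
# Arguments: <domain> <validity-days>
issue_server_cert() {
  local domain="$1" days="$2"
  cat > "$CERT_DIR/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $domain
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:${domain},DNS:*.${domain}
EOF
  openssl genrsa -out "$CERT_DIR/key.pem" 2048 2>/dev/null
  openssl req -new -config "$CERT_DIR/server.cnf" -key "$CERT_DIR/key.pem" \
    -out "$CERT_DIR/server.csr"
  openssl x509 -req -in "$CERT_DIR/server.csr" -CA "$CERT_DIR/ca.crt" \
    -CAkey "$CERT_DIR/ca.key" -CAcreateserial -days "$days" \
    -extfile "$CERT_DIR/server.cnf" -extensions v3_server \
    -out "$CERT_DIR/cert.pem" 2>/dev/null
}

# Succeeds only if cert.pem chains to ca.crt AND is valid for <host>: the
# same check a client with ca.crt in its trust store performs on connect.
verify_for_host() {
  openssl verify -CAfile "$CERT_DIR/ca.crt" -verify_hostname "$1" \
    "$CERT_DIR/cert.pem" >/dev/null 2>&1
}

# Succeeds only if cert.pem and key.pem carry the same public key, i.e. the
# tls.crt/tls.key pair that will go into the secret actually belong together.
cert_matches_key() {
  local from_key from_cert
  from_key=$(openssl pkey -in "$CERT_DIR/key.pem" -pubout 2>/dev/null | openssl sha256)
  from_cert=$(openssl x509 -in "$CERT_DIR/cert.pem" -pubkey -noout | openssl sha256)
  [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# Typical run (203.0.113.10 is a documentation address standing in for your IP):
#   DOMAIN=203.0.113.10.nip.io
#   make_private_ca "Example Private CA" 3650
#   issue_server_cert "$DOMAIN" 365
#   verify_for_host "$DOMAIN" && verify_for_host "app.$DOMAIN" && cert_matches_key
# then create my-tls-secret from $CERT_DIR/cert.pem and $CERT_DIR/key.pem and
# my-internal-ca-bundle from $CERT_DIR/ca.crt exactly as in the procedure above.
```

Keep ca.key off the cluster entirely: only ca.crt goes into the CA bundle secret, and the CA key should live wherever you issue and rotate certificates from. A negative check is as useful as the positive ones: verify_for_host for a name outside the SAN must fail, otherwise the check is not testing what you think.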