Create Certificates


title: "Create Certificates"
date: 2019-07-30T14:47:45
slug: create-certificates


Create CA Key

openssl genrsa -out ca.key 2048

Create CA CSR

openssl req -new -key ca.key -subj "/CN=KUBERNETES-CA" -out ca.csr

Create CA Certificate

openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt

Create Admin Key

openssl genrsa -out admin.key 2048

Create Admin CSR (CN will be the user name, O will be the group: kube-apiserver reads group membership from the Organization field of the subject)

openssl req -new -key admin.key -subj \
"/CN=kube-admin/O=system:masters" -out admin.csr

Create the Certificate

openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key -out admin.crt

Or in the case of a “ca.srl: No such file or directory” error:

openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key -CAcreateserial -CAserial ca.seq -out admin.crt

Test the Admin Certificate:

curl https://kube-apiserver:6443/api/v1/pods \
--key admin.key --cert admin.crt --cacert ca.crt

Create Scheduler Key

openssl genrsa -out scheduler.key 2048

Create Scheduler CSR

openssl req -new -key scheduler.key -subj \
"/CN=system:kube-scheduler" -out scheduler.csr

Create the Certificate

openssl x509 -req -in scheduler.csr -CA ca.crt -CAkey ca.key -out scheduler.crt

Or in the case of a “ca.srl: No such file or directory” error:

openssl x509 -req -in scheduler.csr -CA ca.crt -CAkey ca.key -CAcreateserial -CAserial ca.seq -out scheduler.crt

Create API Server Key

openssl genrsa -out apiserver.key 2048

Create openssl.cnf

[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = <country>
ST = <state>
L = <city>
O = <organization>
OU = <organization unit>
CN = <MASTER_IP>

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
IP.1 = 10.96.0.1
IP.2 = 172.17.0.87

[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names

Create API Server CSR

openssl req -new -key apiserver.key -subj \
"/CN=kube-apiserver" -out apiserver.csr -config openssl.cnf

Create API Server Certificate

openssl x509 -req -in apiserver.csr \
-CA ca.crt -CAkey ca.key -extfile openssl.cnf -extensions v3_ext -out apiserver.crt

Note that openssl x509 -req does not copy the CSR's extensions by default, so the SANs only reach the signed certificate when the signing step names the v3_ext section as above.

Or if you get the error "unable to load number from ca.srl":

openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -CAserial ca.seq -extfile openssl.cnf -extensions v3_ext -out apiserver.crt
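Added here as a check of what the steps above produce (an example script, not part of the original post): it builds a throwaway CA, admin and API server certificate the way this page does, then asserts that each leaf chains to the CA, carries the expected CN, is not about to expire, that the admin group sits in O, and that the API server certificate really contains its SANs. It assumes openssl is on PATH; the file names follow the page, and ca.ext and api.ext are extension files constructed inline for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the files the steps
# above produce before handing them to a kube component. Assumes openssl on PATH.
set -e

# check_cert CERT CA EXPECTED_CN [EXPECTED_SAN]
# Fails unless CERT chains to CA, carries the expected CN, is valid for at
# least 7 more days and (if given) lists EXPECTED_SAN in subjectAltName.
check_cert() {
  cert=$1 ca=$2 cn=$3 san=${4:-}
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "$cert: does not chain to $ca"; return 1; }
  openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
    | grep -Eq "CN=$cn(,|\$)" || { echo "$cert: CN is not $cn"; return 1; }
  openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null \
    || { echo "$cert: expires within 7 days (x509 -req defaults to 30)"; return 1; }
  [ -z "$san" ] && return 0
  openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' \
    | grep -q "$san" || { echo "$cert: SAN $san missing"; return 1; }
}

# Build a throwaway CA, admin and apiserver cert the way the page does, then check them.
demo() {
  dir=$(mktemp -d) rc=0
  (
    cd "$dir" &&
    openssl genrsa -out ca.key 2048 2>/dev/null &&
    openssl req -new -key ca.key -subj "/CN=KUBERNETES-CA" -out ca.csr 2>/dev/null &&
    # CA:TRUE is set explicitly: OpenSSL 3 'verify' rejects a v3 root without it
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext &&
    openssl x509 -req -in ca.csr -signkey ca.key -days 365 -extfile ca.ext -out ca.crt 2>/dev/null &&
    openssl genrsa -out admin.key 2048 2>/dev/null &&
    # kube-apiserver reads the user name from CN and group membership from O
    openssl req -new -key admin.key -subj "/CN=kube-admin/O=system:masters" -out admin.csr 2>/dev/null &&
    openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -out admin.crt 2>/dev/null &&
    check_cert admin.crt ca.crt kube-admin &&
    openssl x509 -in admin.crt -noout -subject -nameopt RFC2253 | grep -q 'O=system:masters' &&
    ! check_cert admin.crt ca.crt system:kube-scheduler >/dev/null &&
    # SANs only reach the signed cert when the signing step passes the extension file
    printf 'subjectAltName=DNS:kubernetes,IP:10.96.0.1\nextendedKeyUsage=serverAuth\n' > api.ext &&
    openssl genrsa -out apiserver.key 2048 2>/dev/null &&
    openssl req -new -key apiserver.key -subj "/CN=kube-apiserver" -out apiserver.csr 2>/dev/null &&
    openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -extfile api.ext -out apiserver.crt 2>/dev/null &&
    check_cert apiserver.crt ca.crt kube-apiserver DNS:kubernetes
  ) || rc=$?
  rm -rf "$dir"
  return $rc
}
demo && echo "all certificate checks passed"
```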