Kubernetes Secret Creation - Private Keys and Certificates for IngressGateway
In this section, you will learn to create a secret to store private keys and certificates for IngressGateway.
Note:
It is a user or operator discretion to create the private keys and certificates for IngressGateway and it is not in the scope of UDR. This section shares only samples to create them.- Generate RSA private key by executing the following
command:
openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout rsa_private_key -out rsa_certificate.crt -config ssl.conf -passin pass:"keystorepasswd" -passout pass:"keystorepasswd"
- Convert the private key to .pem format by executing the
following command:
openssl rsa -in rsa_private_key -outform PEM -out rsa_private_key_pkcs1.pem -passin pass:"keystorepasswd" -passout pass:"keystorepasswd"
- Generate certificate using the private key by executing the
following command:
openssl req -new -key rsa_private_key -out apigatewayrsa.csr -config ssl.conf -passin pass:"keystorepasswd" -passout pass:"keystorepasswd"
Note:
You can use ssl.conf to configure default entries along with storage area network (SAN) details for your certificate.A sample ssl.conf file is given below:
ssl.conf #ssl.conf [ req ] default_bits = 4096 distinguished_name = req_distinguished_name req_extensions = req_ext [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = IN stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Karnataka localityName = Locality Name (eg, city) localityName_default = Bangalore organizationName = Organization Name (eg, company) organizationName_default = Oracle commonName = Common Name (e.g. server FQDN or YOUR name) commonName_max = 64 commonName_default = localhost [ req_ext ] subjectAltName = @alt_names [alt_names] IP = 127.0.0.1 DNS.1 = localhost
- Create a root Certificate Authority (CA) by executing the
following set of commands:
openssl req -new -keyout cakey.pem -out careq.pem -config ssl.conf -passin pass:"keystorepasswd" -passout pass:"keystorepasswd"
openssl x509 -signkey cakey.pem -req -days 3650 -in careq.pem -out caroot.cer -extensions v3_ca -passin pass:"keystorepasswd" echo 1234 > serial.txt
- Sign the server certificate with root CA private key by
executing the following command:
openssl x509 -CA caroot.cer -CAkey cakey.pem -CAserial serial.txt -req -in apigatewayrsa.csr -out apigatewayrsa.cer -days 365 -extfile ssl.conf -extensions req_ext -passin pass:"keystorepasswd"
- Generate ECDSA private key by executing the following set of
commands:
openssl ecparam -genkey -name prime256v1 -noout -out ecdsa_private_key.pem
openssl pkcs8 -topk8 -in ecdsa_private_key.pem -inform pem -out ecdsa_private_key_pkcs8.pem -outform pem -nocrypt
- Generate certificate using the private key by executing the
following set of commands:
openssl req -new -key ecdsa_private_key_pkcs8.pem -x509 -nodes -days 365 -out ecdsa_certificate.crt -config ssl.conf
openssl req -new -key ecdsa_private_key_pkcs8.pem -out apigatewayecdsa.csr -config ssl.conf -passin pass:"keystorepasswd" -passout pass:"keystorepasswd"
- Sign the server certificate with root CA private key by
executing the following command:
openssl x509 -CA caroot.cer -CAkey cakey.pem -CAserial serial.txt -req -in apigatewayecdsa.csr -out apigatewayecdsa.cer -days 365 -extfile ssl.conf -extensions req_ext -passin pass:"keystorepasswd"
- Create a key.txt file by entering any
password.
Example: echo "keystorepasswd" > key.txt
- Create a trust.txt file by entering any
password.
Example: echo "truststorepasswd" > trust.txt
- Create a Secret by executing the following set of
commands:
kubectl create ns NameSpace
kubectl create secret generic ocudr-gateway-secret --from-file=apigatewayrsa.cer --from-file=caroot.cer --from-file=apigatewayecdsa.cer --from-file=rsa_private_key_pkcs1.pem --from-file=ecdsa_private_key_pkcs8.pem --from-file=key.txt --from-file=trust.txt -n <Namespace>