The software described in this documentation is either no longer supported or is in extended support.
Oracle recommends that you upgrade to a current supported release.

3.6.3 Setting up Private CA Certificates

You can use the script to generate the certificates. Run the script on the operator node and enter the options required for your environment.

The --cert-dir option sets the location where the certificates are to be saved.

The --nodes option must be set to the name of the Kubernetes service, as shown:

--nodes externalip-validation-webhook-service.externalip-validation-system.svc,externalip-validation-webhook-service.externalip-validation-system.svc.cluster.local

Use the --one-cert option to save the certificates for the two service names to a single file.

cd /etc/olcne
sudo ./ \
--cert-dir /etc/olcne/configs/certificates/restrict_external_ip/production/ \
--cert-request-organization-unit "My Company Unit" \
--cert-request-organization "My Company" \
--cert-request-locality "My Town" \
--cert-request-state "My State" \
--cert-request-country US \
--cert-request-common-name \
--nodes externalip-validation-webhook-service.externalip-validation-system.svc,externalip-validation-webhook-service.externalip-validation-system.svc.cluster.local \

You can use the same CA certificate and private key you used to generate the Kubernetes node certificates by using the --byo-ca-cert and --byo-ca-key options. For example, add the following lines to the command:

--byo-ca-cert /path/configs/certificates/production/ca.cert \
--byo-ca-key /path/configs/certificates/production/ca.key

Make sure the permissions of the output directory where the certificates are located can be read by the user on the operator node that you intend to use use to run the olcnectl commands to install Kubernetes. In this example the opc user is to be used on the operator node, so ownership of the directory is set to the opc user:

sudo chown -R opc:opc /etc/olcne/configs/certificates/restrict_external_ip/