Shulou(Shulou.com)05/31 Report--

This article mainly introduces the relevant knowledge of "what is the Kubernetes certificate issuance process". The editor shows you the operation process through an actual case. The operation method is simple, fast and practical. I hope this article "what is the Kubernetes certificate issuance process" can help you solve the problem.

For website applications, webmasters need to apply for certificates from authoritative certificate issuers (CA), which usually costs a certain amount of money, and there are also non-profit certificate issuers, such as "Let's Encrypt", which can issue certificates for users free of charge. But for applications such as Kubernetes, it is usually deployed within the enterprise, and its management components do not need to be exposed to the public network, so there is no need to apply for certificates from external certificate issuers, and system administrators can issue certificates for internal use.

In this section, we use a simple example to introduce how to use openssl to issue certificates, focusing on the process of issuing certificates. The specific certificate configuration also needs to be filled in by the administrator according to the actual situation.

Take kube-apiserver as an example, its startup parameters need to be configured with a certificate in three places:

-- client-ca-file=/yourdirectory/ca.crt--tls-cert-file=/yourdirectory/server.crt--tls-private-key-file=/yourdirectory/server.key

Ca.crt is the certificate of CA. Usually, all components of Kubernetes are configured with the same CA certificate, and server.crt is the certificate of kube-apiserver. It will be sent to the client when establishing a connection with the client and verified by the client. Server.key is the private key of kube-apiserver. It will not be sent to the client, but will only be used to decrypt the data sent by the client.

For ease of understanding, let's assume that two administrators are involved in the certificate issuance process, one CA administrator is responsible for managing CA credentials and providing services for others to issue certificates, and one administrator is responsible for requesting certificates for kube-apiserver.

Generate CA credential

The CA certificate includes a private key and certificate. The private key is kept by the CA institution and will not be made public, while the certificate is public. You need to create a private key for the CA institution before generating the certificate.

Generate CA private key

A private key can be generated using the openssl genrsa command:

# openssl genrsa-out ca.key 2048Generating RSA private key 2048 bit long modulus....+++..+++e is 65537 (0x10001)

The generated private key is stored in the ca.key file, which can be viewed using the cat command:

# lsca.key# cat ca.key-BEGIN RSA PRIVATE KEY-MIIEog...// omits some content-END RSA PRIVATE KEY- generates CA certificate

Then use the openssl req command to generate a certificate:

# openssl req-x509-new-nodes-key ca.key-subj "/ CN=ca"-days 10000-out ca.crt

The generated certificate exists in the ca.crt file and can be viewed using the openssl x509 command:

# openssl x509-in ca.crt-text-nooutCertificate: Data: Version: 3 (0x2).

At this point, the CA administrator has a private key and certificate and is ready to issue a certificate for kube-apiserver.

Generate kube-apiserver credential

To apply for a certificate, the kube-apiserver administrator needs to prepare a certificate issuance request (application). To do this, the kube-apiserver administrator needs to generate a private key for kube-apiserver.

Generate kube-apiserver private key

Generating a private key for kube-apiserver is exactly the same as the previous method of generating a private key for CA, which can also be done using openssl genrsa:

# openssl genrsa-out server.key 2048

The generated private key is stored in server.key.

Generate a kube-apiserver certificate request

Then the kube-apiserver administrator needs to use the private key of kube-apiserver to generate a certificate issuance request before it can be submitted to the CA administrator for signing.

Use the openssl req-new command to create a certificate request file:

# openssl req-new-key server.key-out server.csr

To create a certificate request file, you need to provide the private key, then enter the relevant information according to the command line prompt, and the resulting request file is stored in the server.csr file.

Generate kube-apiserver certificate

After the kube-apiserver administrator has created the certificate request file, he can issue the certificate to the CA administrator. The CA administrator needs to use the private key and certificate of CA when signing:

# openssl x509-req-in server.csr-CA ca.crt-CAkey ca.key-CAcreateserial-out server.crt-days 10000 Signature ok

In this way, the issued certificate is saved in the server.crt file.

Certificate file suffix

With regard to certificates and private key files, conventional file name suffixes are often used.

* .key: often represents a private key file

* .crt: an abbreviation for certificate, which often represents a certificate file

In addition, the * .csr file is a certificate signature request file, an acronym for "Certificate Signing Request", which contains information about the public key and the owner of the public key, which is used to apply for a signature from the CA authority.

This is the end of the content about "what is the process of issuing Kubernetes certificates". Thank you for your reading. If you want to know more about the industry, you can follow the industry information channel. The editor will update different knowledge points for you every day.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.