Tutorial: Generate and deploy a self-signed certificate

In this tutorial, we outline the process to generate and deploy a self-signed certificate using CFSSL. It also includes links to external tutorials for OpenSSL.

1. OpenSSL tutorials

2. CFSSL tutorial

This tutorial will help you create a Saagie-compatible self-signed certificate with CloudFlare's CFSSL. Refer to CloudFlare's GitHub repository for more information.

2.1. Download and install CFSSL

  • If you use Linux or Windows, download CFSSL from GitHub and install it.

  • If you are using macOS, you can either download from the link above or install using Homebrew:

    brew install cfssl

2.2. Generate Certificate Authority (CA)

Retrieve the default configuration.

cfssl print-defaults config > ca-config.json
cfssl print-defaults csr > ca-csr.json

Edit ca-config.json to add the SANs and Kubernetes profiles you need. The example below defines www, client, and kubernetes profiles, each with a two-year (17520h) expiry.

{
    "signing": {
        "default": {
            "expiry": "17520h"
        },
        "profiles": {
            "www": {
                "expiry": "17520h",
                "name_whitelist": ".*",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "17520h",
                "name_whitelist": ".*",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "kubernetes": {
                "expiry": "17520h",
                "name_whitelist": ".*",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}

Adjust ca-csr.json, as needed.

{
    "CN": "Saagie Demo CA",
    "key": {
        "algo": "rsa",
        "size": 4096
    },
    "names": [
        {
            "C": "FR",
            "O": "Saagie",
            "L": "Rouen"
        }
    ]
}

Generate your Certificate Authority.

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

2.3. Create your server certificates

Create your server certificate request file, csr.json, with the following content.

{
    "CN": "<prefix>-<suffix>.<domain>", (1)
    "hosts": [
        "<prefix>-<suffix>.<domain>" (1)
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    }
}
1 Replace <prefix>, <suffix>, and <domain> with the same values you used for your DNS zone.

Generate your certificates.

cfssl gencert -config ca-config.json -ca ca.pem -ca-key ca-key.pem -profile www csr.json | cfssljson -bare server

This produces three files: server.csr (the request), server.pem (the signed certificate), and server-key.pem (the server's private key).

2.4. Deploy certificate on your Kubernetes cluster

Generate a base64-encoded, single-line version of each file (the Secret's data fields must not contain line breaks):

  • Encode the certificate:

    cat server.pem | base64 -w 0
  • Encode the key:

    cat server-key.pem | base64 -w 0
  • On macOS, whose base64 lacks the -w option, strip the newlines with tr instead:

    cat server.pem | base64 | tr -d '\n'
    cat server-key.pem | base64 | tr -d '\n'

Create a certificate.yml file with the following content.

apiVersion: v1
kind: Secret
metadata:
  name: <certificate-name> (1)
  namespace: saagie-common
type: kubernetes.io/tls
data:
  ca.crt: ""
  tls.crt: <encoded certificate> (2)
  tls.key: <encoded key> (3)
1 Replace <certificate-name> with the name of your Secret.
2 Replace <encoded certificate> with the base64 output for server.pem.
3 Replace <encoded key> with the base64 output for server-key.pem.

Deploy your certificate.

kubectl apply -f certificate.yml

Verify your certificate.

kubectl get secrets/<certificate-name> (1)
kubectl describe secrets/<certificate-name> (1)
1 Replace <certificate-name>.
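The encoding and manifest steps of this section, scripted, as an added example that is not part of the Saagie tutorial or of CFSSL itself. The script encodes with `base64 | tr -d '\n'`, which behaves the same on Linux and macOS, checks that each input file carries the PEM header the Secret field expects (so a swapped certificate/key pair is rejected before `kubectl apply`), and confirms that both data fields decode back to the original bytes. The function names, the Secret name demo-tls, and the sample PEM files are assumptions made here; the PEM files are constructed placeholders, not real key material, so the script runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the Saagie tutorial): build the kubernetes.io/tls
# Secret manifest from server.pem and server-key.pem with a portable base64
# encoding and a PEM-type sanity check on each input file.
set -eu

# Single-line base64 of FILE (portable replacement for GNU `base64 -w 0`).
b64_oneline() {
    base64 < "$1" | tr -d '\n'
}

# pem_has_type FILE WORD: succeed if the first "-----BEGIN ..." line in FILE
# contains WORD, e.g. CERTIFICATE or "PRIVATE KEY" (matches RSA/EC keys too).
pem_has_type() {
    header=$(grep '^-----BEGIN ' "$1" | head -n 1) || return 1
    case "$header" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# make_tls_secret NAME NAMESPACE CERT KEY: print the Secret manifest on stdout,
# refusing to continue if CERT is not a certificate or KEY is not a private key.
make_tls_secret() {
    pem_has_type "$3" CERTIFICATE ||
        { echo "error: $3 does not start with a CERTIFICATE block" >&2; return 1; }
    pem_has_type "$4" "PRIVATE KEY" ||
        { echo "error: $4 does not start with a PRIVATE KEY block" >&2; return 1; }
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\n' "$1" "$2"
    printf 'type: kubernetes.io/tls\ndata:\n  ca.crt: ""\n  tls.crt: %s\n  tls.key: %s\n' \
        "$(b64_oneline "$3")" "$(b64_oneline "$4")"
}

# secret_field_decodes_to MANIFEST FIELD FILE: succeed if the base64 value of
# FIELD (tls.crt or tls.key) in MANIFEST decodes back to the bytes of FILE.
secret_field_decodes_to() {
    sed -n "s/^  $2: //p" "$1" | base64 -d | cmp -s - "$3"
}

# Constructed sample input (placeholder PEM blocks, not real key material) so
# the script runs stand-alone; in practice point it at cfssl's server.pem and
# server-key.pem instead.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQgU0FNUExF' \
    '-----END CERTIFICATE-----' > "$SAMPLE_DIR/server.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQgU0FNUExF' \
    '-----END RSA PRIVATE KEY-----' > "$SAMPLE_DIR/server-key.pem"

# Usage: write the manifest, then confirm both data fields round-trip.
make_tls_secret demo-tls saagie-common \
    "$SAMPLE_DIR/server.pem" "$SAMPLE_DIR/server-key.pem" > "$SAMPLE_DIR/certificate.yml"
secret_field_decodes_to "$SAMPLE_DIR/certificate.yml" tls.crt "$SAMPLE_DIR/server.pem"
secret_field_decodes_to "$SAMPLE_DIR/certificate.yml" tls.key "$SAMPLE_DIR/server-key.pem"
cat "$SAMPLE_DIR/certificate.yml"
```

The manifest it prints has the same shape as certificate.yml above and can be applied with `kubectl apply -f`. The header check is deliberately loose (a substring match on the first BEGIN line) because cfssl writes RSA keys as "BEGIN RSA PRIVATE KEY" while other tools write "BEGIN PRIVATE KEY"; both are accepted, while a certificate passed as the key is not.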