Tutorial: Generate and deploy a self-signed certificate

In this tutorial, we will outline the process to generate and deploy a self-signed certificate using CFSSL. You also include links to external tutorials for OpenSSL.

1. OpenSSL tutorials

Direct guide: Digital Ocean OpenSSL Essentials

Detailed guide: Jamie Linux OpenSSL Certificate Authority

2. CFSSL tutorial

This tutorial will help you create a Saagie-compatible CloudFlare self-signed certificate. Refer to CloudFlare’s github for more information.

2.1. Download and install CFSSL

If you use Linux or Windows, download CFSSL from GitHub and install it.
If you are using macOS, you can either download from the link above or install using Homebrew:
```
brew install cfssl
```

2.2. Generate Certificate Authority (CA)

Retrieve the default configuration.

cfssl print-defaults config > ca-config.json
cfssl print-defaults csr > ca-csr.json

Add SANs and Kubernetes profiles to ca-config.json, as needed.

{
    "signing": {
        "default": {
            "expiry": "17520h"
        },
        "profiles": {
            "www": {
                "expiry": "17520h",
                "name_whitelist": ".*",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "17520h",
                "name_whitelist": ".*",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "kubernetes": {
                "expiry": "17520h",
                "name_whitelist": ".*",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}

Adjust ca-csr.json, as needed.

{
    "CN": "Saagie Demo CA",
    "key": {
        "algo": "rsa",
        "size": 4096
    },
    "names": [
        {
            "C": "FR",
            "O": "Saagie",
            "L": "Rouen"
        }
    ]
}

Generate your Certificate Authority.

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

2.3. Create your server certificates

Create your server certificate request file, csr.json, with the following content.

{
    "CN": "<prefix>-<suffix>.<domain>", (1)
    "hosts": [
        "<prefix>-<suffix>.<domain>" (1)
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    }
}

1	Replace `<prefix>`, `<suffix>`, and `<domain>` with the same values you used for your DNS zone.

Generate your certificates.

cfssl gencert -config ca-config.json -ca ca.pem -ca-key ca-key.pem -profile www csr.json |cfssljson -bare server

The process generated these files: server.csr, server.pem, and server-key.pem.

2.4. Deploy certificate on your Kubernetes cluster

Generate an encoded version of your certificate files:

Generate base 64 encoded version of the certificate:
```
cat server.pem |base64 -w 0
```
Generate base64 encoded version of the key
```
cat server-key.pem |base64 -w 0
```

Or, if using OSX, you can generate both simultaneously:

cat server.pem | base64 | tr -d '\n'
cat server-key.pem | base64 | tr -d '\n'

Create a certificate.yml file with the following content.

apiVersion: v1
kind: Secret
metadata:
  name: <certificate-name> (1)
  namespace: saagie-common
type: kubernetes.io/tls
data:
  ca.crt: ""
  tls.crt: <encoded certificate> (2)
  tls.key: <encoded key> (3)

1	Replace `<certificate-name>`,
2	`<encoded certificate>`, and
3	`<encoded key>`.

Deploy your certificate.

kubectl apply -f certificate.yml

Verify your certificate.

kubectl get secrets/<certificate-name> (1)
kubectl describe secrets/<certificate-name> (1)

1	Replace `<certificate-name>`.