-
Notifications
You must be signed in to change notification settings - Fork 0
self signed cert
Cesar Celis Hernandez edited this page Apr 11, 2023
·
9 revisions
- Create the private key
openssl genrsa -out private.key 2048
- Create the
cert.cnf
file:
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
O = "system:nodes"
C = US
CN = "system:node:testing.minio-testing.svc"
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = testing
DNS.2 = testing.minio-testing.svc
DNS.3 = testing.minio-testing.svc.cluster.local
DNS.4 = minio-testing-service.minio-testing.svc
- Create the
testing.csr
file:
openssl req -new -config cert.cnf -key private.key -out testing.csr
- Encode the
testing.csr
:
cat testing.csr | base64 --wrap=0
- Create the CSR with above output:
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: testing-csr
spec:
groups:
- system:serviceaccounts
- system:serviceaccounts:minio-testing
- system:authenticated
- system:nodes
request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJREx6Q0NBaGNDQVFBd1ZERVZNQk1HQTFVRUNnd01jM2x6ZEdWdE9tNXZaR1Z6TVFzd0NRWURWUVFHRXdKVgpVekV1TUN3R0ExVUVBd3dsYzNsemRHVnRPbTV2WkdVNmRHVnpkR2x1Wnk1dGFXNXBieTEwWlhOMGFXNW5Mbk4yCll6Q0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUtBa24xOEdldGFKSVB2RTVzNzkKRDduT2ZyUFJHT01ScFhZK09hK3JkR2ZkWjY3OE95czQ2QS9TV1VKQTl6VnNXWndIVWdYVVBaTnJwN1ZFWDNCWgp0TXlLZHRnUllCTEd4VGpTNWRFQWRpcFE5Q3ArNDlZTXNGWWR2Q0R3ZzRVZXluajdSQW5OMVhvM1g1ejdqRngxCjUycnAxaStKL2RlblNaUU9HckNTbDJqTTF3ZW9IdmgrNW04U1VUUnlJQWVRY0VzNzNLRkNaNi9KYk5oaGEvbzEKOVRTRTAxSkdZVjc3bjBKeU5PUUxMZnVYem5aRlE3R28wZlVQMWcwT0hoeXphbUw4VXpaSnhJcVBvSXJLekhBLwplZE1JV2hwWmM4azBuQ1Vub05DbHhtL3ZXUU5kUWE0T2h4YWFQZ1crNFdURkFjbGo1c0ZGQXFHeUdOZEZoTWhPCm1oOENBd0VBQWFDQmxUQ0JrZ1lKS29aSWh2Y05BUWtPTVlHRU1JR0JNSDhHQTFVZEVRUjRNSGFDQjNSbGMzUnAKYm1lQ0dYUmxjM1JwYm1jdWJXbHVhVzh0ZEdWemRHbHVaeTV6ZG1PQ0ozUmxjM1JwYm1jdWJXbHVhVzh0ZEdWegpkR2x1Wnk1emRtTXVZMngxYzNSbGNpNXNiMk5oYklJbmJXbHVhVzh0ZEdWemRHbHVaeTF6WlhKMmFXTmxMbTFwCmJtbHZMWFJsYzNScGJtY3VjM1pqTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFBSlduYXZKdkpNYWN3RndDdmUKMUtta2FHYVNLbzNqZE9saFovME5QYnVDbmhUMHkvRnZUV0hUcGRMbi9mTGtkTlNUYkdIQkVMd0ttUTdXYVR3Rgo0RE5YNnMxZVdTY3BSNFEvaHBwaEQ0UWZjblowT1RoQk1oY2tnN1FlaHR0T3cxR3pjR2JQWktDL05tekllQW5SCm9DZCtzSkZiUU1PMEFUanFMcENFcUF5ZTlDQ003eExld2dSWlZudnVMaStDU29YUm9NVE9HVUo1Q2grR001K2QKNGdVWWV2NEdsM2JjUXI3UjBneDhMN29Ncm8ySFNObDB0QzFvVGk5ejcwL3R3MjN2M0hxY1IwUGo1Y09VQkU3ZgpBRnlkSk9EL20zN0w2eXVERnd3QmVZYlZqenp3OVdjZXNyZXlLVHJEK0hNUVBndWpCL0NSL2F3S2lXWTRyRTQzCmY0U1UKLS0tLS1FTkQgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==
signerName: kubernetes.io/kubelet-serving
usages:
- digital signature
- key encipherment
- server auth
username: system:serviceaccount:minio-testing:minio-testing
- Apply the CSR:
oc apply -f testing-csr.yaml
- Approve the CSR:
oc adm certificate approve testing-csr
- Get the certificate:
oc get csr testing-csr -o jsonpath='{.status.certificate}'| base64 -d
- Decode the certificate and look at the
Expires
field: