...

kubectl get clusterissuers example-issuer -o yaml


Please note that the ClusterIssuer mentioned above is only recommended for testing purposes and not for production. In the next section, we will create a ClusterIssuer of ACME type, which is what is generally used in production environments.

Info

If your use case is intended for a production or production-like environment, please skip the self-signed ClusterIssuer creation below.

Regardless of the chosen issuer specification, to create the issuer, put the specification in a YAML file (here we call it example-issuer.yaml) and then execute a command like this:

Code Block
languagebash
kubectl apply -f example-issuer.yaml

Based on the example above, the created ClusterIssuer can be inspected like this:

Code Block
languagebash
kubectl get clusterissuers example-issuer -o yaml


Secret

If you do not want to automate the certificate provisioning with cert-manager, you can instead manually install a certificate (typically one issued by a trusted CA) in a Kubernetes Secret and then refer to that Secret when installing Usage Engine Private Edition.

The Secret must include a keystore file (keystore.jks) in JKS format as well as separate files for key (tls.key) and certificate (tls.crt).

This is an example script that can generate a Secret like that (make sure to set the parameters at the beginning of the script before executing it):

Code Block
languagebash
#!/bin/sh
set -e
umask 077   # private key material is written to disk below; keep the files readable by this user only
KEY_PASSWORD='<your chosen key password>'
STORE_PASSWORD='<your chosen keystore password>'
DNAME='CN=exampledomain.com,O=Example'
NAMESPACE=uepe
# Generate a 4096-bit RSA key pair with a self-signed certificate in a JKS keystore
keytool -genkeypair -keystore keystore.jks -storepass "$STORE_PASSWORD" -keypass "$KEY_PASSWORD" -alias certificate -keyalg RSA -keysize 4096 -dname "$DNAME"
# Convert the JKS keystore to PKCS#12 so that openssl can extract the PEM files
keytool -importkeystore -srckeystore keystore.jks -srcstorepass "$STORE_PASSWORD" -srckeypass "$KEY_PASSWORD" -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias certificate -deststorepass "$STORE_PASSWORD" -destkeypass "$KEY_PASSWORD"
# The PKCS#12 file is protected by the store password, so that is what openssl must be given
openssl pkcs12 -in keystore.p12 -clcerts -nokeys -out tls.crt -password pass:"$STORE_PASSWORD"
openssl pkcs12 -in keystore.p12 -nodes -nocerts -out tls.key -password pass:"$STORE_PASSWORD"
kubectl create secret generic uepe-cert -n "$NAMESPACE" --from-file=keystore.jks --from-file=tls.key --from-file=tls.crt
rm -f keystore.p12   # the intermediate PKCS#12 file is no longer needed

Note that this will generate a self-signed certificate, which is not suitable for use in publicly exposed interfaces. Note also that the script leaves the private key on the local disk (in keystore.jks and tls.key); delete or otherwise protect these files once the Secret has been created.

Once the Secret has been generated, its content (base64-encoded, and including the private key) can be inspected like this:

Code Block
languagebash
kubectl -n uepe get secrets uepe-cert -o yaml
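As an added example that is not part of the original page, the following POSIX shell script performs the sanity checks a practitioner would want on the tls.key/tls.crt pair before packing it into the Secret: the private key must match the certificate, the certificate should not be self-signed if it is going to be used on a publicly exposed interface, and it should not be close to expiry. Only openssl is used; keytool and kubectl are not invoked, and the JKS file is not checked. The sample material (a throwaway self-signed pair plus an unrelated key, produced by make_sample) is constructed for the demonstration, and the function names are the example's own.

```bash
#!/bin/sh
# Added example (not from the original page): pre-flight checks on a
# tls.key / tls.crt pair before creating a Kubernetes Secret from them.
set -eu

# Returns 0 if the private key in $1 belongs to the certificate in $2.
# Both tools print the SubjectPublicKeyInfo as PEM, so the strings can be compared directly.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Returns 0 if the certificate in $1 is self-signed (issuer equals subject).
# A self-signed certificate must not be used on publicly exposed interfaces.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Returns 0 if the certificate in $1 is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed sample material for the demonstration: a throwaway self-signed
# pair valid for 365 days, and an unrelated key that must NOT match the cert.
make_sample() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/tls.key" -out "$dir/tls.crt" \
        -subj "/CN=exampledomain.com/O=Example" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" >/dev/null 2>&1
}

# Usage: sh check-tls.sh <directory containing tls.key and tls.crt>
if [ $# -eq 1 ]; then
    d=$1
    key_matches_cert "$d/tls.key" "$d/tls.crt" || { echo "tls.key does not match tls.crt"; exit 1; }
    valid_for_days "$d/tls.crt" 30 || { echo "tls.crt expires within 30 days"; exit 1; }
    if is_self_signed "$d/tls.crt"; then
        echo "WARNING: tls.crt is self-signed; do not use it on publicly exposed interfaces"
    fi
    echo "tls.key and tls.crt are consistent"
fi
```

Run it against the directory in which the generation script above wrote tls.key and tls.crt; a mismatch or imminent expiry makes it exit non-zero, which keeps the `kubectl create secret` step from being reached in a pipeline that chains the two.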

...