Create SSL certificates for TLS/SSL using Cert-manager

A self-signed SSL certificate is used for dynamic test environments or when using an external load balancer that terminates SSL traffic.

начало внимание

A self-signed SSL certificate does not provide robust data protection against malicious actors. It is recommended to use commercial SSL certificates from trusted certificate authorities such as Comodo, Symantec, Thawte, etc.

конец внимание

To create a certificate with the SAN attribute, follow these steps:

1. Install Cert-manager add-on component;
2. Create yaml-file selfsigned-cluster-issuer.yaml:

nano selfsigned-cluster-issuer.yaml

To initiate the certificate issuance procedure in a Kubernetes cluster, certification authority (CA) resources must be declared. These resources are used to sign Certificate Signing Requests (CSRs) for issuing certificates. Depending on the required scope, you can declare the following resources:

• Issuer can be used in one namespace;
• ClusterIssuer is the cluster's global object.

3. In the selfsigned-cluster-issuer.yaml file, insert the following values:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: elma365-selfsigned-certificate
spec:
  selfSigned: {}

4. Apply the selfsigned-cluster-issuer.yaml file to the cluster:

kubectl apply -f selfsigned-cluster-issuer.yaml

5. Create a yaml-file for the certificate create-selfsigned-elma365-certificate.yaml:

nano create-selfsigned-elma365-certificate.yaml

6. Modify the file create-selfsigned-elma365-certificate.yaml:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: elma365-selfsigned-tls-certificate
  namespace: [namespace]
spec:
  secretName: elma365-onpremise-tls
  secretTemplate:
    annotations:
      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "kube-system"
      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
      reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "kube-system"
  duration: 8760h
  renewBefore: 720h
  isCA: false
  subject:
    organizations:
    - "YOUR_NAME_ORGANIZATIONS"
  privateKey:
    algorithm: ECDSA
    size: 384
    encoding: PKCS8
    rotationPolicy: Always
  issuerRef:
    kind: ClusterIssuer
    name: elma365-selfsigned-certificate
  commonName: "elma365_server.your_domain"
  dnsNames:
  - "elma365_server.your_domain"

where:

• metadata.namespace is the name of the target namespace where the certificate should be placed;

начало внимание

The secret with the certificate must be created in the same namespace in which the target application is running or will be installed, for which the certificate is being issued.

For the ELMA365 application, the standard namespace is elma365.

For embedded databases the standard namespace is elma365-dbs.

конец внимание

• spec.duration is the validity period of the certificate in hours;
• spec.subject.organizations is the name of your company (replace "YOUR_NAME_ORGANIZATIONS");
• spec.commonName and dnsNames is the fully qualified domain name (FQDN) for which the certificate should be issued (replace "elma365_server.your_domain").

7. Apply the create-selfsigned-elma365-certificate.yaml file to the cluster:

kubectl apply -f create-selfsigned-elma365-certificate.yaml

8. To install and update ELMA365 or the embedded databases use the secret elma365-onpremise-tls (the name specified in the parameter spec.secretName).

Was this helpful?

Thanks for your feedback!

Please specify why:

Recommendations did not help meArticle is hard to understandDidn`t answer my questionContent does not match the topicOther

How we can improve it?

YesNo

Please specify whyRecommendations did not help meArticle is hard to understandDidn`t answer my questionContent does not match the topicOther

Found a typo? Highlight the text, press ctrl + enter and notify us