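# Download the cfssl binary and check it against the checksum published for the
# release before it is ever executed; <EXPECTED_SHA256_CFSSL> is a placeholder
# for that value (the check fails until it is filled in).
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
printf '%s  %s\n' "<EXPECTED_SHA256_CFSSL>" cfssl_linux-amd64 | sha256sum -c -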
Set execute permissions on cfssl
# Mark the downloaded cfssl binary executable.
chmod +x -- cfssl_linux-amd64
Move the cfssl binary to /opt/bin
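# Install into /opt/bin, as the step text and the cfssljson step both say;
# /usr/bin is read-only on Container Linux style hosts, so the original
# target would not work there.
sudo mv -- cfssl_linux-amd64 /opt/bin/cfssl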
Download cfssljson binary
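# Download the cfssljson binary and check it against the checksum published for
# the release before it is ever executed; <EXPECTED_SHA256_CFSSLJSON> is a
# placeholder for that value (the check fails until it is filled in).
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
printf '%s  %s\n' "<EXPECTED_SHA256_CFSSLJSON>" cfssljson_linux-amd64 | sha256sum -c -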
Set execute permissions on cfssljson
# Mark the downloaded cfssljson binary executable.
chmod +x -- cfssljson_linux-amd64
Move the cfssljson binary to /opt/bin
# Install cfssljson next to cfssl under /opt/bin.
sudo mv -- cfssljson_linux-amd64 /opt/bin/cfssljson
Create the CA public certificate and private key to be used to sign certificates for various Kubernetes components
Create the CA configuration file
# Signing profiles for the cluster CA. Every profile shares a 43800h (five-year)
# lifetime; shorten it if your rotation policy calls for it. The quoted heredoc
# delimiter keeps the JSON free of shell expansion.
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "43800h"
    },
    "profiles": {
      "identity-server": {
        "expiry": "43800h",
        "usages": [
          "server auth"
        ]
      },
      "identity-client": {
        "expiry": "43800h",
        "usages": [
          "client auth"
        ]
      },
      "etcd-server": {
        "expiry": "43800h",
        "usages": [
          "key encipherment",
          "server auth"
        ]
      },
      "etcd-client": {
        "expiry": "43800h",
        "usages": [
          "key encipherment",
          "client auth"
        ]
      },
      "etcd-peer": {
        "expiry": "43800h",
        "usages": [
          "key encipherment",
          "server auth",
          "client auth"
        ]
      },
      "apiserver": {
        "expiry": "43800h",
        "usages": [
          "digital signature",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      },
      "apiserver-proxy": {
        "expiry": "43800h",
        "usages": [
          "digital signature",
          "key encipherment",
          "client auth"
        ]
      },
      "kubelet": {
        "expiry": "43800h",
        "usages": [
          "digital signature",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      },
      "ingress": {
        "expiry": "43800h",
        "usages": [
          "digital signature",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
Create the CA csr config file
# CSR for the self-signed cluster CA (RSA 2048, CN kube-ca, O bootkube).
cat > ca-csr.json <<'EOF'
{
  "CN": "kube-ca",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "",
      "L": "",
      "O": "bootkube",
      "OU": "",
      "ST": ""
    }
  ]
}
EOF
Generate a signed CA public certificate and private key
# -initca self-signs the CSR; cfssljson writes ca.pem and ca-key.pem, the
# names the following steps rely on.
cfssljson -bare ca < <(cfssl gencert -initca ca-csr.json)
Verify the CA cert can sign other certificates.
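# At this point the CA cert is still in the working directory (it is moved to
# /path/to/ only in a later step), so inspect ca.pem here, not /path/to/ca.pem.
openssl x509 -noout -text -in ca.pem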
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:2
Verify the public key in the signed CA certificate matches the CA private key (the two moduli printed below must be identical)
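# The CA key and certificate must carry the same RSA modulus. Comparing the two
# outputs with diff turns a visual check into a pass/fail one: diff exits
# non-zero and prints both values if they differ.
diff <(openssl rsa -noout -modulus -in ca-key.pem) \
     <(openssl x509 -noout -modulus -in ca.pem) && echo "CA key matches ca.pem"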
Create a directory for certs
# Directory that will hold every certificate and key produced below.
mkdir -p -- /path/to/
Move the CA cert and key into the cert directory
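# Install the CA cert and key. The key is the root of trust for every
# certificate issued below, so make it readable by its owner only.
mv -- ca.pem /path/to/ca.pem
mv -- ca-key.pem /path/to/ca.key
chmod 0600 -- /path/to/ca.key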
Create the Kubernetes server csr config file
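# CSR for the Tectonic Identity server certificate. TLS clients match a server
# certificate on its Subject Alternative Names rather than its CN, so the
# service name is listed under "hosts" as well as in "CN"; an empty "hosts"
# list would issue a server cert with no SAN at all.
cat > identity-server.json <<'EOF'
{
  "CN": "tectonic-identity-api.tectonic-system.svc.cluster.local",
  "hosts": [
    "tectonic-identity-api.tectonic-system.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  }
}
EOF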
Generate the Tectonic Identity server public certificate and private key
# Sign the identity-server CSR with the cluster CA using the identity-server
# profile from ca-config.json; cfssljson writes identity-server.pem and
# identity-server-key.pem.
ca_opts=(-ca=/path/to/ca.pem -ca-key=/path/to/ca.key -config=ca-config.json)
cfssl gencert "${ca_opts[@]}" -profile=identity-server identity-server.json \
  | cfssljson -bare identity-server
Delete the Tectonic Identity server config and csr
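# Only regular files are removed here; -r is unnecessary and would silently
# recurse into a directory if a name were ever mistyped.
rm -f -- identity-server.json identity-server.csr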
Move the Tectonic Identity server certs and keys to the directory
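# Install the cert and key. The key's file mode after cfssljson is not shown
# in this guide, so restrict it to the owner explicitly.
mv -- identity-server.pem /path/to/identity-server.pem
mv -- identity-server-key.pem /path/to/identity-server.key
chmod 0600 -- /path/to/identity-server.key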
Verify the signed identity server certificate carries the following Extended Key Usage:
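# Print the issued extensions, then confirm the certificate actually chains to
# the cluster CA; reading the text output alone does not check the signature.
openssl x509 -noout -text -in /path/to/identity-server.pem
openssl verify -CAfile /path/to/ca.pem /path/to/identity-server.pem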
Certificate:
...
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:FALSE
Create the identity client csr config
# CSR for the Tectonic Identity client certificate. It reuses the server's CN;
# "hosts" stays empty because a client cert is not matched on a hostname.
cat > identity-client.json <<'EOF'
{
  "CN": "tectonic-identity-api.tectonic-system.svc.cluster.local",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  }
}
EOF
Generate the Tectonic Identity client public certificate and private key
# Sign the identity-client CSR with the cluster CA using the identity-client
# profile; cfssljson writes identity-client.pem and identity-client-key.pem.
ca_opts=(-ca=/path/to/ca.pem -ca-key=/path/to/ca.key -config=ca-config.json)
cfssl gencert "${ca_opts[@]}" -profile=identity-client identity-client.json \
  | cfssljson -bare identity-client
Delete the Tectonic Identity client config and csr
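# Only regular files are removed here; -r is unnecessary and would silently
# recurse into a directory if a name were ever mistyped.
rm -f -- identity-client.json identity-client.csr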
Move the Tectonic Identity client certs and keys into the cert directory
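# Install the cert and key. The key's file mode after cfssljson is not shown
# in this guide, so restrict it to the owner explicitly.
mv -- identity-client.pem /path/to/identity-client.pem
mv -- identity-client-key.pem /path/to/identity-client.key
chmod 0600 -- /path/to/identity-client.key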
Verify the signed identity client certificate carries the following Extended Key Usage:
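# Print the issued extensions, then confirm the certificate actually chains to
# the cluster CA; reading the text output alone does not check the signature.
openssl x509 -noout -text -in /path/to/identity-client.pem
openssl verify -CAfile /path/to/ca.pem /path/to/identity-client.pem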
Certificate:
...
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
Create the etcd-server csr config
# CSR for the etcd server certificate. "hosts" becomes the SAN list: the
# external etcd name (placeholders to be replaced), the in-cluster service
# names, and the IPs clients connect to.
cat > etcd-server-csr.json <<'EOF'
{
  "CN": "etcd",
  "hosts": [
    "<tectonic_cluster_name>-etcd-0.<tectonic_base_domain>",
    "localhost",
    "*.kube-etcd.kube-system.svc.cluster.local",
    "kube-etcd-client.kube-system.svc.cluster.local",
    "127.0.0.1",
    "10.3.0.15",
    "10.3.0.20"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "",
      "L": "",
      "O": "etcd",
      "OU": "",
      "ST": ""
    }
  ]
}
EOF
Use the CA certificate, CA private key, and CA config file to generate the
etcd-server public certificate and private key
# Sign the etcd-server CSR with the cluster CA using the etcd-server profile;
# cfssljson writes etcd-server.pem and etcd-server-key.pem.
ca_opts=(-ca=/path/to/ca.pem -ca-key=/path/to/ca.key -config=ca-config.json)
cfssl gencert "${ca_opts[@]}" -profile=etcd-server etcd-server-csr.json \
  | cfssljson -bare etcd-server
Remove the etcd-server config and csr
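# Only regular files are removed here; -r is unnecessary and would silently
# recurse into a directory if a name were ever mistyped.
rm -f -- etcd-server-csr.json etcd-server.csr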
Move the certificates to the cert directory
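# Install the cert and key. The key's file mode after cfssljson is not shown
# in this guide, so restrict it to the owner explicitly.
mv -- etcd-server.pem /path/to/etcd-server.pem
mv -- etcd-server-key.pem /path/to/etcd-server.key
chmod 0600 -- /path/to/etcd-server.key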
Verify the etcd-server certificate looks similar to below
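# Print the issued extensions, then confirm the certificate actually chains to
# the cluster CA; reading the text output alone does not check the signature.
openssl x509 -noout -text -in /path/to/etcd-server.pem
openssl verify -CAfile /path/to/ca.pem /path/to/etcd-server.pem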
X509v3 extensions:
X509v3 Key Usage: critical
Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:17:C3:55:E8:E1:C2:D2:F0:AA:2E:FB:30:3D:E6:DA:C6:A1:2E:71:67
X509v3 Subject Alternative Name:
DNS:<tectonic_cluster_name>-etcd-0.<tectonic_base_domain>, DNS:localhost, DNS:*.kube-etcd.kube-system.svc.cluster.local, DNS:kube-etcd-client.kube-system.svc.cluster.local, IP Address:127.0.0.1, IP Address:10.3.0.15, IP Address:10.3.0.20
Create the etcd-client csr config
# CSR for the etcd client certificate; no "hosts" since it is presented by
# clients, not matched against a server name.
cat > etcd-client-csr.json <<'EOF'
{
  "CN": "etcd",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "",
      "L": "",
      "O": "etcd",
      "OU": "",
      "ST": ""
    }
  ]
}
EOF
Use the CA certificate, CA private key, and CA config file to generate the
etcd-client public certificate and private key
# Sign the etcd-client CSR with the cluster CA using the etcd-client profile;
# cfssljson writes etcd-client.pem and etcd-client-key.pem.
ca_opts=(-ca=/path/to/ca.pem -ca-key=/path/to/ca.key -config=ca-config.json)
cfssl gencert "${ca_opts[@]}" -profile=etcd-client etcd-client-csr.json \
  | cfssljson -bare etcd-client
Remove the etcd-client config and csr
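# Only regular files are removed here; -r is unnecessary and would silently
# recurse into a directory if a name were ever mistyped.
rm -f -- etcd-client-csr.json etcd-client.csr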
Move the certificates to the cert directory
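# Install the cert and key. The key's file mode after cfssljson is not shown
# in this guide, so restrict it to the owner explicitly.
mv -- etcd-client.pem /path/to/etcd-client.pem
mv -- etcd-client-key.pem /path/to/etcd-client.key
chmod 0600 -- /path/to/etcd-client.key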
Verify the etcd-client certificate looks similar to below
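# Print the issued extensions, then confirm the certificate actually chains to
# the cluster CA; reading the text output alone does not check the signature.
openssl x509 -noout -text -in /path/to/etcd-client.pem
openssl verify -CAfile /path/to/ca.pem /path/to/etcd-client.pem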
X509v3 extensions:
X509v3 Key Usage: critical
Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
Create the etcd-peer csr config
# CSR for the etcd peer certificate (used both ways between members, hence the
# etcd-peer profile's server and client auth). "hosts" becomes the SAN list.
cat > etcd-peer-csr.json <<'EOF'
{
  "CN": "etcd",
  "hosts": [
    "<tectonic_cluster_name>-etcd-0.<tectonic_base_domain>",
    "*.kube-etcd.kube-system.svc.cluster.local",
    "kube-etcd-client.kube-system.svc.cluster.local",
    "10.3.0.15",
    "10.3.0.20"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "",
      "L": "",
      "O": "etcd",
      "OU": "",
      "ST": ""
    }
  ]
}
EOF
Use the CA certificate, CA private key, and CA config file to generate the
etcd peer public certificate and private key
# Sign the etcd-peer CSR with the cluster CA using the etcd-peer profile;
# cfssljson writes etcd-peer.pem and etcd-peer-key.pem.
ca_opts=(-ca=/path/to/ca.pem -ca-key=/path/to/ca.key -config=ca-config.json)
cfssl gencert "${ca_opts[@]}" -profile=etcd-peer etcd-peer-csr.json \
  | cfssljson -bare etcd-peer
Remove the etcd-peer config and csr
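# Only regular files are removed here; -r is unnecessary and would silently
# recurse into a directory if a name were ever mistyped.
rm -f -- etcd-peer-csr.json etcd-peer.csr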
Move the certificates to the cert directory
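# Install the cert and key. The key's file mode after cfssljson is not shown
# in this guide, so restrict it to the owner explicitly.
mv -- etcd-peer.pem /path/to/etcd-peer.pem
mv -- etcd-peer-key.pem /path/to/etcd-peer.key
chmod 0600 -- /path/to/etcd-peer.key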
Verify the etcd-peer certificate looks similar to below
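# Print the issued extensions, then confirm the certificate actually chains to
# the cluster CA; reading the text output alone does not check the signature.
openssl x509 -noout -text -in /path/to/etcd-peer.pem
openssl verify -CAfile /path/to/ca.pem /path/to/etcd-peer.pem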
X509v3 extensions:
X509v3 Key Usage: critical
Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:17:C3:55:E8:E1:C2:D2:F0:AA:2E:FB:30:3D:E6:DA:C6:A1:2E:71:67
X509v3 Subject Alternative Name:
DNS:<tectonic_cluster_name>-etcd-0.<tectonic_base_domain>, DNS:*.kube-etcd.kube-system.svc.cluster.local, DNS:kube-etcd-client.kube-system.svc.cluster.local, IP Address:10.3.0.15, IP Address:10.3.0.20
Create the apiserver csr config
# CSR for the kube-apiserver certificate. "hosts" must cover every name and IP
# clients use to reach the API: the external name (placeholders to be
# replaced), the in-cluster "kubernetes" service names, and its cluster IP.
cat > apiserver-csr.json <<'EOF'
{
  "CN": "kube-apiserver",
  "hosts": [
    "<tectonic_cluster_name>-api.<tectonic_base_domain>",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster.local",
    "10.3.0.1"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "",
      "L": "",
      "O": "kube-master",
      "OU": "",
      "ST": ""
    }
  ]
}
EOF
Use the CA certificate, CA private key, and CA config file to generate the
kube-apiserver public certificate and private key
# Sign the apiserver CSR with the cluster CA using the apiserver profile;
# cfssljson writes apiserver.pem and apiserver-key.pem.
ca_opts=(-ca=/path/to/ca.pem -ca-key=/path/to/ca.key -config=ca-config.json)
cfssl gencert "${ca_opts[@]}" -profile=apiserver apiserver-csr.json \
  | cfssljson -bare apiserver
Remove the apiserver config and csr
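# Only regular files are removed here; -r is unnecessary and would silently
# recurse into a directory if a name were ever mistyped.
rm -f -- apiserver-csr.json apiserver.csr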
Move the certificates to the cert directory
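# Install the cert and key. The key's file mode after cfssljson is not shown
# in this guide, so restrict it to the owner explicitly.
mv -- apiserver.pem /path/to/apiserver.pem
mv -- apiserver-key.pem /path/to/apiserver.key
chmod 0600 -- /path/to/apiserver.key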
Verify the apiserver certificate looks similar to below
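# Print the issued extensions, then confirm the certificate actually chains to
# the cluster CA; reading the text output alone does not check the signature.
openssl x509 -noout -text -in /path/to/apiserver.pem
openssl verify -CAfile /path/to/ca.pem /path/to/apiserver.pem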
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:A1:55:68:06:88:F7:74:C8:2E:06:84:D9:18:27:F6:34:A8:6E:52:17
X509v3 Subject Alternative Name:
DNS:<tectonic_cluster_name>-api.<tectonic_base_domain>, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.3.0.1
Create the apiserver-proxy csr config
# CSR for the kube-apiserver-proxy certificate; same host list as the
# apiserver CSR, signed with the apiserver-proxy profile (client auth only).
cat > apiserver-proxy-csr.json <<'EOF'
{
  "CN": "kube-apiserver-proxy",
  "hosts": [
    "<tectonic_cluster_name>-api.<tectonic_base_domain>",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster.local",
    "10.3.0.1"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "",
      "L": "",
      "O": "kube-master",
      "OU": "",
      "ST": ""
    }
  ]
}
EOF
Use the CA certificate, CA private key, and CA config file to generate the
kube-apiserver-proxy public certificate and private key
# Sign the apiserver-proxy CSR with the cluster CA using the apiserver-proxy
# profile; cfssljson writes apiserver-proxy.pem and apiserver-proxy-key.pem.
ca_opts=(-ca=/path/to/ca.pem -ca-key=/path/to/ca.key -config=ca-config.json)
cfssl gencert "${ca_opts[@]}" -profile=apiserver-proxy apiserver-proxy-csr.json \
  | cfssljson -bare apiserver-proxy
Remove the apiserver-proxy config and csr
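# Only regular files are removed here; -r is unnecessary and would silently
# recurse into a directory if a name were ever mistyped.
rm -f -- apiserver-proxy-csr.json apiserver-proxy.csr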
Move the certificates to the cert directory
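# Install the cert and key. The key's file mode after cfssljson is not shown
# in this guide, so restrict it to the owner explicitly.
mv -- apiserver-proxy.pem /path/to/apiserver-proxy.pem
mv -- apiserver-proxy-key.pem /path/to/apiserver-proxy.key
chmod 0600 -- /path/to/apiserver-proxy.key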
Verify the apiserver-proxy certificate looks similar to below
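# Print the issued extensions, then confirm the certificate actually chains to
# the cluster CA; reading the text output alone does not check the signature.
openssl x509 -noout -text -in /path/to/apiserver-proxy.pem
openssl verify -CAfile /path/to/ca.pem /path/to/apiserver-proxy.pem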
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:A1:55:68:06:88:F7:74:C8:2E:06:84:D9:18:27:F6:34:A8:6E:52:17
X509v3 Subject Alternative Name:
DNS:<tectonic_cluster_name>-api.<tectonic_base_domain>, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.3.0.1
Create the kubelet csr config
# CSR for the kubelet certificate. NOTE(review): the "O" of "system:masters"
# is the group Kubernetes' default RBAC bindings treat as cluster-admin, so
# the resulting kubelet.key is effectively an admin credential; store and
# rotate it with the same care as the CA key.
cat > kubelet-csr.json <<'EOF'
{
  "CN": "kubelet",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "",
      "L": "",
      "O": "system:masters",
      "OU": "",
      "ST": ""
    }
  ]
}
EOF
Use the CA certificate, CA private key, and CA config file to generate the
kubelet public certificate and private key
# Sign the kubelet CSR with the cluster CA using the kubelet profile;
# cfssljson writes kubelet.pem and kubelet-key.pem.
ca_opts=(-ca=/path/to/ca.pem -ca-key=/path/to/ca.key -config=ca-config.json)
cfssl gencert "${ca_opts[@]}" -profile=kubelet kubelet-csr.json \
  | cfssljson -bare kubelet
Remove the kubelet config and csr
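# Only regular files are removed here; -r is unnecessary and would silently
# recurse into a directory if a name were ever mistyped.
rm -f -- kubelet-csr.json kubelet.csr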
Move the certificates to the cert directory
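# Install the cert and key. The key's file mode after cfssljson is not shown
# in this guide, so restrict it to the owner explicitly.
mv -- kubelet.pem /path/to/kubelet.pem
mv -- kubelet-key.pem /path/to/kubelet.key
chmod 0600 -- /path/to/kubelet.key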
Verify the kubelet certificate looks similar to below
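# Print the issued extensions, then confirm the certificate actually chains to
# the cluster CA; reading the text output alone does not check the signature.
openssl x509 -noout -text -in /path/to/kubelet.pem
openssl verify -CAfile /path/to/ca.pem /path/to/kubelet.pem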
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
Create the ingress csr config
# CSR for the ingress certificate; the cluster's public name (placeholders to
# be replaced) is both the CN and the single SAN entry.
cat > ingress.json <<'EOF'
{
  "CN": "<tectonic_cluster_name>.<tectonic_base_domain>",
  "hosts": [
    "<tectonic_cluster_name>.<tectonic_base_domain>"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "",
      "L": "",
      "O": "",
      "OU": "",
      "ST": ""
    }
  ]
}
EOF
Use the CA certificate, CA private key, and CA config file to generate the
ingress public certificate and private key
# Sign the ingress CSR with the cluster CA using the ingress profile;
# cfssljson writes ingress.pem and ingress-key.pem.
ca_opts=(-ca=/path/to/ca.pem -ca-key=/path/to/ca.key -config=ca-config.json)
cfssl gencert "${ca_opts[@]}" -profile=ingress ingress.json \
  | cfssljson -bare ingress
Remove the ingress config and csr
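# The CSR config was written as ingress.json (not ingress-csr.json), so the
# original name here left the file behind. Only regular files are removed;
# -r is unnecessary and would silently recurse if a name were mistyped.
rm -f -- ingress.json ingress.csr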
Move the certificates to the cert directory
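# Install the cert and key. The key's file mode after cfssljson is not shown
# in this guide, so restrict it to the owner explicitly.
mv -- ingress.pem /path/to/ingress.pem
mv -- ingress-key.pem /path/to/ingress.key
chmod 0600 -- /path/to/ingress.key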
Verify the ingress certificate looks similar to below
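# Print the issued extensions, then confirm the certificate actually chains to
# the cluster CA; reading the text output alone does not check the signature.
openssl x509 -noout -text -in /path/to/ingress.pem
openssl verify -CAfile /path/to/ca.pem /path/to/ingress.pem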
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:A1:55:68:06:88:F7:74:C8:2E:06:84:D9:18:27:F6:34:A8:6E:52:17
X509v3 Subject Alternative Name:
DNS:<tectonic_cluster_name>.<tectonic_base_domain>