
How Do I Obtain an Ingress TLS Certificate?

Scenario

An ingress TLS certificate is required if there are inbound HTTPS requests to a Service that is externally reachable through an ingress.

Figure 1 Creating an ingress

Create an ingress TLS certificate, as shown in Figure 2.

Figure 2 Creating a secret

The certificate file to be uploaded must match the private key file. A certificate that does not match its private key is invalid.

Solution

To create a certificate and a private key, perform the following steps:

Self-signed certificates are suitable only for test scenarios. Such certificates are invalid and will affect browser access. Manually upload a valid certificate to ensure secure connections. For details about how to purchase a valid certificate, see Purchasing a Certificate.

  1. Generate the private key tls.key.
    openssl genrsa -out tls.key 2048

    The command generates the private key file tls.key in the directory where the command is executed.

  2. Generate a certificate using the private key tls.key.
    openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Beijing/O=Devops/CN=example.com -days 3650

    The generated key must be in the following format:

    -----BEGIN RSA PRIVATE KEY-----
    ...........................................................
    -----END RSA PRIVATE KEY-----

    The generated certificate must be in the following format:

    -----BEGIN CERTIFICATE-----
    ................................................................
    -----END CERTIFICATE-----

  3. Import the certificate.

    Select the ingress TLS certificate from the Key Certificate drop-down list on the Create Ingress page to import the certificate.
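
Because the uploaded certificate must match the private key, it is worth checking the pair locally before the import in step 3. The script below is an added example, not part of the original page: it repeats steps 1 and 2 for a test pair, reports the PEM labels, and compares the public key in the certificate with the one derived from the key. The function names and the script name check_tls_pair.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): pre-upload checks for an
# ingress TLS certificate and key. Function names are hypothetical.

# Steps 1 and 2 of the page: create tls.key and a self-signed tls.crt in $1.
make_test_pair() {
    openssl genrsa -out "$1/tls.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/tls.key" -out "$1/tls.crt" \
        -subj "/C=CN/ST=Beijing/O=Devops/CN=example.com" -days 3650
}

# Print the PEM label found on the first line, e.g. "CERTIFICATE".
pem_label() {
    sed -n '1s/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Return 0 if the certificate's public key equals the one derived from the
# private key, 1 if they differ, 2 if either file cannot be parsed.
tls_pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate is still within its validity period.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Usage: sh check_tls_pair.sh tls.crt tls.key
if [ "$#" -eq 2 ]; then
    echo "certificate label: $(pem_label "$1")"
    echo "key label:         $(pem_label "$2")"
    if ! cert_not_expired "$1"; then echo "certificate has expired"; exit 1; fi
    if tls_pair_matches "$1" "$2"; then
        echo "certificate and key match"
    else
        echo "certificate and key do NOT match (or could not be read)"; exit 1
    fi
fi
```

The comparison works on the public key rather than the RSA modulus, so it also applies to non-RSA keys.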

Verification

External access to the service is successful. However, the certificate and key are not issued by a CA, so the address bar shows that the connection to nginx is not secure.

Figure 3 Verification result