Updated on 2025-02-28 GMT+08:00

How Do I Obtain a TLS Key Certificate?

Scenario

If your ingress needs to use HTTPS, you must configure a secret of the IngressTLS or kubernetes.io/tls type when creating an ingress.

The certificate file uploaded in the secret data must match the private key file. Otherwise, the certificate file becomes invalid.

Solution

Generally, you need to obtain a valid certificate from the certificate provider. If you want to use it in the test environment, you can create a certificate and private key by the performing the following steps.

Self-created certificates apply only to test scenarios. Such certificates are invalid and will affect browser access. Manually upload a valid one to ensure secure connections.

  1. Generate a tls.key.
    openssl genrsa -out tls.key 2048

    The command will generate a private tls.key in the directory where the command is executed.

  2. Generate a certificate using the private tls.key.
    openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=******/O=Devops/CN=example.com -days 3650

    The generated key must be in the following format:

    ----BEGIN RSA PRIVATE KEY-----
    ...........................................................
    -----END RSA PRIVATE KEY-----

    The generated certificate must be in the following format:

    -----BEGIN CERTIFICATE-----
    ................................................................
    -----END CERTIFICATE-----
  3. Import the certificate.

    When creating a TLS secret, import the certificate and private key file to the corresponding location.

Verification

The ingress address can be accessed through a browser. However, the certificate and secret are not issued by the CA, so the CA does not recognize them and shows a message saying they are insecure.