Updated on 2024-07-04 GMT+08:00

How Do I Obtain a TLS Key Certificate?

Scenario

If your ingress needs to use HTTPS, you must configure a secret of the IngressTLS or kubernetes.io/tls type when creating an ingress.

Create an IngressTLS key certificate, as shown in Figure 1.

Figure 1 Creating a secret

The certificate file to be uploaded must match the private key file. Otherwise, the certificate file becomes invalid.

Solution

Generally, you need to obtain a valid certificate from a certificate provider. If you only want to use it in a test environment, you can create a certificate and private key by performing the following steps.

Self-created (self-signed) certificates apply only to test scenarios. Browsers do not trust such certificates and will warn when the ingress is accessed. Manually upload a valid, CA-issued certificate to ensure secure connections.

  1. Generate a tls.key.
    openssl genrsa -out tls.key 2048

    The command generates a private key file named tls.key in the directory where the command is executed.

  2. Generate a certificate using the private tls.key.
    openssl req -new -x509 -key tls.key -out tls.crt -subj /C=CN/ST=Beijing/O=Devops/CN=example.com -days 3650

    The generated key must be in the following format:

    -----BEGIN RSA PRIVATE KEY-----
    ...........................................................
    -----END RSA PRIVATE KEY-----

    The generated certificate must be in the following format:

    -----BEGIN CERTIFICATE-----
    ................................................................
    -----END CERTIFICATE-----
  3. Import the certificate.

    When creating a TLS secret, import the certificate and private key file to the corresponding location.
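The three steps above, carried out as one script: this is an added example, not part of the CCE documentation and not CCE's own tooling. It assumes openssl and base64 are on PATH, and the host name, secret name and namespace are hypothetical. Beyond the steps on the page, it checks that the certificate really matches the private key (the mismatch the Scenario section warns about) before rendering the kubernetes.io/tls Secret manifest that the console builds for you when you upload both files.

```shell
# Added example (not from the CCE documentation): generate a self-signed
# key/certificate pair for a test environment, verify that the certificate
# matches the private key, and render a kubernetes.io/tls Secret manifest.
# Assumed: openssl and base64 are on PATH. Host name, secret name and
# namespace below are hypothetical values.
set -eu

# Step 1 and 2: 2048-bit RSA private key plus a self-signed certificate for
# the given CN. Output files: $1/tls.key and $1/tls.crt.
gen_test_pair() {
  dir="$1"; cn="$2"
  openssl genrsa -out "$dir/tls.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/tls.key" -out "$dir/tls.crt" \
    -subj "/C=CN/ST=Beijing/O=Devops/CN=$cn" -days 3650 2>/dev/null
}

# Return 0 when the public key inside the certificate equals the public key
# derived from the private key, 1 otherwise. Comparing SHA-256 digests of the
# DER-encoded public keys works for RSA and EC keys alike.
pair_matches() {
  key="$1"; crt="$2"
  k=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}')
  c=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}')
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Step 3: print the Secret manifest the console creates from the two files.
# Refuses to render a secret whose certificate and key do not match, since
# such a secret is unusable by the ingress.
render_tls_secret() {
  name="$1"; ns="$2"; key="$3"; crt="$4"
  pair_matches "$key" "$crt" || {
    echo "certificate $crt does not match private key $key" >&2
    return 1
  }
  crt_b64=$(base64 < "$crt" | tr -d '\n')
  key_b64=$(base64 < "$key" | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/tls
data:
  tls.crt: $crt_b64
  tls.key: $key_b64
EOF
}

# Usage (hypothetical names):
#   workdir=$(mktemp -d)
#   gen_test_pair "$workdir" example.com
#   render_tls_secret example-tls default "$workdir/tls.key" "$workdir/tls.crt" > tls-secret.yaml
```

Note that OpenSSL 3.x writes the key in PKCS#8 form (header BEGIN PRIVATE KEY); if whatever consumes the secret insists on the BEGIN RSA PRIVATE KEY header shown on this page, pass -traditional to openssl genrsa.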

Verification

Accessing the ingress from a browser succeeds. However, because the certificate in the secret was not issued by a CA, the address bar shows that the connection to nginx is not secure.

Figure 2 Verification result