The first files we need to generate are those for our certificate authority (CA), which will sign the certificates of all the other components. Anyone holding the CA's private key can mint a certificate that every component trusts, so this key stays on the management VM and is never copied to the nodes.
We will store all of our certificates under the ~/certs/ directory, so the first step is to create it. Let's set this up using the following command:
johndoe@management-vm$ mkdir ~/certs
Now that we have the directory, let's generate the CA configuration file. It defines the signing profiles the CA will use, including the expiry of the certificates it issues (8760h is one year) and the key usages those certificates are allowed for. The kubernetes profile carries both server auth and client auth because several components (the kubelet, for instance) act as both a server and a client. Use the following command:
johndoe@management-vm$ cd ~/certs
johndoe@management-vm$ cat << EOF > ca-config.json
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "8760h"
      }
    }
  }
}
EOF
With the CA config in place, we can write the certificate signing request (CSR) definitions that cfssl consumes.
The first CSR definition is for the CA itself: it sets the subject (CN and names) and asks for a 2048-bit RSA key. Note that ca-config.json does not govern the CA's own lifetime; cfssl takes that from an optional "ca" block in this CSR file and, when that block is absent as it is here, defaults to five years. Let's set this up using the following command:
johndoe@management-vm$ cat << EOF > ca-csr.json
{
  "CN": "Kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "New York",
      "O": "Kubernetes",
      "OU": "CA",
      "ST": "NY"
    }
  ]
}
EOF
Now that we have both JSON files, we can use cfssl to generate the CA, piping its JSON output through cfssljson to split it into PEM files, with the following command:
johndoe@management-vm$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca
As shown in the following listing, three files are generated: ca.csr, ca.pem, and ca-key.pem. The first, ca.csr, is the certificate signing request and is not needed again. The other two are the CA's public certificate and its private key respectively: ca.pem is what every component will be given so it can verify its peers, while ca-key.pem must stay on the management VM. Check that the key is readable only by you (ls -l ca-key.pem should show -rw-------) before moving on:
johndoe@management-vm$ ls
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
The same three files (a .csr, a .pem certificate, and a -key.pem private key) will be produced for every certificate we generate from here on.
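The whole CA procedure above as one script with the checks a practitioner would add before and after calling cfssl. This is an added example, not code from the original text. It assumes cfssl, cfssljson and openssl are installed on the management VM and uses python3 for the JSON sanity checks; the helper names, the CERT_DIR variable and the explicit "ca" expiry block written into the CSR are this example's own choices, not part of the original files.

```shell
#!/usr/bin/env sh
# Added example, not part of the original text: the CA steps as a small script
# with checks. Function names, CERT_DIR and the "ca" expiry block in the CSR
# are assumptions of this example; python3 is assumed for the JSON checks.
set -eu

CERT_DIR="${CERT_DIR:-$HOME/certs}"

# ca-config.json: these "expiry" values apply to certificates the CA issues,
# not to the CA certificate itself. 8760h is one year.
write_ca_config() {
  local dir="$1" expiry="${2:-8760h}"
  cat > "$dir/ca-config.json" <<EOF
{
  "signing": {
    "default": { "expiry": "$expiry" },
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "$expiry"
      }
    }
  }
}
EOF
}

# ca-csr.json: same subject as in the text, plus an explicit "ca" block so the
# CA's own lifetime is stated rather than left to cfssl's default (five years).
write_ca_csr() {
  local dir="$1" ca_expiry="${2:-43800h}"
  cat > "$dir/ca-csr.json" <<EOF
{
  "CN": "Kubernetes",
  "key": { "algo": "rsa", "size": 2048 },
  "ca": { "expiry": "$ca_expiry" },
  "names": [
    { "C": "US", "L": "New York", "O": "Kubernetes", "OU": "CA", "ST": "NY" }
  ]
}
EOF
}

# Sanity-check both inputs before cfssl sees them: they must be valid JSON,
# the kubernetes profile must allow both server auth and client auth (several
# components act as both), and the CA key must not be undersized.
check_ca_inputs() {
  local dir="$1"
  python3 - "$dir" <<'PY'
import json, os, sys
d = sys.argv[1]
with open(os.path.join(d, "ca-config.json")) as f:
    cfg = json.load(f)
with open(os.path.join(d, "ca-csr.json")) as f:
    csr = json.load(f)
usages = set(cfg["signing"]["profiles"]["kubernetes"]["usages"])
missing = {"server auth", "client auth"} - usages
if missing:
    sys.exit("kubernetes profile lacks usages: %s" % sorted(missing))
key = csr["key"]
if key["algo"] == "rsa" and key["size"] < 2048:
    sys.exit("RSA CA key too small: %d bits" % key["size"])
if not csr.get("CN"):
    sys.exit("ca-csr.json has no CN")
PY
}

# Run cfssl exactly as in the text, then verify the result: ca.pem must be
# marked CA:TRUE, ca-key.pem must match it, and the key must be owner-only.
gen_ca() {
  local dir="$1"
  if ! command -v cfssl >/dev/null 2>&1 || ! command -v cfssljson >/dev/null 2>&1; then
    echo "cfssl and cfssljson are required" >&2; return 2
  fi
  (cd "$dir" && cfssl gencert -initca ca-csr.json | cfssljson -bare ca)
  chmod 600 "$dir/ca-key.pem"
  if command -v openssl >/dev/null 2>&1; then
    openssl x509 -in "$dir/ca.pem" -noout -text | grep -q 'CA:TRUE' \
      || { echo "ca.pem is not marked as a CA" >&2; return 1; }
    [ "$(openssl x509 -in "$dir/ca.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/ca-key.pem" -pubout)" ] \
      || { echo "ca-key.pem does not match ca.pem" >&2; return 1; }
    openssl x509 -in "$dir/ca.pem" -noout -subject -enddate
  fi
}

main() {
  mkdir -p "$CERT_DIR"
  write_ca_config "$CERT_DIR"
  write_ca_csr "$CERT_DIR"
  check_ca_inputs "$CERT_DIR"
  gen_ca "$CERT_DIR"
}

# Runs only when invoked as: sh ca-setup.sh run
case "${1:-}" in run) main ;; esac
```

Invoke the script with run as its argument to build the CA. The input check rejects a ca-config.json whose kubernetes profile lacks either server auth or client auth before cfssl is ever called, and the post-generation check catches a ca.pem that is not actually a CA certificate or a key that does not belong to it, which is cheaper to find now than after every component has been issued a certificate from it.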