self signed cert - cniackz/public GitHub Wiki

  1. Create the private key
openssl genrsa -out private.key 2048
  1. Create the cert.cnf file:
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
O = "system:nodes"
C = US
CN  = "system:node:testing.minio-testing.svc"

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = testing
DNS.2 = testing.minio-testing.svc
DNS.3 = testing.minio-testing.svc.cluster.local
DNS.4 = minio-testing-service.minio-testing.svc
  1. Create the testing.csr file:
openssl req -new -config cert.cnf -key private.key -out testing.csr
  1. Encode the testing.csr:
cat testing.csr | base64 --wrap=0
  1. Create the CSR with the above output:
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: testing-csr
spec:
  groups:
  - system:serviceaccounts
  - system:serviceaccounts:minio-testing
  - system:authenticated
  - system:nodes
  request: <base64 output of the previous step>
  signerName: kubernetes.io/kubelet-serving
  usages:
  - digital signature
  - key encipherment
  - server auth
  username: system:serviceaccount:minio-testing:minio-testing
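
The encode and manifest steps above can be scripted so the base64 text is never copied by hand. This is an added example, not part of the original wiki page: `csr_manifest` is a hypothetical helper name, and the manifest it prints leaves out `groups` and `username` on the assumption that the API server populates those fields when the object is created.

```shell
#!/bin/sh
# Added example: build testing-csr.yaml from testing.csr without copy-pasting.
# csr_manifest is a hypothetical helper name, not part of oc or openssl.

csr_manifest() {
    csr_file=$1
    csr_name=${2:-testing-csr}

    # Refuse anything that is not a PEM CSR. The common slip is passing
    # private.key, which would store the key in a cluster API object.
    first_line=$(head -n 1 "$csr_file") || return 1
    case $first_line in
        "-----BEGIN CERTIFICATE REQUEST-----") ;;
        *) echo "csr_manifest: $csr_file is not a PEM CSR" >&2; return 1 ;;
    esac

    # Portable replacement for the GNU-only `base64 --wrap=0`.
    request=$(base64 < "$csr_file" | tr -d '\n')

    # signerName and usages are the values used in the manifest above.
    cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $csr_name
spec:
  request: $request
  signerName: kubernetes.io/kubelet-serving
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF
}

# Usage (after sourcing this file):
#   csr_manifest testing.csr testing-csr > testing-csr.yaml
```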

  1. Apply the CSR:
oc apply -f testing-csr.yaml
  1. Approve the CSR:
oc adm certificate approve testing-csr
  1. Get the certificate:
oc get csr testing-csr -o jsonpath='{.status.certificate}'| base64 -d
  1. Decode the certificate and look at the Expires field: