====== TLS ======
==== ВВЕДЕНИЕ ====
В TLS используются два типа ключей - ''public'' и ''private''.
''private'' ключ всегда остается у владельца и не разглашается.
==== KEYS ====
* Certificate (Public Key): *.crt, *.pem
* Private Key: *.key, *-key.pem
==== OPENSSL ====
Generate a private key:
$ openssl genrsa -out my-bank.key 2048
Generate a public key (lock):
$ openssl rsa -in my-bank.key -pubout > mybank.pem
Request CSR (CSR is like a certificate but without a signature):
$ openssl req -new -key my-bank.key \
-out my-bank.csr -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com"
==== GENERATING CERTIFICATES FOR K8S ====
''CA''
$ openssl genrsa -out ca.key 2048 # Generate private key for CA
$ openssl req -new -key ca.key -subj "/CN=KUBERNETES-CA" -out ca.csr # Generate CSR
$ openssl x509 -req -in ca.csr -signkey ca.key -days 365 -out ca.crt # Self sign using priv key
''Admin user''
$ openssl genrsa -out admin.key 2048 # Private key for Admin user
$ openssl req -new -key admin.key -subj "/CN=kube-admin" -out admin.csr # Generate CSR
$ openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key \
-set_serial 1000 -out admin.crt # Sign using CA
==== CHECKING CERTIFICATES ====
$ openssl x509 -noout -subject -in ca.crt # Check CN in certificate
$ openssl req -text -noout -verify -in ca.csr # Check CSR details
$ openssl x509 -text -noout -in ca.crt # Check certificate details