====== TLS ====== ==== ВВЕДЕНИЕ ==== В TLS используются два типа ключей - ''public'' и ''private''. ''private'' ключ всегда остается у владельца и не разглашается. ==== KEYS ==== * Certificate (Public Key): *.crt, *.pem * Private Key: *.key, *-key.pem ==== OPENSSL ==== Generate a private key: $ openssl genrsa -out my-bank.key 2048 Generate a public key (lock): $ openssl rsa -in my-bank.key -pubout > mybank.pem Request CSR (CSR is like a certificate but without a signature): $ openssl req -new -key my-bank.key \ -out my-bank.csr -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com" ==== GENERATING CERTIFICATES FOR K8S ==== ''CA'' $ openssl genrsa -out ca.key 2048 # Generate private key for CA $ openssl req -new -key ca.key -subj "/CN=KUBERNETES-CA" -out ca.csr # Generate CSR $ openssl x509 -req -in ca.csr -signkey ca.key -days 365 -out ca.crt # Self sign using priv key ''Admin user'' $ openssl genrsa -out admin.key 2048 # Private key for Admin user $ openssl req -new -key admin.key -subj "/CN=kube-admin" -out admin.csr # Generate CSR $ openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key \ -set_serial 1000 -out admin.crt # Sign using CA ==== CHECKING CERTIFICATES ==== $ openssl x509 -noout -subject -in ca.crt # Check CN in certificate $ openssl req -text -noout -verify -in ca.csr # Check CSR details $ openssl x509 -text -noout -in ca.crt # Check certificate details