В TLS используются два типа ключей - public и private.
private ключ всегда остается у владельца и не разглашается.
Generate a private key:
$ openssl genrsa -out my-bank.key 2048
Generate a public key (lock):
$ openssl rsa -in my-bank.key -pubout > mybank.pem
Request CSR (CSR is like a certificate but without a signature):
$ openssl req -new -key my-bank.key \ -out my-bank.csr -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com"
CA
$ openssl genrsa -out ca.key 2048 # Generate private key for CA $ openssl req -new -key ca.key -subj "/CN=KUBERNETES-CA" -out ca.csr # Generate CSR $ openssl x509 -req -in ca.csr -signkey ca.key -days 365 -out ca.crt # Self sign using priv key
Admin user
$ openssl genrsa -out admin.key 2048 # Private key for Admin user $ openssl req -new -key admin.key -subj "/CN=kube-admin" -out admin.csr # Generate CSR $ openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key \ -set_serial 1000 -out admin.crt # Sign using CA
$ openssl x509 -noout -subject -in ca.crt # Check CN in certificate $ openssl req -text -noout -verify -in ca.csr # Check CSR details $ openssl x509 -text -noout -in ca.crt # Check certificate details