
6.05 TLS Certificate Creation (Manual Setup - Hardway)

1️⃣ Overview

Kubernetes uses mutual TLS (mTLS) between:

  • API Server
  • ETCD
  • Kubelet
  • Scheduler
  • Controller Manager
  • Kube Proxy
  • Admin users

To secure communication, we generate three kinds of certificate:

Type                 Purpose
CA certificate       Signs all other certificates
Client certificates  Authenticate components and users to servers
Server certificates  Secure HTTPS endpoints

2️⃣ Step 1: Create the Certificate Authority (CA)

Generate CA Private Key

openssl genrsa -out ca.key 2048

Generate CA CSR (Certificate Signing Request)

openssl req -new -key ca.key -subj "/CN=KUBERNETES-CA" -out ca.csr

Self-Sign CA Certificate

openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -out ca.crt

The -days flag sets the validity period; without it, openssl issues a certificate that expires after 30 days.

Danger

ca.key is the most sensitive file in your cluster.
If it is compromised, anyone holding it can issue certificates the whole cluster trusts, and every certificate it signed must be reissued from a new CA.


3️⃣ Step 2: Generate Client Certificates

Admin User

openssl genrsa -out admin.key 2048
openssl req -new -key admin.key -subj "/CN=kube-admin/O=system:masters" -out admin.csr
openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -out admin.crt

Note

Kubernetes takes the username from the certificate's CN and the group memberships from its O (Organization) fields; the OU field is ignored. The group system:masters is bound to the cluster-admin role by default, so this certificate grants full admin privileges via RBAC.


System Components

Use CN format:

CN=system:<component-name>

Example:

-subj "/CN=system:kube-scheduler"

Generate similarly for:

  • kube-scheduler (CN=system:kube-scheduler)
  • kube-controller-manager (CN=system:kube-controller-manager)
  • kube-proxy (CN=system:kube-proxy)

4️⃣ Step 3: Generate ETCD Server Certificate

openssl genrsa -out etcd-server.key 2048
openssl req -new -key etcd-server.key -subj "/CN=etcd-server" -out etcd-server.csr
openssl x509 -req -in etcd-server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -out etcd-server.crt

The API server connects to etcd by hostname or IP, so this certificate also needs subjectAltName entries for the addresses etcd listens on; use the same openssl.cnf pattern as Step 4.

5️⃣ Step 4: Generate kube-apiserver Certificate (with SAN, Subject Alternative Name)

Create openssl.cnf:

[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[req_distinguished_name]

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
IP.1 = 10.96.0.1
IP.2 = <API_SERVER_IP>

Generate key:

openssl genrsa -out apiserver.key 2048

Generate CSR:

openssl req -new -key apiserver.key -subj "/CN=kube-apiserver" -out apiserver.csr -config openssl.cnf

Sign certificate:

openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -out apiserver.crt -extensions v3_req -extfile openssl.cnf

Warning

Missing SAN entries will cause TLS validation failures: clients check the hostname or IP they connected to against the SAN list, and the CN is not used for that check, so any name or address absent from [alt_names] makes the connection fail.


6️⃣ Step 5: Generate Kubelet Certificates (Per Node)

Node format:

CN=system:node:<node-name>
O=system:nodes

Example:

-subj "/CN=system:node:node01/O=system:nodes"

Each node must have its own certificate and key; the API server's Node authorizer identifies the kubelet by this CN and only grants it access to objects belonging to its own node.
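The following Go program is an added example and is not part of this page or of any Kubernetes project code. It reproduces Steps 1, 2, 4 and 5 in memory with Go's crypto/x509 package (the TLS stack kube-apiserver and kubelet are built on) and then performs the two checks the Note in Step 2 and the Warning in Step 4 describe: verifying the API server certificate against the name a client dialed, and mapping a client certificate's CN and O to a Kubernetes user and groups. The API server address 192.0.2.10 and the node name node01 are constructed sample values standing in for <API_SERVER_IP> and <node-name>; keys are ECDSA P-256 rather than RSA 2048 so the run is fast, which the page's best practices allow.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// PKI is the in-memory equivalent of ca.crt/ca.key, apiserver.crt, admin.crt and one node's kubelet cert.
type PKI struct {
	CA, APIServer, Admin, Kubelet *x509.Certificate
	caKey                         *ecdsa.PrivateKey
}

// issue plays the role of `openssl x509 -req -CA ca.crt -CAkey ca.key`: generate the key (ECDSA P-256
// here; the page allows RSA 2048+ or ECDSA), fill in serial and validity, sign tmpl with the CA.
func (p *PKI) issue(tmpl *x509.Certificate) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // unique enough for a demo
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(365 * 24 * time.Hour) // set explicitly; openssl's default is 30 days
	parent, signer := p.CA, p.caKey
	if tmpl.IsCA { // Step 1: the root signs itself and its key becomes ca.key
		parent, signer, p.caKey = tmpl, key, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// clientTmpl is the subject shape the page uses for users and components:
// CN becomes the Kubernetes username, O (not OU) becomes its groups.
func clientTmpl(cn, group string) *x509.Certificate {
	return &x509.Certificate{
		Subject:     pkix.Name{CommonName: cn, Organization: []string{group}},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
}

// BuildPKI runs Steps 1, 2, 4 and 5 in memory. apiServerIP and nodeName are the
// values the page leaves as <API_SERVER_IP> and <node-name>.
func BuildPKI(apiServerIP, nodeName string) (p *PKI, err error) {
	apiIP := net.ParseIP(apiServerIP)
	if apiIP == nil { // an unfilled placeholder must not silently yield a cert lacking that SAN
		return nil, fmt.Errorf("API server address %q is not an IP address", apiServerIP)
	}
	p = &PKI{}
	p.CA, err = p.issue(&x509.Certificate{
		Subject: pkix.Name{CommonName: "KUBERNETES-CA"},
		IsCA:    true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign})
	if err != nil {
		return nil, err
	}
	p.APIServer, err = p.issue(&x509.Certificate{ // Step 4: the [alt_names] block as SANs
		Subject:     pkix.Name{CommonName: "kube-apiserver"},
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:    []string{"kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster.local"},
		IPAddresses: []net.IP{net.ParseIP("10.96.0.1"), apiIP}})
	if err != nil {
		return nil, err
	}
	if p.Admin, err = p.issue(clientTmpl("kube-admin", "system:masters")); err != nil { // Step 2
		return nil, err
	}
	p.Kubelet, err = p.issue(clientTmpl("system:node:"+nodeName, "system:nodes")) // Step 5
	return p, err
}

// verify chains leaf to ca.crt for the given extended key usage; a non-empty host must also be in the SAN list.
func verify(leaf, ca *x509.Certificate, host string, eku x509.ExtKeyUsage) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// VerifyServer is the check kubectl or a kubelet performs when it dials the API server.
func VerifyServer(leaf, ca *x509.Certificate, host string) error {
	return verify(leaf, ca, host, x509.ExtKeyUsageServerAuth)
}

// AuthenticateClient is what the API server's x509 authenticator does: verify the chain,
// then read CN as the user and O as the groups that RBAC bindings refer to.
func AuthenticateClient(leaf, ca *x509.Certificate) (user string, groups []string, err error) {
	if err = verify(leaf, ca, "", x509.ExtKeyUsageClientAuth); err != nil {
		return "", nil, err
	}
	return leaf.Subject.CommonName, leaf.Subject.Organization, nil
}
```

VerifyServer succeeds for every name and IP listed in [alt_names] and fails for any other name, which is the failure the Step 4 Warning describes; AuthenticateClient returns kube-admin in group system:masters for the admin certificate and system:node:node01 in group system:nodes for the kubelet certificate, and rejects a certificate issued by a different CA or one carrying the wrong extended key usage.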


7️⃣ Production Best Practices

✅ DO

Success

  • Protect ca.key with permissions 600
  • Use separate CA for ETCD
  • Automate certificate rotation
  • Use 2048-bit+ RSA or ECDSA
  • Rotate certificates before expiry
  • Back up the CA securely offline

❌ DON'T

Danger

  • Do NOT expose CA private key
  • Do NOT commit keys to Git
  • Do NOT reuse admin cert for automation
  • Do NOT skip SAN configuration
  • Do NOT use expired certificates

🎯 Summary

  • Generate CA first
  • Generate client certificates
  • Generate server certificates
  • Configure SAN correctly
  • Protect private keys strictly
  • Automate renewal in production

Quote

Certificate management is the backbone of Kubernetes security.