diff --git a/docs/04-certificate-authority.md b/docs/04-certificate-authority.md
index 6bbb495..6bf2175 100644
--- a/docs/04-certificate-authority.md
+++ b/docs/04-certificate-authority.md
@@ -54,7 +54,7 @@ openssl genrsa -out admin.key 2048
 openssl req -new -key admin.key -subj "/CN=admin/O=system:masters" -out admin.csr
 # Sign certificate for admin user using CA servers private key
-openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out admin.crt
+openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out admin.crt -days 1000
 ```
 Note that the admin user is part of the **system:masters** group. This is how we are able to perform any administrative operations on Kubernetes cluster using kubectl utility.
@@ -80,7 +80,7 @@ Generate the `kube-controller-manager` client certificate and private key:
 ```
 openssl genrsa -out kube-controller-manager.key 2048
 openssl req -new -key kube-controller-manager.key -subj "/CN=system:kube-controller-manager" -out kube-controller-manager.csr
-openssl x509 -req -in kube-controller-manager.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kube-controller-manager.crt
+openssl x509 -req -in kube-controller-manager.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kube-controller-manager.crt -days 1000
 ```
 Results:
@@ -99,7 +99,7 @@ Generate the `kube-proxy` client certificate and private key:
 ```
 openssl genrsa -out kube-proxy.key 2048
 openssl req -new -key kube-proxy.key -subj "/CN=system:kube-proxy" -out kube-proxy.csr
-openssl x509 -req -in kube-proxy.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kube-proxy.crt
+openssl x509 -req -in kube-proxy.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kube-proxy.crt -days 1000
 ```
 Results:
@@ -118,7 +118,7 @@ Generate the `kube-scheduler` client certificate and private key:
 ```
 openssl genrsa -out kube-scheduler.key 2048
 openssl req -new -key kube-scheduler.key -subj "/CN=system:kube-scheduler" -out kube-scheduler.csr
-openssl x509 -req -in kube-scheduler.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kube-scheduler.crt
+openssl x509 -req -in kube-scheduler.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kube-scheduler.crt -days 1000
 ```
 Results:
@@ -162,7 +162,7 @@ Generates certs for kube-apiserver
 ```
 openssl genrsa -out kube-apiserver.key 2048
 openssl req -new -key kube-apiserver.key -subj "/CN=kube-apiserver" -out kube-apiserver.csr -config openssl.cnf
-openssl x509 -req -in kube-apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kube-apiserver.crt -extensions v3_req -extfile openssl.cnf
+openssl x509 -req -in kube-apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kube-apiserver.crt -extensions v3_req -extfile openssl.cnf -days 1000
 ```
 Results:
@@ -200,14 +200,14 @@ Generates certs for ETCD
 ```
 openssl genrsa -out etcd-server.key 2048
 openssl req -new -key etcd-server.key -subj "/CN=etcd-server" -out etcd-server.csr -config openssl-etcd.cnf
-openssl x509 -req -in etcd-server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out etcd-server.crt -extensions v3_req -extfile openssl-etcd.cnf
+openssl x509 -req -in etcd-server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out etcd-server.crt -extensions v3_req -extfile openssl-etcd.cnf -days 1000
 ```
 Results:
 ```
-kube-apiserver.crt
-kube-apiserver.key
+etcd-server.key
+etcd-server.crt
 ```
 ## The Service Account Key Pair
@@ -219,7 +219,7 @@ Generate the `service-account` certificate and private key:
 ```
 openssl genrsa -out service-account.key 2048
 openssl req -new -key service-account.key -subj "/CN=service-accounts" -out service-account.csr
-openssl x509 -req -in service-account.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out service-account.crt
+openssl x509 -req -in service-account.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out service-account.crt -days 1000
 ```
 Results: