# Setting up a Certificate Authority and Creating TLS Certificates

In this lab you will set up the necessary PKI infrastructure to secure the Kubernetes components. This lab will leverage CloudFlare's PKI toolkit, [cfssl](https://github.com/cloudflare/cfssl), to bootstrap a Certificate Authority and generate TLS certificates to secure the following Kubernetes components:

* etcd
* kube-apiserver
* kubelet
* kube-proxy

After completing this lab you should have the following TLS keys and certificates:

```
admin.pem
admin-key.pem
ca-key.pem
ca.pem
kubernetes-key.pem
kubernetes.pem
kube-proxy.pem
kube-proxy-key.pem
```

## Install CFSSL

This lab requires the `cfssl` and `cfssljson` binaries. Download them from the [cfssl repository](https://pkg.cfssl.org).

### OS X

```
wget https://pkg.cfssl.org/R1.2/cfssl_darwin-amd64 && \
  chmod +x cfssl_darwin-amd64 && \
  sudo mv cfssl_darwin-amd64 /usr/local/bin/cfssl
```

```
wget https://pkg.cfssl.org/R1.2/cfssljson_darwin-amd64 && \
  chmod +x cfssljson_darwin-amd64 && \
  sudo mv cfssljson_darwin-amd64 /usr/local/bin/cfssljson
```

### Linux

```
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 && \
  chmod +x cfssl_linux-amd64 && \
  sudo mv cfssl_linux-amd64 /usr/local/bin/cfssl
```

```
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 && \
  chmod +x cfssljson_linux-amd64 && \
  sudo mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
```

## Set up a Certificate Authority

Create a CA configuration file:

```
cat > ca-config.json < ca-csr.json < admin-csr.json < kube-proxy-csr.json < kubernetes-csr.json <
```
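
A post-lab check, added here as an example and not part of the original lab: it confirms that the eight files listed at the top exist, that no private key is accessible to group or other, and (with `openssl` installed) that each certificate verifies against `ca.pem` and matches its key. The function names and the permission policy are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the directory holding the lab's output. File names are
# the eight listed at the top of this lab; function names are hypothetical.
PKI_NAMES="admin ca kubernetes kube-proxy"

# check_files DIR: every cert/key pair exists and is non-empty, and no private
# key has any group/other permission bit set. Prints one line per finding.
check_files() {
  dir=$1 rc=0
  for n in $PKI_NAMES; do
    for f in "$dir/$n.pem" "$dir/$n-key.pem"; do
      [ -s "$f" ] || { echo "MISSING $f"; rc=1; }
    done
    key="$dir/$n-key.pem"
    [ -f "$key" ] || continue
    loose=$(find "$key" \( -perm -040 -o -perm -020 -o -perm -010 \
                        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -z "$loose" ] || { echo "LOOSE-PERMS $key"; rc=1; }
  done
  return $rc
}

# check_chain DIR: each leaf certificate verifies against ca.pem, and every
# certificate's public key equals the one derived from its private key.
check_chain() {
  dir=$1 rc=0
  for n in admin kubernetes kube-proxy; do
    openssl verify -CAfile "$dir/ca.pem" "$dir/$n.pem" >/dev/null 2>&1 ||
      { echo "UNTRUSTED $dir/$n.pem"; rc=1; }
  done
  for n in $PKI_NAMES; do
    cert_pub=$(openssl x509 -in "$dir/$n.pem" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$dir/$n-key.pem" -pubout 2>/dev/null) || key_pub=
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
      { echo "KEY-MISMATCH $dir/$n"; rc=1; }
  done
  return $rc
}

# Run both checks when a directory is given, e.g.: sh audit.sh .
if [ -n "${1:-}" ]; then
  check_files "$1" && check_chain "$1"
fi
```
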