openssl x509 -in <certificate to check> -purpose -noout -text
Nathan
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
So, when I compare this to the certificate that my minikube installation uses, the SSL Client part is missing and should probably be set to yes.
I cannot compare it to the certificate automatically added to my kubectl config file when creating the cluster because I have no idea how to make a valid certificate ASCII file from the stuff in the kubectl config.
So the question was, how can I create a certificate / certificate request / key?
It turned out to be
cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: $CERTIFICATE_NAME
spec:
  groups:
  - system:authenticated
  request: $(cat $CSR_FILE | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF
Where the last line "client auth" used to be "server auth" before.
With client auth it works now! Thanks for the hint.
Henning
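
Added example, not part of the original thread: a kubeconfig stores the client certificate as base64-encoded PEM in `client-certificate-data`, so it can be decoded and run through the same `-purpose` check to see whether "SSL client" is set. The function names and the throwaway sample certificates are constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from the thread. Needs openssl, base64, sed.

# Decode the first client-certificate-data entry of a kubeconfig to PEM.
kubeconfig_client_cert() {
    sed -n 's/^[[:space:]]*client-certificate-data:[[:space:]]*//p' "$1" |
        head -n 1 | base64 -d
}

# Print the Yes/No value of one row of `openssl x509 -purpose`,
# e.g. cert_purpose cert.pem "SSL client".
cert_purpose() {
    openssl x509 -in "$1" -purpose -noout | sed -n "s/^$2 : //p"
}

# Constructed sample input: a throwaway self-signed certificate with the given
# extendedKeyUsage, wrapped in a minimal kubeconfig-style user entry.
make_sample_kubeconfig() {  # $1 = output dir, $2 = serverAuth | clientAuth
    cat > "$1/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = constructed-example
[ext]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    printf 'users:\n- name: sample\n  user:\n    client-certificate-data: %s\n' \
        "$(base64 < "$1/cert.pem" | tr -d '\n')" > "$1/kubeconfig-$2"
}

# Report the "SSL client" purpose of the client certificate in a kubeconfig.
kubeconfig_ssl_client() {  # $1 = kubeconfig path
    pem=$(mktemp)
    kubeconfig_client_cert "$1" > "$pem"
    cert_purpose "$pem" "SSL client"
    rm -f "$pem"
}

dir=$(mktemp -d)
for eku in serverAuth clientAuth; do
    make_sample_kubeconfig "$dir" "$eku"
    echo "$eku: SSL client = $(kubeconfig_ssl_client "$dir/kubeconfig-$eku")"
done
rm -rf "$dir"
```

A certificate issued with only "server auth" reports `SSL client : No`, which matches the output quoted above; one issued with "client auth" reports `Yes`.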