Create TLS Certificate and Private Key
======================================

.. tabs::

    .. group-tab:: Self-signed Certificate

        For demonstration purposes we will use a TLS certificate signed by a made-up,
        `self-signed <https://cert-manager.io/docs/faq/terminology/#what-does-self-signed-mean-is-my-ca-self-signed>`_
        certificate authority (CA). One easy way to do this is with `mkcert <https://github.com/FiloSottile/mkcert>`_.
        We want a certificate that will validate ``bookinfo.cilium.rocks`` and
        ``hipstershop.cilium.rocks``, as these are the host names used in this example.

        .. code-block:: shell-session

            $ mkcert bookinfo.cilium.rocks hipstershop.cilium.rocks
            Note: the local CA is not installed in the system trust store.
            Run "mkcert -install" for certificates to be trusted automatically ⚠️

            Created a new certificate valid for the following names 📜
             - "bookinfo.cilium.rocks"
             - "hipstershop.cilium.rocks"

            The certificate is at "./bookinfo.cilium.rocks+1.pem" and the key at "./bookinfo.cilium.rocks+1-key.pem" ✅

            It will expire on 29 November 2026 🗓

        Create a Kubernetes secret with this demo key and certificate:

        .. code-block:: shell-session

            $ kubectl create secret tls demo-cert --key=bookinfo.cilium.rocks+1-key.pem --cert=bookinfo.cilium.rocks+1.pem

    .. group-tab:: cert-manager

        Let us install cert-manager:

        .. code-block:: shell-session

            $ helm repo add jetstack https://charts.jetstack.io
            $ helm install cert-manager jetstack/cert-manager --version v1.10.0 \
                --namespace cert-manager \
                --set installCRDs=true \
                --create-namespace \
                --set "extraArgs={--feature-gates=ExperimentalGatewayAPISupport=true}"

        Now, create a CA Issuer:

        .. parsed-literal::

            $ kubectl apply -f \ |SCM_WEB|\/examples/kubernetes/servicemesh/ca-issuer.yaml
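For the self-signed tab, a pre-flight check that can be run before ``kubectl create secret tls``: it confirms the certificate covers every host name the example needs and that the key belongs to the certificate. This is an added example, not part of the Cilium documentation; the function names are hypothetical and it assumes the ``openssl`` CLI is on ``PATH``.

```shell
#!/bin/sh
# Pre-flight check for a TLS key pair before loading it into a Kubernetes
# secret. Added example: function names are hypothetical; assumes the
# openssl CLI is installed.

# cert_covers_host CERT HOST
# Succeeds only if OpenSSL's own host name matching accepts HOST for CERT
# (subjectAltName entries, including wildcard rules).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 |
        grep -q "does match certificate"
}

# key_matches_cert CERT KEY
# Succeeds only if KEY is the private key for CERT, by comparing the public
# key extracted from each file.
key_matches_cert() {
    kmc_cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    kmc_key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$kmc_cert_pub" ] && [ "$kmc_cert_pub" = "$kmc_key_pub" ]
}

# preflight CERT KEY HOST...
# Prints one line per problem found and returns non-zero if there is any.
preflight() {
    pf_cert=$1
    pf_key=$2
    pf_rc=0
    shift 2
    key_matches_cert "$pf_cert" "$pf_key" ||
        { echo "key does not match certificate"; pf_rc=1; }
    for pf_host in "$@"; do
        cert_covers_host "$pf_cert" "$pf_host" ||
            { echo "not covered: $pf_host"; pf_rc=1; }
    done
    return "$pf_rc"
}

# Script usage: ./preflight.sh CERT KEY HOST [HOST...]
# e.g. ./preflight.sh bookinfo.cilium.rocks+1.pem bookinfo.cilium.rocks+1-key.pem \
#          bookinfo.cilium.rocks hipstershop.cilium.rocks
if [ "$#" -ge 3 ]; then
    preflight "$@"
fi
```

A non-zero exit means the secret would hold a certificate that clients reject for at least one of the listed hosts, or a key that does not pair with it.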