sigs.k8s.io/cluster-api@v1.7.1/docs/book/src/tasks/certs/using-custom-certificates.md

## Using Custom Certificates

Cluster API expects the certificates and keys used for bootstrapping to follow the convention below. CABPK (the Cluster API bootstrap provider for kubeadm) generates new certificates following this convention if they do not already exist, so anything you want to control must be in place before the cluster is created.

Each certificate must be stored in its own secret, named one of the following. In the Type column, "CA" means a self-signed CA certificate in `tls.crt` with its private key in `tls.key`; "Key Pair" means a private key in `tls.key` and the matching public key (not a certificate) in `tls.crt`.

| Name | Type | Example |
| ---------------------- | -------- | ------------------------------------------------------------ |
| *[cluster name]***-ca** | CA | `openssl req -x509 -subj "/CN=Kubernetes API" -new -newkey rsa:2048 -nodes -keyout tls.key -sha256 -days 3650 -out tls.crt` |
| *[cluster name]***-etcd** | CA | `openssl req -x509 -subj "/CN=ETCD CA" -new -newkey rsa:2048 -nodes -keyout tls.key -sha256 -days 3650 -out tls.crt` |
| *[cluster name]***-proxy** | CA | `openssl req -x509 -subj "/CN=Front-End Proxy" -new -newkey rsa:2048 -nodes -keyout tls.key -sha256 -days 3650 -out tls.crt` |
| *[cluster name]***-sa** | Key Pair | `openssl genrsa -out tls.key 2048 && openssl rsa -in tls.key -pubout -out tls.crt` |

The secrets *must* also be labeled with the key-value pair `cluster.x-k8s.io/cluster-name=[cluster name]` (where `[cluster name]` is the name of the cluster they should be used with); a secret with the right name but without the label is not picked up.

<aside class="note warning">

<h1>CA Key Age</h1>

Rotating CA certificates is non-trivial. It is recommended either to create a long-lived CA, or to keep a long-lived root CA offline and hand the cluster a short-lived intermediate CA issued from it.

</aside>

**Example**
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: cluster1-ca
  labels:
    cluster.x-k8s.io/cluster-name: cluster1
type: kubernetes.io/tls
data:
  tls.crt: <base 64 encoded PEM>
  tls.key: <base 64 encoded PEM>
```
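The same convention expressed with Go's standard library, as an added example that is not part of the Cluster API project or CABPK: `caCert` produces what the three `openssl req -x509` rows produce (a self-signed CA certificate with `CA:TRUE`), `saPublicKey` produces what `openssl rsa -pubout` produces for the `-sa` row, `newSecret` packages each pair under the required name and label, and `checkSecret` is a pre-flight check you can run before `kubectl apply` to catch the usual mistakes (missing label, a certificate in the `-sa` slot, a `tls.crt` that does not belong to `tls.key`). The `Secret` struct, the function names and the pre-flight check are this example's own assumptions; CABPK does not run such a check for you.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

const clusterNameLabel = "cluster.x-k8s.io/cluster-name"

// Secret stands in for the corev1.Secret fields the convention uses (an assumption of
// this example so it builds without k8s.io/api); the type is always kubernetes.io/tls.
type Secret struct {
	Name   string
	Labels map[string]string
	Data   map[string][]byte // raw PEM; kubectl and the API server base64-encode it
}

// caCert is the stdlib equivalent of the `openssl req -x509 ...` rows: self-signed,
// the given CN, SHA-256, 3650 days, CA:TRUE so the certificate may issue leaf certs.
func caCert(key *rsa.PrivateKey, commonName string) ([]byte, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(3650 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// saPublicKey mirrors `openssl rsa -pubout`: the -sa secret's tls.crt is a PKIX public key, not a certificate.
func saPublicKey(key *rsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), err
}

// newSecret packages tls.crt and the PKCS#1 private key under the name and label the convention requires.
func newSecret(cluster, suffix string, key *rsa.PrivateKey, crt []byte) *Secret {
	return &Secret{
		Name:   cluster + "-" + suffix,
		Labels: map[string]string{clusterNameLabel: cluster},
		Data: map[string][]byte{
			"tls.crt": crt,
			"tls.key": pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}),
		},
	}
}

// checkSecret enforces the convention before `kubectl apply`: the label, both PEM
// entries, and tls.crt really belonging to tls.key.
func checkSecret(s *Secret, cluster string) error {
	if s.Labels[clusterNameLabel] != cluster {
		return fmt.Errorf("%s: missing label %s=%s", s.Name, clusterNameLabel, cluster)
	}
	keyBlock, _ := pem.Decode(s.Data["tls.key"])
	crtBlock, _ := pem.Decode(s.Data["tls.crt"])
	if keyBlock == nil || crtBlock == nil {
		return fmt.Errorf("%s: tls.crt and tls.key must both be PEM", s.Name)
	}
	priv, err := x509.ParsePKCS1PrivateKey(keyBlock.Bytes)
	if err != nil {
		return fmt.Errorf("%s: tls.key: %w", s.Name, err)
	}
	switch s.Name {
	case cluster + "-sa": // key pair: tls.crt must be the public half of tls.key
		pub, err := x509.ParsePKIXPublicKey(crtBlock.Bytes)
		if err != nil || !priv.PublicKey.Equal(pub) {
			return fmt.Errorf("%s: tls.crt is not the public key of tls.key", s.Name)
		}
	case cluster + "-ca", cluster + "-etcd", cluster + "-proxy": // CA: self-signed, CA:TRUE, same key
		cert, err := x509.ParseCertificate(crtBlock.Bytes)
		if err != nil || !cert.IsCA || cert.CheckSignatureFrom(cert) != nil || !priv.PublicKey.Equal(cert.PublicKey) {
			return fmt.Errorf("%s: tls.crt must be a self-signed CA certificate for tls.key", s.Name)
		}
	default:
		return fmt.Errorf("%s: name must be %s-{ca,etcd,proxy,sa}", s.Name, cluster)
	}
	return nil
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	crt, err := caCert(key, "Kubernetes API")
	if err != nil {
		panic(err)
	}
	s := newSecret("cluster1", "ca", key, crt)
	fmt.Println(s.Name, checkSecret(s, "cluster1")) // cluster1-ca <nil>
}
```

Two practical notes when creating these secrets with `kubectl` rather than from a manifest: `kubectl create secret tls` yields exactly the `kubernetes.io/tls` layout with `tls.crt`/`tls.key` and suits the three CA secrets, but it validates the pair as a certificate and key, so it rejects the `-sa` pair (whose `tls.crt` is a bare public key); create that one with `kubectl create secret generic <cluster>-sa --type=kubernetes.io/tls --from-file=tls.crt --from-file=tls.key`. Neither form adds the `cluster.x-k8s.io/cluster-name` label, so follow up with `kubectl label secret ...` or the check above fails for the right reason.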