We will now generate the root key and certificate, set up an intermediate certificate authority, and check its validity period:
- Create a root certificate:
$ kubectl -n step exec -t step-0 -- step certificate create --profile root-ca "My Root CA" root-ca.crt root-ca.key --no-password --insecure --force
Your certificate has been saved in root-ca.crt.
Your private key has been saved in root-ca.key.
Note that, for simplicity, we are not providing a password to encrypt the key. In real life, you should use a password or let step generate one for you. Protecting the private key is very important for root and intermediate certificates.
- Then, create an intermediate CA:
$ kubectl -n step exec -t step-0 -- step certificate create identity.linkerd.cluster.local identity.crt identity.key --profile intermediate-ca --ca ./root-ca.crt --ca-key ./root-ca.key --no-password --insecure --force
Your certificate has been saved in identity.crt.
Your private key has been saved in identity.key.
- Check the expiry date of the intermediate certificate:
$ kubectl -n step exec -t step-0 -- step certificate inspect identity.crt --short
X.509v3 Intermediate CA Certificate (ECDSA P-256) [Serial: 7456...1790]
Subject: identity.linkerd.cluster.local
Issuer: My Root CA
Valid from: 2019-08-11T14:27:14Z
to: 2029-08-08T14:27:14Z
Notice that the preceding certificate is valid for 10 years, which is the default. It can cost a lot of money to get an intermediate certificate from a trusted CA, and generally, a CA issues leaf X.509 certificates, which have a much shorter lifespan.
- Copy the certificates from the pod, as we did not use a persistent volume when installing the step Helm chart:
$ kubectl -n step cp step-0:root-ca.crt /tmp/root-ca.crt
$ kubectl -n step cp step-0:identity.crt /tmp/identity.crt
$ kubectl -n step cp step-0:identity.key /tmp/identity.key
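Before handing the copied intermediate to Linkerd, it is worth checking it programmatically rather than by eye. The following is an added example (not part of the original text or the step project): it parses the `step certificate inspect --short` output shown above, confirms the subject and issuer, confirms it is an intermediate CA, and computes the remaining validity against a reference time. It assumes GNU `date` (`date -d`); the embedded sample output and the 365-day minimum are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: sanity-check `step certificate inspect <cert> --short` output
# (subject, issuer, CA type, validity window) before using the intermediate.
# Assumes GNU date for ISO-8601 parsing.
set -u

# Constructed sample: the inspect output shown earlier in this section.
SAMPLE_INSPECT='X.509v3 Intermediate CA Certificate (ECDSA P-256) [Serial: 7456...1790]
Subject: identity.linkerd.cluster.local
Issuer: My Root CA
Valid from: 2019-08-11T14:27:14Z
to: 2029-08-08T14:27:14Z'

# field <inspect-output> <label>  -> value following "<label>:", trimmed
field() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# check_ca_cert <inspect-output> <expected-subject> <expected-issuer> <now-iso> <min-days>
# Prints a one-line verdict; returns 0 if every check passes, 1 otherwise.
check_ca_cert() {
  local out=$1 want_subj=$2 want_iss=$3 now=$4 min_days=$5
  local subj iss from to now_s from_s to_s left_days
  printf '%s\n' "$out" | head -n 1 | grep -q 'Intermediate CA Certificate' \
    || { echo "not an intermediate CA certificate"; return 1; }
  subj=$(field "$out" Subject); iss=$(field "$out" Issuer)
  [ "$subj" = "$want_subj" ] || { echo "unexpected subject: $subj"; return 1; }
  [ "$iss" = "$want_iss" ]   || { echo "unexpected issuer: $iss"; return 1; }
  from=$(field "$out" 'Valid from'); to=$(field "$out" to)
  now_s=$(date -u -d "$now" +%s); from_s=$(date -u -d "$from" +%s); to_s=$(date -u -d "$to" +%s)
  [ "$now_s" -ge "$from_s" ] || { echo "not yet valid (from $from)"; return 1; }
  left_days=$(( (to_s - now_s) / 86400 ))
  [ "$left_days" -ge "$min_days" ] \
    || { echo "only $left_days day(s) left, below minimum $min_days"; return 1; }
  echo "ok: $subj issued by $iss, $left_days day(s) of validity left"
  return 0
}

# Usage against the sample, evaluated the day after issuance:
check_ca_cert "$SAMPLE_INSPECT" identity.linkerd.cluster.local "My Root CA" 2019-08-12T00:00:00Z 365
```

In a real pipeline, feed it the live output of `kubectl -n step exec -t step-0 -- step certificate inspect identity.crt --short` and today's date instead of the constructed sample.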
The preceding method using smallstep for creating certificates is simple and easy. However, we can obtain trusted certificates from commercial providers as well.