21
votes

The documentation does not specify how to add an intermediate SSL certificate: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls

I suppose the next step would be to read the Kubernetes source code.


4 Answers

12
votes

It has to be appended to the certificate value. Just like nginx.

11
votes

If you add multiple certificates to the tls.crt key in the Kubernetes TLS Ingress configuration, do it like this:

-----BEGIN CERTIFICATE-----
<put your server certificate value in a single line>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<put your intermediate certificate value in a single line>
-----END CERTIFICATE-----

Otherwise, you'll get an error in SSL cert chain validation.

Always put main certificate first.

7
votes

Use this command to create a cert:

kubectl create secret generic tlscert-with-ca --from-file=tls.crt=your_cert.crt --from-file=tls.key=your_key.key --from-file=ca.crt=your_ca.crt

BTW, your_ca.crt could be an intermediate cert as well.

It works for me; the cert in nginx-ingress-controller should look like this:

-----BEGIN CERTIFICATE-----
your_cert
-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----
your_key
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
your_intermediate
-----END CERTIFICATE-----

Reference: official doc

1
votes

The intermediate SSL cert (ca.intermediate.crt) is included as a second cert in the k8s tls.crt field.

tls.crt includes three files separated by \n: server.crt, ca.intermediate.crt and ca.crt.

Here is an Ansible task that sets up the cert:

- hosts: localhost
  connection: local
  vars:
    wildcard_foo_com_ssl_tls_crt:
      - "{{ lookup('file', './ssl_certs/star_foo_com/server.crt') }}"
      - "{{ lookup('file', './ssl_certs/star_foo_com/ca.intermediate.crt') }}"
      - "{{ lookup('file', './ssl_certs/star_foo_com/ca.crt') }}"
    wildcard_foo_com_ssl_tls_key: "{{ lookup('file', './ssl_certs/star_foo_com/server.key') }}"

  tasks:
    - name: Set up foo.com Certs
      k8s:
        state: present
        definition:
          apiVersion: v1
          kind: Secret
          metadata:
            name: name-com-wildcard-foo-com
            namespace: prod
          type: kubernetes.io/tls
          data:
            # certificates are joined server-first, then base64-encoded as the Secret API requires
            tls.crt: "{{ wildcard_foo_com_ssl_tls_crt | join('\n') | b64encode }}"
            tls.key: "{{ wildcard_foo_com_ssl_tls_key | b64encode }}"
            # ca.crt: this key seems to be ignored
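The answers above all come down to the same rule: tls.crt holds the server certificate followed by the intermediate(s) as plain PEM CERTIFICATE blocks, and tls.key holds only the key. The following script is an added example, not code from the question or any answer: it joins the chain in that order, refuses a non-standard label like the INTERMEDIATE CERTIFICATE one shown earlier and refuses a private key in tls.crt, then builds the kubernetes.io/tls Secret. The PEM bodies, the Secret name and the namespace are constructed placeholders.

```python
import base64
import re

# Constructed placeholder PEM blocks (not real certificates or keys); the
# base64 bodies are arbitrary so the script runs offline.
LEAF_PEM = "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n"
INTERMEDIATE_PEM = "-----BEGIN CERTIFICATE-----\nSU5URVJN\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nS0VZ\n-----END RSA PRIVATE KEY-----\n"

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.+?\r?\n-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, block) pairs in order of appearance."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def build_tls_chain(*pems):
    """Join PEM certificates in the given order, server certificate first.
    Only standard CERTIFICATE blocks are accepted: a label such as
    'INTERMEDIATE CERTIFICATE' is non-standard, and a private key must never
    end up in tls.crt, which is sent to every client in the handshake."""
    blocks = []
    for pem in pems:
        found = pem_blocks(pem)
        if not found:
            raise ValueError("no PEM block found in input")
        for label, block in found:
            if label != "CERTIFICATE":
                raise ValueError(f"refusing non-certificate block in tls.crt: {label}")
            blocks.append(block)
    return "\n".join(blocks) + "\n"

def tls_secret(name, namespace, chain_pem, key_pem):
    """Build a kubernetes.io/tls Secret manifest; data fields are base64-encoded."""
    if not any(label.endswith("PRIVATE KEY") for label, _ in pem_blocks(key_pem)):
        raise ValueError("tls.key must contain a PRIVATE KEY block")
    enc = lambda s: base64.b64encode(s.encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/tls",
        "data": {"tls.crt": enc(chain_pem), "tls.key": enc(key_pem)},
    }

def secret_field(manifest, key):
    """Decode one data field of the Secret back to text, e.g. to inspect the chain order."""
    return base64.b64decode(manifest["data"][key]).decode()
```

Dump the returned dict with a YAML or JSON serializer and apply it with kubectl; the decoded tls.crt is exactly what the ingress controller writes to its combined PEM file, minus the key.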