Web Application in Kubernetes that users access over the internet

varunkumar inbaraj
4 min readMay 26, 2024

“Let’s assume you have received a PFX file and password from the certs management team.”

User Accesses Application:

Ingress controller

  • An Ingress controller is a specialized load balancer for Kubernetes, responsible for managing and routing external traffic to services within a Kubernetes cluster based on rules defined in Ingress resources.
  • It acts as a bridge between the external world and your Kubernetes cluster, enabling you to expose HTTP and HTTPS routes from outside the cluster to services inside the cluster.
  • Commonly used Ingress controllers include NGINX, HAProxy, Traefik, Istio.

TLS Termination at Ingress:

  • The Ingress controller uses the TLS certificate (tls.crt) to prove its identity to the user’s browser.
  • The browser and the Ingress controller establish an encrypted connection using the private key (tls.key) and public key from the certificate.
  • The Ingress controller decrypts incoming HTTPS requests and forwards them as HTTP requests to the appropriate service within the cluster.

Secure Communication Between Services:

  • If your application has multiple microservices, they can communicate securely using mutual TLS (mTLS), where both parties authenticate each other using their respective certificates and private keys.

1. Extract the certificate and keys from a .pfx file

Photo by Tierra Mallorca on Unsplash

What is PKCS#12 file

Extract the private key

Decrypt the private key

Extract the certificate

What is PKCS#12 file

A PKCS#12 file, also known as a PFX (Personal Information Exchange) file.

These objects typically include:

  1. Private Keys: The private key is a critical component of public key infrastructure (PKI), used for decrypting data and creating digital signatures.
  2. Public Certificates: These certificates contain the public key and the identity of the key owner, and are used to authenticate the identity of entities.
  3. Intermediate and Root Certificates: These are certificates that help form a chain of trust from the entity’s certificate back to a trusted root certificate.

The .pfx file contains the SSL certificate (public keys) and the corresponding private keys.

Sometimes, you might have to import the certificate and private keys separately in an unencrypted plain text format to use it on another system.

Typical Extensions

  • .p12: A common extension for PKCS#12 files.
  • .pfx: Another common extension, often used interchangeably with .p12.

Extract the private key

Suppose you have a PKCS#12 file named mycert.pfx, and you want to extract the private key to a file named private.key.

openssl pkcs12 -in mycert.pfx -nocerts -out private.key

Password Prompts

You will be prompted to type the import password. Type the password that you used to protect your keypair when you created the .pfx file. You will be prompted again to provide a new password to protect the .key file that you are creating.

Step-by-Step Explanation

Invoke OpenSSL and specify the pkcs12 command:

  • openssl pkcs12

Specify the input file:

  • -in mycert.pfx

Exclude certificates from the output:

  • -nocerts

Specify the output file for the private key:

  • -out private.key

Decrypt the private key

Suppose you have an encrypted RSA private key file named encrypted.key(private.key), and you want to decrypt it and save the result to decrypted.key

openssl rsa -in encrypted.key -out decrypted.key

Step-by-Step Explanation

Invoke OpenSSL and specify the rsa command:

  • openssl rsa

Specify the input encrypted private key file:

  • -in encrypted.key

Specify the output file for the decrypted private key:

  • -out decrypted.key

Password Prompts

When you run this command, you will be prompted to enter the password for the encrypted private key file. This is necessary to decrypt the key.

Extract the certificate

Suppose you have a PKCS#12 file named mycert.pfx, and you want to extract only the client certificate to a file named clientcert.crt.

openssl pkcs12 -in mycert.pfx -clcerts -nokeys -out clientcert.crt

Password Prompts

When you run this command, you will be prompted to enter the import password for the PKCS#12 file (if it is password-protected). This is necessary to decrypt the file and extract the required certificate.

Step-by-Step Explanation

Invoke OpenSSL and specify the pkcs12 command:

  • openssl pkcs12

Specify the input PKCS#12 file:

  • -in mycert.pfx

Include only client certificates (exclude CA certificates):

  • -clcerts

Exclude private keys from the output:

  • -nokeys

Specify the output file for the extracted certificate:

  • -out clientcert.crt

2. Base64 Encode the Private Key and Certificate

Kubernetes secrets require the content to be base64 encoded.

Encode the private key:

base64 -w 0 private.key > tls.key.base64

Encode the certificate:

base64 -w 0 cert.crt > tls.crt.base64

3. Implement in Kubernetes:

Create a Secret:

  • Store your TLS certificate and private key in a Kubernetes Secret.
  • tls.crt.base64 is BASE64_ENCODED_CERTIFICATE
  • tls.key.base64 is BASE64_ENCODED_PRIVATE_KEY
apiVersion: v1
kind: Secret
metadata:
name: tls-secret
namespace: your-namespace
type: kubernetes.io/tls
data:
tls.crt: BASE64_ENCODED_CERTIFICATE
tls.key: BASE64_ENCODED_PRIVATE_KEY

Configure Ingress Resource:

  • Configure an Ingress resource to use the secret for TLS termination.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: my-ingress
namespace: your-namespace
spec:
tls:
- hosts:
- yourapp.example.com
secretName: tls-secret
rules:
- host: yourapp.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: your-service
port:
number: 80

TLS certificates and private keys are essential for securing communication:

  • Ingress Traffic: Securely connect users to your applications using HTTPS.
  • Service-to-Service Communication: Securely transfer data between services within the cluster.

By using TLS, you ensure that data is encrypted and protected from unauthorized access, maintaining the privacy and integrity of the communication in your Kubernetes environment.

Refer: https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file

--

--