Web Application in Kubernetes that users access over the internet
“Let’s assume you have received a PFX file and password from the certs management team.”
User Accesses Application:
- A user visits
https://yourapp.example.com. - The user’s browser initiates a secure connection to your application’s Ingress controller.
Ingress controller
- An Ingress controller is a specialized load balancer for Kubernetes, responsible for managing and routing external traffic to services within a Kubernetes cluster based on rules defined in Ingress resources.
- It acts as a bridge between the external world and your Kubernetes cluster, enabling you to expose HTTP and HTTPS routes from outside the cluster to services inside the cluster.
- Commonly used Ingress controllers include NGINX, HAProxy, Traefik, Istio.
TLS Termination at Ingress:
- The Ingress controller uses the TLS certificate (tls.crt) to prove its identity to the user’s browser.
- The browser and the Ingress controller establish an encrypted connection using the private key (tls.key) and public key from the certificate.
- The Ingress controller decrypts incoming HTTPS requests and forwards them as HTTP requests to the appropriate service within the cluster.
Secure Communication Between Services:
- If your application has multiple microservices, they can communicate securely using mutual TLS (mTLS), where both parties authenticate each other using their respective certificates and private keys.
1. Extract the certificate and keys from a .pfx file
What is PKCS#12 file
Extract the private key
Decrypt the private key
Extract the certificate
What is PKCS#12 file
A PKCS#12 file, also known as a PFX (Personal Information Exchange) file.
These objects typically include:
- Private Keys: The private key is a critical component of public key infrastructure (PKI), used for decrypting data and creating digital signatures.
- Public Certificates: These certificates contain the public key and the identity of the key owner, and are used to authenticate the identity of entities.
- Intermediate and Root Certificates: These are certificates that help form a chain of trust from the entity’s certificate back to a trusted root certificate.
The .pfx file contains the SSL certificate (public keys) and the corresponding private keys.
Sometimes, you might have to import the certificate and private keys separately in an unencrypted plain text format to use it on another system.
Typical Extensions
- .p12: A common extension for PKCS#12 files.
- .pfx: Another common extension, often used interchangeably with .p12.
Extract the private key
Suppose you have a PKCS#12 file named mycert.pfx, and you want to extract the private key to a file named private.key.
openssl pkcs12 -in mycert.pfx -nocerts -out private.keyPassword Prompts
You will be prompted to type the import password. Type the password that you used to protect your keypair when you created the .pfx file. You will be prompted again to provide a new password to protect the .key file that you are creating.
Step-by-Step Explanation
Invoke OpenSSL and specify the pkcs12 command:
openssl pkcs12
Specify the input file:
-in mycert.pfx
Exclude certificates from the output:
-nocerts
Specify the output file for the private key:
-out private.key
Decrypt the private key
Suppose you have an encrypted RSA private key file named encrypted.key(private.key), and you want to decrypt it and save the result to decrypted.key
openssl rsa -in encrypted.key -out decrypted.keyStep-by-Step Explanation
Invoke OpenSSL and specify the rsa command:
openssl rsa
Specify the input encrypted private key file:
-in encrypted.key
Specify the output file for the decrypted private key:
-out decrypted.key
Password Prompts
When you run this command, you will be prompted to enter the password for the encrypted private key file. This is necessary to decrypt the key.
Extract the certificate
Suppose you have a PKCS#12 file named mycert.pfx, and you want to extract only the client certificate to a file named clientcert.crt.
openssl pkcs12 -in mycert.pfx -clcerts -nokeys -out clientcert.crtPassword Prompts
When you run this command, you will be prompted to enter the import password for the PKCS#12 file (if it is password-protected). This is necessary to decrypt the file and extract the required certificate.
Step-by-Step Explanation
Invoke OpenSSL and specify the pkcs12 command:
openssl pkcs12
Specify the input PKCS#12 file:
-in mycert.pfx
Include only client certificates (exclude CA certificates):
-clcerts
Exclude private keys from the output:
-nokeys
Specify the output file for the extracted certificate:
-out clientcert.crt
2. Base64 Encode the Private Key and Certificate
Kubernetes secrets require the content to be base64 encoded.
Encode the private key:
base64 -w 0 private.key > tls.key.base64Encode the certificate:
base64 -w 0 cert.crt > tls.crt.base643. Implement in Kubernetes:
Create a Secret:
- Store your TLS certificate and private key in a Kubernetes Secret.
- tls.crt.base64 is BASE64_ENCODED_CERTIFICATE
- tls.key.base64 is BASE64_ENCODED_PRIVATE_KEY
apiVersion: v1
kind: Secret
metadata:
name: tls-secret
namespace: your-namespace
type: kubernetes.io/tls
data:
tls.crt: BASE64_ENCODED_CERTIFICATE
tls.key: BASE64_ENCODED_PRIVATE_KEYConfigure Ingress Resource:
- Configure an Ingress resource to use the secret for TLS termination.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: my-ingress
namespace: your-namespace
spec:
tls:
- hosts:
- yourapp.example.com
secretName: tls-secret
rules:
- host: yourapp.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: your-service
port:
number: 80TLS certificates and private keys are essential for securing communication:
- Ingress Traffic: Securely connect users to your applications using HTTPS.
- Service-to-Service Communication: Securely transfer data between services within the cluster.
By using TLS, you ensure that data is encrypted and protected from unauthorized access, maintaining the privacy and integrity of the communication in your Kubernetes environment.
Refer: https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file
