Enrolling a Certificate
Enroll lets DevOps teams and application owners request a certificate for an application deployed in the desired Kubernetes cluster. The enrolled certificate can be delivered directly to a Kubernetes Secret or to the local volume of a Kubernetes pod (container).
Prerequisites:
- CA Integration done.
- CA Policy created.
- Certificate Groups created.
- Cluster Policy created.
- Issuer CA configured in KUBE+ and deployed in your cluster.
To enroll a certificate:
- Go to > > > .
- Click .
- On the Enroll Certificate page, enter/select the field information in the General Information section for the Cert resource to be created on the Kubernetes cluster.
Table 1. General Information Section - Field and Description Table

| Field | Description |
| --- | --- |
| Enroll Cert To | Select the endpoint where the cert is to be deployed. The options are: Secret: KUBE+ enrolls the certificate and stores the signed certificate and key in a K8s Secret. POD: KUBE+ has a CSI provider which provisions the certificate in the pod's local volume. |
| Format | The certificate file format that should be downloaded to the pod. The supported formats include PEM, PFX, P12, and JKS. |
| Encoding | The encoding type of the file content. Supported types include utf-8, hex, and base64. |
| File Name | The name of the certificate file to be created in the pod. |
| Password | If the certificate download is password-protected, provide the password. |
| Alias Name | The alias name in the keystore for the certificate file, when it is in JKS format. |
| Alias Password | The password for the alias. |
| Is CA Required | Download the trust store for the enrolled certificate. Setting this to "False" downloads only the leaf certificate. |
| Cluster | Select the cluster where the certificate is to be deployed from the dropdown list. |
| CA Setting Name | Select the certificate authority to be used for signing the CSR from the dropdown list. |
| Certificate Authority | The Certificate Authority used for certificate enrollment, as configured in the Cluster Policy. |
| Certificate Category | The type of certificate. The options include 'Client' and 'Server'. |
| Certificate Name | Enter a Certificate Name for certificate storage within the K8s cluster. |
| Namespace | The name of the namespace within the Kubernetes cluster where the secret is to be created. |
| Secret Name | Enter a Secret Name for certificate storage within the K8s cluster. |
| Enable Auto Renewal | Select an auto renewal option. The options are: False (default): certificates will not be automatically renewed prior to their expiration. True: certificates can be automatically renewed before they expire. |
| Renewal Policy | If Auto Renewal is set to "True", users have the option to renew certificates either by 'Regenerating a new key' or 'Renewing with the existing key'. |
| Renew Before 'X' days | Set the auto-renewal period prior to the certificate's expiration. |
| CSR Validity | The validity of the CSR in the cluster if it is not approved. The default is 24 hours. |
| Overwrite valid certificates | Replace existing valid certificates with the newly enrolled certificate. |

- Enter/select the field information in the CSR Parameter section.
Table 2. CSR Parameter Section - Field and Description Table

| Field | Description |
| --- | --- |
| CSR Generation Endpoint | The default CSR generation endpoint option is K8s Secret. Where private keys need to be generated in AppViewX, users can choose the CSR endpoint as 'AppViewX'. |
| Common Name | Enter the common name of the cert. |
| Subject Alternative Name | Select a Subject Alternative Name type from the dropdown list. The options are: DNS: the DNS name of the cert. IP Address: the IP address of the cert. |
| DNS/IP Address | Enter the DNS name or IP address of the cert. |
| Organization | Enter the organization of the cert. |
| Organization Unit | Enter the organization unit of the cert. |
| Locality | Enter the locality of the cert. |
| Street | Enter the street of the cert. |
| State | Enter the state of the cert. |
| Province | Enter the province of the cert. |
| Country | Enter the country of the cert. |
| Postal Code | Enter the postal code of the cert. |
| Email Address | Enter the email address of the cert. |
- Enter/select the field information in the Private Key Parameters section.
Table 3. Private Key Parameters Section - Field and Description Table

| Field | Description |
| --- | --- |
| Key Type | Select the key type of the cert from the dropdown list. The options are: RSA, EC. |
| Bit Length | Select the bit length from the dropdown list. CSR param bit lengths for RSA are 2048/4096/3072. CSR param bit lengths for EC are 256/384/521. |
- Click Generate Cert YAML to get the certificate for enrollment in the Certificate YAML field.
Note:
- To see the commands in the full screen view, click the .
- To copy the command, click .
- Click Add to add the certificate to the Enroll Certificate inventory list.
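As an added pre-check (this is not KUBE+'s own code, and the request keys it reads are an assumption about how the form fields would be expressed), the following Python function validates an enrollment request against the constraints stated in the three tables above: the delivery target, the pod file format and encoding, the alias that JKS needs, the key type and bit length pairing, the SAN type against its value, and the renewal fields that only apply when auto renewal is True.

```python
import ipaddress
import re

# Allowed values are taken from the field tables on this page; the request
# keys used below are a constructed assumption, not KUBE+'s own schema.
ENROLL_TARGETS = {"Secret", "POD"}
FORMATS = {"PEM", "PFX", "P12", "JKS"}
ENCODINGS = {"utf-8", "hex", "base64"}
KEY_BITS = {"RSA": {2048, 3072, 4096}, "EC": {256, 384, 521}}
RENEWAL_POLICIES = {"Regenerate a new key", "Renew with the existing key"}
DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def validate_enrollment(req: dict) -> list:
    """Return the problems found; an empty list means the request is consistent."""
    errors = []
    target = req.get("enroll_cert_to")
    if target not in ENROLL_TARGETS:
        errors.append("enroll_cert_to must be Secret or POD")
    if target == "POD":  # file-delivery fields only matter on the CSI (pod volume) path
        if req.get("format") not in FORMATS:
            errors.append("format must be PEM, PFX, P12 or JKS")
        if req.get("encoding") not in ENCODINGS:
            errors.append("encoding must be utf-8, hex or base64")
        if not req.get("file_name"):
            errors.append("file_name is required for POD delivery")
        if req.get("format") == "JKS" and not req.get("alias_name"):
            errors.append("JKS format requires an alias_name")
    key_type, bits = req.get("key_type"), req.get("bit_length")
    if key_type not in KEY_BITS:
        errors.append("key_type must be RSA or EC")
    elif bits not in KEY_BITS[key_type]:
        errors.append(f"bit_length {bits} is not valid for {key_type}")
    san_type, san = req.get("san_type"), str(req.get("san_value", ""))
    if san_type == "IP Address":
        try:
            ipaddress.ip_address(san)
        except ValueError:
            errors.append(f"san_value {san!r} is not an IP address")
    elif san_type == "DNS":
        if not san or not all(DNS_LABEL.match(lbl) for lbl in san.split(".")):
            errors.append(f"san_value {san!r} is not a valid DNS name")
    else:
        errors.append("san_type must be DNS or IP Address")
    if req.get("enable_auto_renewal", False):  # renewal fields only apply when True
        if req.get("renewal_policy") not in RENEWAL_POLICIES:
            errors.append("renewal_policy is required when auto renewal is True")
        days = req.get("renew_before_days")
        if not isinstance(days, int) or days <= 0:
            errors.append("renew_before_days must be a positive number of days")
    return errors
```

Run it over the values you intend to enter before clicking Generate Cert YAML; an empty list means the key, SAN and delivery settings are mutually consistent.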