LAB13: TLS Implementation

LAB101: TLS Implementation - NGINX


PART 1 - Create Your Own CA and TLS Certificates

We'll generate:

  1. CA private key

  2. CA certificate

  3. Server private key

  4. Server CSR

  5. Server certificate signed by CA (for nginx.example.com)


Step 1 - Create CA Private Key

openssl genrsa -out ca.key 4096

Step 2 - Create CA Certificate

openssl req -x509 -new -nodes \
  -key ca.key \
  -sha256 -days 3650 \
  -out ca.crt \
  -subj "/C=NP/ST=Bagmati/L=Kathmandu/O=MyCA Ltd/CN=My-Root-CA"

This is your root certificate authority.


Step 3 - Generate Server Private Key


Step 4 - Create CSR (Certificate Signing Request)


Create san.cnf:


Step 6 - Sign Server Certificate With Your CA

Resulting files:

  • tls.key → Server private key

  • tls.crt → Server certificate

  • ca.crt → CA certificate
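Steps 1 to 6 as one script, added here as a worked example (it is not the lab's own code): it writes the san.cnf the lab refers to, signs the certificate with the CA, and then runs the two checks a TLS client performs, chain validation and hostname matching. The subject fields, the file names tls.key/tls.crt/ca.crt and the host nginx.example.com come from the lab; the Example Org name, the 365-day leaf lifetime and the extension set are my assumptions. Because every SAN name is passed as an argument, the same script also covers the wildcard variant in the optional section at the end of this page (for example make_server_cert '*.example.com' example.com).

```sh
#!/bin/sh
# make-certs.sh (added example): private root CA + SAN-bearing server certificate,
# then the same two checks a TLS client performs: chain validation and hostname match.
set -eu

CA_SUBJ="/C=NP/ST=Bagmati/L=Kathmandu/O=MyCA Ltd/CN=My-Root-CA"

# Steps 1-2: root CA. A long lifetime is fine for a lab root; keep ca.key offline in practice.
make_ca() {
    openssl genrsa -out ca.key 4096
    openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt -subj "$CA_SUBJ"
    chmod 600 ca.key
}

# san.cnf: CN is informational only; clients match the hostname against subjectAltName.
# Usage: write_san_cnf <name1> [<name2> ...]   (first name doubles as CN; Example Org is assumed)
write_san_cnf() {
    cn="$1"
    {
cat <<EOF
[req]
default_bits       = 2048
prompt             = no
default_md         = sha256
distinguished_name = dn
req_extensions     = v3_req

[dn]
C  = NP
ST = Bagmati
L  = Kathmandu
O  = Example Org
CN = $cn

[v3_req]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[alt_names]
EOF
        i=1
        for name in "$@"; do printf 'DNS.%s = %s\n' "$i" "$name"; i=$((i + 1)); done
    } > san.cnf
}

# Steps 3-6: server key, CSR, CA-signed certificate. openssl x509 -req does not copy
# extensions from the CSR, so v3_req is passed again at signing time.
make_server_cert() {
    write_san_cnf "$@"
    openssl genrsa -out tls.key 2048
    openssl req -new -key tls.key -out tls.csr -config san.cnf
    openssl x509 -req -in tls.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -sha256 -extfile san.cnf -extensions v3_req -out tls.crt
    chmod 600 tls.key
}

# What curl and browsers check: issued by a trusted CA *and* the name is in the SAN list.
verify_chain() {
    openssl verify -CAfile ca.crt -verify_hostname "$1" tls.crt
}

main() {
    make_ca
    make_server_cert nginx.example.com
    verify_chain nginx.example.com
    openssl x509 -in tls.crt -noout -text | grep -A1 'Subject Alternative Name'
}

if [ $# -gt 0 ]; then main; fi   # sh make-certs.sh run
```

Run it with sh make-certs.sh run. The CN is only informational: curl and browsers match the hostname against subjectAltName, which is why the SAN section has to be supplied again with -extfile when signing; a certificate signed without it validates against the CA but fails every hostname check.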


PART 2 - Create Kubernetes TLS Secret

You can create it with a kubectl command or from a YAML manifest.


A. Using kubectl command


B. Using YAML (base64 required)

Encode the files:

Create nginx-tls-secret.yaml:

Apply:
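The base64 step as a script, added here as a worked example rather than the lab's own manifest. It assumes the files from Part 1 (tls.crt, tls.key, ca.crt) and the Secret name nginx-tls; the extract_key helper is mine, used to prove the encoded values decode back to the originals before anything is applied.

```sh
#!/bin/sh
# make-tls-secret.sh (added example): render a kubernetes.io/tls Secret from PEM
# files without kubectl, and prove the base64 round trip before applying it.
set -eu

# The value must be a single line: GNU base64 wraps at 76 columns by default and
# macOS base64 has no -w flag, so strip newlines instead of depending on -w0.
b64() { base64 < "$1" | tr -d '\n'; }

# Usage: render_tls_secret <name> <tls.crt> <tls.key> [ca.crt]
render_tls_secret() {
    name="$1"; crt="$2"; key="$3"; ca="${4:-}"
cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: kubernetes.io/tls
data:
  tls.crt: $(b64 "$crt")
  tls.key: $(b64 "$key")
EOF
    # Optional: the type only requires tls.crt and tls.key, extra keys are allowed,
    # and shipping ca.crt lets in-cluster clients pin the same trust root.
    if [ -n "$ca" ]; then printf '  ca.crt: %s\n' "$(b64 "$ca")"; fi
}

# Decode one data key back out of a rendered manifest (round-trip check).
extract_key() {
    manifest="$1"; key="$2"
    sed -n "s/^  $key: //p" "$manifest" | base64 -d
}

# Equivalent when kubectl is available (--dry-run=client -o yaml prints the same YAML):
#   kubectl create secret tls nginx-tls --cert=tls.crt --key=tls.key
if [ $# -ge 3 ]; then render_tls_secret "$@"; fi   # sh make-tls-secret.sh nginx-tls tls.crt tls.key ca.crt
```

A wrapped base64 value is the classic failure here: the manifest still applies, but the stored key is truncated at the first line break and nginx refuses to start. The round trip with extract_key catches that before kubectl ever sees the file.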


PART 3 - Nginx TLS VIRTUAL HOST CONFIG (ConfigMap)

This ConfigMap creates a virtual host listening on port 443 with TLS:


PART 4 β€” Nginx Pod Using TLS + ConfigMap


TESTING

If using port-forward:

Then:

Output:



PART 1 - NGINX DEPLOYMENT (HTTPS-READY)

The Deployment mounts:

  • TLS Secret → /etc/nginx/tls

  • Virtual Host ConfigMap → /etc/nginx/conf.d

Apply:

Updated NGINX Virtual host config
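The ConfigMap and Deployment from Parts 3 and 4 and from this section, rendered by one script; this is an added example, not the lab's own manifests. Assumptions: the Secret is named nginx-tls, the ConfigMap nginx-vhost, the two mount paths are the ones listed above, the image is nginx:1.27, and the vhost carries the TLS settings I would want on it (TLS 1.2/1.3 only, HSTS). The lint function is mine: it fails if nginx is configured to load a file outside a mounted directory, which makes nginx exit with "cannot load certificate" right after apply.

```sh
#!/bin/sh
# render-nginx-tls.sh (added example): ConfigMap + Deployment for an HTTPS-only nginx,
# plus a check that every path nginx is told to load lives under a mounted volume.
set -eu

TLS_DIR=/etc/nginx/tls     # Secret mount: tls.crt, tls.key, ca.crt
CONF_DIR=/etc/nginx/conf.d # ConfigMap mount: default.conf

render_vhost() {
cat <<EOF
server {
    listen 443 ssl;
    server_name nginx.example.com;

    ssl_certificate     $TLS_DIR/tls.crt;
    ssl_certificate_key $TLS_DIR/tls.key;

    # TLS 1.2/1.3 only; the library defaults already prefer AEAD suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        root  /usr/share/nginx/html;
        index index.html;
    }
}
EOF
}

render_manifests() {
cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-vhost
data:
  default.conf: |
$(render_vhost | sed 's/^/    /')
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-tls
spec:
  selector:
    matchLabels:
      app: nginx-tls
  template:
    metadata:
      labels:
        app: nginx-tls
    spec:
      containers:
      - name: nginx
        image: nginx:1.27
        ports:
        - containerPort: 443
        volumeMounts:
        - name: tls
          mountPath: $TLS_DIR
          readOnly: true
        - name: vhost
          mountPath: $CONF_DIR
          readOnly: true
      volumes:
      - name: tls
        secret:
          secretName: nginx-tls
          defaultMode: 0400   # key readable only by the nginx master process (root)
      - name: vhost
        configMap:
          name: nginx-vhost
EOF
}

# Before kubectl apply: every ssl_certificate* path must sit under a mountPath,
# and no legacy protocol may be enabled.
lint() {
    m=$(render_manifests)
    for p in $(render_vhost | awk '/ssl_certificate/ {print $2}' | tr -d ';'); do
        printf '%s\n' "$m" | grep -q "mountPath: ${p%/*}\$" \
            || { echo "not mounted: $p" >&2; return 1; }
    done
    if render_vhost | grep -Eq 'ssl_protocols.*(SSLv3|TLSv1 |TLSv1\.1)'; then
        echo "legacy TLS enabled" >&2; return 1
    fi
}

if [ $# -gt 0 ]; then lint && render_manifests; fi   # sh render-nginx-tls.sh out > nginx-tls.yaml
```

Mounting the ConfigMap at /etc/nginx/conf.d replaces the image's default.conf, so the key name default.conf matters. The Secret's key names (tls.crt, tls.key) become the file names under /etc/nginx/tls, which is why the ssl_certificate paths above must agree with the keys used in Part 2.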


🌐 PART 2 - SERVICE (EXPOSE DEPLOYMENT)

A ClusterIP Service is enough if you're fronting it with an Ingress.

Apply:


PART 3 - INGRESS WITH TLS TERMINATION

Here the TLS certificate is used at the Ingress layer (the controller terminates TLS), not inside Nginx. You can keep TLS inside Nginx as well, but this example covers Ingress TLS. Note that after termination the controller forwards to the backend Service in plain HTTP unless it is configured to re-encrypt, so the Nginx behind it must either listen for HTTP or the controller must be told that the backend speaks HTTPS.

Works with:

  • NGINX Ingress Controller

  • HAProxy

  • Traefik

  • Istio Gateway (with tweaks)


✔ Ingress + TLS using your Secret

Apply:


Test Your HTTPS Endpoint

Update /etc/hosts:

Then test:

Expected output:

If you're using NGINX ingress controller:

On a cloud platform, use the ingress controller Service's external IP instead.
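The Ingress from the section above plus the probes for both the port-forward test earlier on the page and the Ingress test here; this is an added example, not the lab's own files. Assumptions: Secret and Service are both named nginx-tls, the ingress class is nginx, and the annotations are those of the NGINX Ingress Controller (backend-protocol is set to HTTPS because the lab's Nginx listens with TLS on 443; drop that annotation if your backend serves plain HTTP). The lint_ingress helper is mine.

```sh
#!/bin/sh
# https-ingress.sh (added example): Ingress that terminates TLS with the nginx-tls
# Secret, plus probes that validate the chain against ca.crt instead of using curl -k.
set -eu

HOST=nginx.example.com
SECRET=nginx-tls
SERVICE=nginx-tls

render_ingress() {
cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-tls
  annotations:
    # NGINX Ingress Controller: force HTTPS, and re-encrypt to the Pod because the
    # backend nginx in this lab listens with TLS on 443, not plain HTTP.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - $HOST
    secretName: $SECRET
  rules:
  - host: $HOST
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: $SERVICE
            port:
              number: 443
EOF
}

# Every host under spec.tls needs a matching rule, otherwise the controller answers
# with its default certificate for that name; returns non-zero on mismatch.
lint_ingress() {
    m=$(render_ingress)
    for h in $(printf '%s\n' "$m" | sed -n '/^  tls:/,/^  rules:/s/^    - //p'); do
        printf '%s\n' "$m" | grep -q "^  - host: $h\$" || { echo "no rule for $h" >&2; return 1; }
    done
}

# Probe with a pinned address (no /etc/hosts edit) and our own CA, never --insecure.
# Usage: probe <ingress-or-pod-ip> [port]
probe() {
    ip="$1"; port="${2:-443}"
    curl -sS --fail --cacert ca.crt --resolve "$HOST:$port:$ip" \
        -o /dev/null -w 'HTTP %{http_code}, TLS verify result %{ssl_verify_result}\n' "https://$HOST:$port/"
}

# Show which certificate the endpoint really presents; expect "Verify return code: 0 (ok)".
show_cert() {
    ip="$1"; port="${2:-443}"
    openssl s_client -connect "$ip:$port" -servername "$HOST" -CAfile ca.crt \
        -verify_hostname "$HOST" </dev/null 2>/dev/null | grep -E 'subject=|issuer=|Verify return code'
}

if [ $# -gt 0 ]; then lint_ingress && render_ingress; fi   # sh https-ingress.sh out > ingress.yaml
```

For the port-forward test run kubectl port-forward deploy/nginx-tls 8443:443 and then probe 127.0.0.1 8443; for the Ingress test run probe with the controller's address. --resolve pins the name to the address without touching /etc/hosts, and --cacert ca.crt makes curl fail on any certificate not issued by your CA, including the controller's self-signed default certificate, which curl -k would silently accept.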


OPTIONAL: MULTI-DOMAIN OR WILDCARD CERTS

Wildcard Example (*.example.com)

A wildcard matches exactly one DNS label: *.example.com covers app.example.com, but neither example.com itself nor a.b.example.com, so add the apex domain as its own SAN entry if you need it.

san.cnf:

Same process:

Ingress:

