Certificates API in Kubernetes

What is the Certificate Authority server, and where is it located in Kubernetes?

The CA is really just a pair of files that we have generated: a private key and a certificate. Whoever gains access to this pair of files can sign any certificate for the Kubernetes environment; they can create as many users as they want, with whatever privileges they want. So these files need to be protected and stored in a safe environment. Say we place them on a server that is fully secured: that server becomes our CA server. The CA key file is stored only on that server, and every time we want to sign a certificate we can only do it by logging into that server. If the CA files are placed on the Kubernetes master node itself, the master node is also our CA server. The kubeadm tool does exactly this: it creates a CA key pair and stores it on the master node itself.

A better, automated way to manage certificate signing requests, and to rotate certificates when they expire, is needed. Kubernetes has a built-in Certificates API that can do this for you.

With the Certificates API, a certificate signing request is sent directly to Kubernetes through an API call. This time, when the administrator receives a certificate signing request, instead of logging onto the master node and signing the certificate by hand, the administrator creates a Kubernetes API object called CertificateSigningRequest. Once the object is created, all certificate signing requests can be seen by the administrators of the cluster. A request can be reviewed and approved easily using kubectl commands, and the signed certificate can then be extracted and shared with the user.

1. The user first creates a private key.

$ openssl genrsa -out me.key 2048
Generating RSA private key, 2048 bit long modulus
...+++
.................................................................................................................+++
e is 65537 (0x10001)

2. The user generates a certificate signing request using that key, with the user's name as the CN in the subject.

$ openssl req -new -key me.key -subj "/CN=me" -out me.csr

3. The user sends the request to the administrator.

4. The administrator takes the CSR and creates a CertificateSigningRequest object. It is created like any other Kubernetes object, using a manifest file with the usual fields; the kind is CertificateSigningRequest. Under the spec section, specify the groups the user should be part of and list the usages of the certificate as a list of strings. The request field is where you put the certificate signing request sent by the user, but not as plain text: it must be base64-encoded, and the encoded value must be a single line.

$ cat me.csr | base64 | tr -d "\n"
(base64 output omitted; base64 wraps its output, so the newlines are stripped to get the single line the request field needs)

me-csr.yaml:

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: me
spec:
  groups:
  - system:authenticated
  request: <base64-encoded contents of me.csr, on a single line>
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth

Once the object is created, all certificate signing requests can be seen by administrators by running the kubectl get csr command:

$ kubectl apply -f me-csr.yaml
certificatesigningrequest.certificates.k8s.io/me created
vagrant@kubemaster:~$ kubectl get csr
NAME   AGE   SIGNERNAME                            REQUESTOR          CONDITION
me     29s   kubernetes.io/kube-apiserver-client   kubernetes-admin   Pending

and approve the request by running the kubectl certificate approve command:

$ kubectl certificate approve me
certificatesigningrequest.certificates.k8s.io/me approved

Kubernetes signs the certificate using the CA key pair and generates a certificate for the user. This certificate can be extracted and shared with the user. To view it, get the CertificateSigningRequest object in YAML form:

$ kubectl get csr me -o yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"certificates.k8s.io/v1","kind":"CertificateSigningRequest","metadata":{"annotations":{},"name":"me"},"spec":{"groups":["system:authenticated"],"request":"<base64-encoded CSR>","signerName":"kubernetes.io/kube-apiserver-client","usages":["client auth"]}}
  creationTimestamp: "2020-12-29T12:43:52Z"
  managedFields:
  - apiVersion: certificates.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
      f:spec:
        f:groups: {}
        f:request: {}
        f:signerName: {}
        f:usages: {}
    manager: kubectl-client-side-apply
    operation: Update
    time: "2020-12-29T12:43:52Z"
  - apiVersion: certificates.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:status:
        f:certificate: {}
    manager: kube-controller-manager
    operation: Update
    time: "2020-12-29T12:57:04Z"
  - apiVersion: certificates.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:status:
        f:conditions:
          .: {}
          k:{"type":"Approved"}:
            .: {}
            f:lastTransitionTime: {}
            f:lastUpdateTime: {}
            f:message: {}
            f:reason: {}
            f:status: {}
            f:type: {}
    manager: kubectl
    operation: Update
    time: "2020-12-29T12:57:04Z"
  name: me
  resourceVersion: "633717"
  selfLink: /apis/certificates.k8s.io/v1/certificatesigningrequests/me
  uid: 7d4c1737-aa91-42e0-a750-06e9d550c4b6
spec:
  groups:
  - system:masters
  - system:authenticated
  request: <base64-encoded CSR>
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
  username: kubernetes-admin
status:
  certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM4akNDQWRxZ0F3SUJBZ0lRUzNwOGEzWUNNNGVGNXc1aVlNSEZnakFOQmdrcWhraUc5dzBCQVFzRkFEQVYKTVJNd0VRWURWUVFERXdwcmRXSmxjbTVsZEdWek1CNFhEVEl3TVRJeU9URXlOVEl3TkZvWERUSXhNVEl5T1RFeQpOVEl3TkZvd0RURUxNQWtHQTFVRUF4TUNiV1V3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLCkFvSUJBUURQOTh5bTZubXNTTjdFb2FVWFE3bXR6RDhJUEdzUDJ6QlJZNEZxcFQxdEN5NHFsd0ltZ1ZxRjhPRzEKRnRPSzNTenhkSXhKQk9Na0pOTG9wWkpOSjFkNWMxMHcxRkFjOVRQVDAyMEdBQ3M4UjNsci9mWm9YZUpTbkNrUgpycHoxY0w5TDJZeU8vekNRRmhHWFV1VUllRWI2eEhOeUtMS2NEb3IvdkNJcytvR3V4U0M5WTFFc2Z6b3FmTE1pCnozd2pmSGJpNS9FV2JrcGozRkovR29ZS2NIbHVQalRmMDU3UTBYNEp6SVNtRi9rd0R2b1lkaklQbmI3YzJJTzkKY1JHNEpXa1pLNGZZYjlQT2dQZElrRWtYMFZBZU5Fd0poRkVBODVHeDZHaEZwZTJVOSttbVJ6RzVaZC82bFFkbQo4R0I0ZCtEYkwzc0ZLUGtCSHZSdW1JT0hTYWdmQWdNQkFBR2pSakJFTUJNR0ExVWRKUVFNTUFvR0NDc0dBUVVGCkJ3TUNNQXdHQTFVZEV3RUIvd1FDTUFBd0h3WURWUjBqQkJnd0ZvQVVHZkk4OWF2T2pUaUdMUld5enpWZGR4ZEUKSTZVd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFGaXlMWmJjVmRNamtyQ3doYTdFdjN3SG0wU1VYbzFGdlZjdApUelpnejNCSXRxb3BsTzczZE85TXpTNWNVUjk0b2t4MWVBYVNTVmNsS0JpdWVsenFsVDFHZnNuZ2JIYTRuN1A4CkZQb2NKemdZVVBGV2lxWjh5dVFENXB4YUh3NUJRYjRCUGtpUWFmcy9XTFlJYWVzOG5CMjJjek92WXNld1FUOFoKakFWbFI1ckk4MGJGRm5CRnRESlRMQ0ZSeUFhYi9MdFZwLzhGWHI3RVh2anVvTXdaTC9nYlNJdWF0L1dsOWhYVwpibk5mVFZudmx5VkpQWGFCOGUyVWlQUjFnUklsUmhPRExoNE16ZU9hYlhncDYxbmhYWTVETTMyVWJ2VkR0UWttCldRQ1k4Uk9yYVdZOUpCSTFZQlhYeDhMOHFFZUxtalBLaUF6UW5xTnRSQU5sYStmZ21OND0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
  conditions:
  - lastTransitionTime: "2020-12-29T12:57:04Z"
    lastUpdateTime: "2020-12-29T12:57:04Z"
    message: This CSR was approved by kubectl certificate approve.
    reason: KubectlApprove
    status: "True"
    type: Approved

The certificate field is base64-encoded; decode it with base64 --decode:

$ echo LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM4akNDQWRxZ0F3SUJBZ0lRUzNwOGEzWUNNNGVGNXc1aVlNSEZnakFOQmdrcWhraUc5dzBCQVFzRkFEQVYKTVJNd0VRWURWUVFERXdwcmRXSmxjbTVsZEdWek1CNFhEVEl3TVRJeU9URXlOVEl3TkZvWERUSXhNVEl5T1RFeQpOVEl3TkZvd0RURUxNQWtHQTFVRUF4TUNiV1V3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLCkFvSUJBUURQOTh5bTZubXNTTjdFb2FVWFE3bXR6RDhJUEdzUDJ6QlJZNEZxcFQxdEN5NHFsd0ltZ1ZxRjhPRzEKRnRPSzNTenhkSXhKQk9Na0pOTG9wWkpOSjFkNWMxMHcxRkFjOVRQVDAyMEdBQ3M4UjNsci9mWm9YZUpTbkNrUgpycHoxY0w5TDJZeU8vekNRRmhHWFV1VUllRWI2eEhOeUtMS2NEb3IvdkNJcytvR3V4U0M5WTFFc2Z6b3FmTE1pCnozd2pmSGJpNS9FV2JrcGozRkovR29ZS2NIbHVQalRmMDU3UTBYNEp6SVNtRi9rd0R2b1lkaklQbmI3YzJJTzkKY1JHNEpXa1pLNGZZYjlQT2dQZElrRWtYMFZBZU5Fd0poRkVBODVHeDZHaEZwZTJVOSttbVJ6RzVaZC82bFFkbQo4R0I0ZCtEYkwzc0ZLUGtCSHZSdW1JT0hTYWdmQWdNQkFBR2pSakJFTUJNR0ExVWRKUVFNTUFvR0NDc0dBUVVGCkJ3TUNNQXdHQTFVZEV3RUIvd1FDTUFBd0h3WURWUjBqQkJnd0ZvQVVHZkk4OWF2T2pUaUdMUld5enpWZGR4ZEUKSTZVd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFGaXlMWmJjVmRNamtyQ3doYTdFdjN3SG0wU1VYbzFGdlZjdApUelpnejNCSXRxb3BsTzczZE85TXpTNWNVUjk0b2t4MWVBYVNTVmNsS0JpdWVsenFsVDFHZnNuZ2JIYTRuN1A4CkZQb2NKemdZVVBGV2lxWjh5dVFENXB4YUh3NUJRYjRCUGtpUWFmcy9XTFlJYWVzOG5CMjJjek92WXNld1FUOFoKakFWbFI1ckk4MGJGRm5CRnRESlRMQ0ZSeUFhYi9MdFZwLzhGWHI3RVh2anVvTXdaTC9nYlNJdWF0L1dsOWhYVwpibk5mVFZudmx5VkpQWGFCOGUyVWlQUjFnUklsUmhPRExoNE16ZU9hYlhncDYxbmhYWTVETTMyVWJ2VkR0UWttCldRQ1k4Uk9yYVdZOUpCSTFZQlhYeDhMOHFFZUxtalBLaUF6UW5xTnRSQU5sYStmZ21OND0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= | base64 --decode
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----

This can be shared with the end user.
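As an added example (not code from the original post), the workflow above wrapped in POSIX shell functions: build the manifest with a single-line base64 request, review the CSR's subject and signer before approving, and pull the issued certificate from .status.certificate instead of copying the base64 by hand. It assumes kubectl is configured for the cluster, openssl is installed, and the CSR object is named after the user's CN (as with "me" above); the function names are hypothetical.

```shell
# Added example (not the original post's code): the page's CSR workflow as
# shell functions. Assumes kubectl talks to the cluster, openssl is installed,
# and the CSR object is named after the user's CN (e.g. "me"), as on the page.
set -eu

# Build the CertificateSigningRequest manifest for a PEM CSR file. The request
# field must be a single line of base64, so strip the newlines base64 inserts.
build_csr_manifest() {          # $1 = CSR object name, $2 = path to the .csr
  req=$(base64 < "$2" | tr -d '\n')
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $1
spec:
  groups:
  - system:authenticated
  request: $req
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF
}

# Review before approving: decode .spec.request, show the subject the requester
# asked for, and refuse unless the CN and signer are what the admin expects.
review_and_approve() {          # $1 = CSR object name, $2 = expected CN
  signer=$(kubectl get csr "$1" -o jsonpath='{.spec.signerName}')
  subject=$(kubectl get csr "$1" -o jsonpath='{.spec.request}' \
            | base64 -d | openssl req -noout -subject)
  echo "signer=$signer subject=$subject"
  case "$subject" in
    *"CN = $2"*|*"CN=$2"*) ;;     # OpenSSL 1.1 / 1.0 subject formats
    *) echo "CN mismatch, not approving" >&2; return 1 ;;
  esac
  [ "$signer" = "kubernetes.io/kube-apiserver-client" ] || return 1
  kubectl certificate approve "$1"
}

# Pull the issued certificate from .status.certificate (no hand-copied base64).
fetch_issued_cert() {           # $1 = CSR object name, $2 = output .crt path
  kubectl get csr "$1" -o jsonpath='{.status.certificate}' | base64 -d > "$2"
  openssl x509 -in "$2" -noout -subject -dates
}

if [ "$#" -ge 2 ]; then         # usage: sh csr.sh me me.csr
  build_csr_manifest "$1" "$2" | kubectl apply -f -
  review_and_approve "$1" "$1" && fetch_issued_cert "$1" "$1.crt"
fi
```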

Lastly, all certificate-related operations are carried out by the controller manager (kube-controller-manager).
