Now that you have the prerequisites met, follow the steps below to create the TLS certificates that Azure Application Gateway will serve to clients connecting to your workload, as well as the certificate your Kubernetes ingress controller will expose. If you already have access to appropriate certificates, or can procure them from your organization, consider doing so and skipping the certificate generation steps. The following describes using self-signed certificates for instructive purposes only; they are not suitable for a production listener.
To support end-to-end TLS encryption, the following TLS certificates are procured.

| Common Name | Purpose | Notes |
|---|---|---|
| `bicycle.contoso.com` | Attached to the public IP on the Application Gateway | This is client-facing for the endpoint your workload will respond at. Typically this will be an EV certificate issued by a public CA. |
| `*.aks-ingress.contoso.com` | Attached to the ingress controller in the cluster | This is not client-facing and doesn't need to be procured from a public CA. It provides TLS encryption between Application Gateway and your ingress controller. |
1. Create the certificate for Azure Application Gateway with a common name of `bicycle.contoso.com`.

   ```bash
   # Self-signed, 365-day, RSA-2048 certificate with an unencrypted private key.
   # The subjectAltName is added because browsers validate the SAN, not the CN,
   # when checking a TLS server certificate (requires OpenSSL 1.1.1 or newer).
   openssl req -x509 -nodes -days 365 -newkey rsa:2048 -out appgw.crt -keyout appgw.key \
     -subj "/CN=bicycle.contoso.com/O=Contoso Bicycle" \
     -addext "subjectAltName=DNS:bicycle.contoso.com"

   # Bundle certificate and private key as PKCS#12 with an empty export password.
   openssl pkcs12 -export -out appgw.pfx -in appgw.crt -inkey appgw.key -passout pass:
   ```
2. Base64 encode the client-facing certificate.

   💡 No matter if you used a certificate from your organization or you generated one above, you'll need the certificate (as `.pfx`) to be Base64 encoded for proper storage in Key Vault later. The `.pfx` and this encoded string contain the private key, so treat them as secrets and keep them out of source control.

   ```bash
   # Single-line Base64 of the PKCS#12 bundle; tr strips the line wrapping that
   # some base64 implementations insert every 76 characters.
   APP_GATEWAY_LISTENER_CERTIFICATE_BASE64=$(cat appgw.pfx | base64 | tr -d '\n')
   ```
3. Generate the certificate for the ingress controller with a common name of `*.aks-ingress.contoso.com`.

   ```bash
   # Self-signed wildcard certificate for the in-cluster ingress controller.
   # The wildcard is carried in the SAN as well as the CN so that Application Gateway's
   # backend hostname validation and any modern client will accept it.
   openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
     -out ingress-internal-aks-ingress-contoso-com-tls.crt \
     -keyout ingress-internal-aks-ingress-contoso-com-tls.key \
     -subj "/CN=*.aks-ingress.contoso.com/O=Contoso AKS Ingress" \
     -addext "subjectAltName=DNS:*.aks-ingress.contoso.com"

   # Combine certificate and private key into a single PEM file (certificate first).
   # This combined form is what a certificate import (for example into Key Vault) expects;
   # Application Gateway's backend pool only needs to trust the public certificate.
   cat ingress-internal-aks-ingress-contoso-com-tls.crt ingress-internal-aks-ingress-contoso-com-tls.key \
     > ingress-internal-aks-ingress-contoso-com-tls.pem
   ```
4. Base64 encode the ingress controller certificate.

   💡 No matter if you used a certificate from your organization or you generated one above, you'll need the public certificate (as `.crt` or `.cer`) to be Base64 encoded for proper storage in Key Vault later. Only the public certificate is encoded here; the private key stays with the ingress controller.

   ```bash
   # Single-line Base64 of the public certificate only (no private key).
   INGRESS_CONTROLLER_CERTIFICATE_BASE64=$(cat ingress-internal-aks-ingress-contoso-com-tls.crt | base64 | tr -d '\n')
   ```
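The four steps above produce artifacts that are easy to get subtly wrong (a key that doesn't match its certificate, a missing SAN, a Base64 string with embedded newlines, a PFX that won't read back). The following script is an added example, not part of the original walkthrough or the reference implementation: it runs the same generation and packaging for both certificates and then verifies each artifact before anything is uploaded. The file names, the `WORKDIR` variable and the helper function names are assumptions made for this example; the common names and organization strings are the ones used above. It needs OpenSSL 1.1.1 or newer for `-addext`.

```shell
#!/usr/bin/env bash
# Added example (not from the aks-baseline docs): generate, package, encode and
# verify the Application Gateway listener certificate and the ingress controller
# certificate. WORKDIR and the helper names below are assumptions for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# gen_self_signed NAME CN ORG: self-signed RSA-2048 cert with CN and a matching DNS SAN.
gen_self_signed() {
  local name="$1" cn="$2" org="$3"
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.crt" \
    -subj "/CN=$cn/O=$org" \
    -addext "subjectAltName=DNS:$cn" 2>/dev/null
}

# to_pfx NAME: PKCS#12 bundle (cert + key) with an empty export password,
# the form the Application Gateway listener step stores in Key Vault.
to_pfx() {
  openssl pkcs12 -export -out "$WORKDIR/$1.pfx" \
    -in "$WORKDIR/$1.crt" -inkey "$WORKDIR/$1.key" -passout pass:
}

# to_pem_bundle NAME: certificate followed by private key in one PEM file.
to_pem_bundle() {
  cat "$WORKDIR/$1.crt" "$WORKDIR/$1.key" > "$WORKDIR/$1.pem"
}

# b64_oneline FILE: single-line Base64, portable across GNU and BSD base64.
b64_oneline() { base64 < "$1" | tr -d '\n'; }

# cert_dns_sans CRT: print the DNS names from subjectAltName, one per line.
cert_dns_sans() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# key_matches_cert CRT KEY: succeed only if the key's public half equals the cert's.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# pfx_subject PFX: subject of the leaf certificate inside the bundle (proves it reads back).
pfx_subject() {
  openssl pkcs12 -in "$1" -passin pass: -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

# cert_not_expired CRT: true while the certificate is inside its validity window.
cert_not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }

main() {
  gen_self_signed appgw   bicycle.contoso.com         "Contoso Bicycle"
  to_pfx appgw
  gen_self_signed ingress '*.aks-ingress.contoso.com' "Contoso AKS Ingress"
  to_pem_bundle ingress

  # Same variables the walkthrough expects, built from the verified artifacts.
  APP_GATEWAY_LISTENER_CERTIFICATE_BASE64="$(b64_oneline "$WORKDIR/appgw.pfx")"
  INGRESS_CONTROLLER_CERTIFICATE_BASE64="$(b64_oneline "$WORKDIR/ingress.crt")"

  echo "listener SANs:  $(cert_dns_sans "$WORKDIR/appgw.crt")"
  echo "pfx reads back: $(pfx_subject "$WORKDIR/appgw.pfx")"
  echo "ingress SANs:   $(cert_dns_sans "$WORKDIR/ingress.crt")"
  key_matches_cert "$WORKDIR/ingress.crt" "$WORKDIR/ingress.key" && echo "ingress key matches its cert"
  cert_not_expired "$WORKDIR/appgw.crt" && echo "listener cert is within its validity window"
  echo "base64 lengths: ${#APP_GATEWAY_LISTENER_CERTIFICATE_BASE64} (pfx) / ${#INGRESS_CONTROLLER_CERTIFICATE_BASE64} (crt)"
  echo "artifacts in $WORKDIR"
}

main
```

The key-to-certificate check compares the public key extracted from each side rather than RSA moduli, so it also works if you switch to an EC key later. `pfx_subject` is there because an empty export password is legal but easy to mis-type on the read side; confirming the bundle opens with `-passin pass:` before it reaches Key Vault saves a failed import.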