
How to Create Certificate Signing Request in Kubernetes

Sep 30, 2025


Background

Kubernetes allows you to utilize a public key infrastructure (PKI) for client authentication to your cluster.


You use a CertificateSigningRequest as part of this process, and either you or some other principal must approve the request.


Below is our setup

kubectl communicates with kubernetes cluster using csr

Step 1: Create a Private Key

openssl genrsa -out perry.key 3072

This will generate a private key named perry.key


Step 2: Create a Certificate Signing Request


openssl req -new -key perry.key -out perry.csr -subj "/CN=perry"

This will generate a certificate signing request named perry.csr


Step 3: Encode the CSR Document to base 64 Format


cat perry.csr | base64 | tr -d "\n"

Step 4: Create the Certificate Signing Request in Kubernetes Cluster

Log in to your Kubernetes cluster, then create a CertificateSigningRequest object. I am assuming you have already logged in by this point.


Open an Editor

vi certificatesigningrequest.yaml

Enter this in the Editor

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: perry
spec:
  request: <Your base64-encoded CSR from Step 3 here>
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 86400  # one day
  usages:
  - client auth

Create the CSR Object using kubectl

kubectl apply -f certificatesigningrequest.yaml

Step 5: Review and Approve the Certificate Signing Request


List the CSR Object

kubectl get csr

View the Details of the CSR

kubectl get csr perry
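
Before approving, decode the request and confirm the subject is what you expect: Kubernetes takes the username from CN and group membership from any O fields. The script below is an added example, not part of the original post; csr_subject, csr_ok_for_user and sample_request are hypothetical helper names, and the sample CSRs are constructed with throwaway keys.

```shell
#!/bin/sh
# Added example: check a CSR's subject before running `kubectl certificate approve`.
# Helper names are hypothetical; sample CSRs below are constructed for the demo.

# Print the subject of a base64-encoded PEM CSR (the .spec.request value).
csr_subject() {
  printf '%s' "$1" | base64 -d 2>/dev/null \
    | openssl req -noout -subject -nameopt RFC2253 2>/dev/null \
    | sed -e 's/^subject= *//'
}

# Succeed only if the subject is exactly CN=<expected user>.
# CN becomes the Kubernetes username and every O becomes a group, so an
# unexpected O= (or any other attribute) means the request is not approved.
csr_ok_for_user() {
  subject=$(csr_subject "$1")
  [ -n "$subject" ] && [ "$subject" = "CN=$2" ]
}

# Constructed sample input: a CSR for the given subject, made with a throwaway
# key and encoded the same way as in Step 3.
sample_request() {
  openssl req -new -newkey rsa:2048 -nodes -keyout /dev/null \
    -subj "$1" 2>/dev/null | base64 | tr -d '\n'
}

# Demo on constructed requests: only the first should pass for user "perry".
for subj in "/CN=perry" "/CN=admin" "/O=ops-admins/CN=perry"; do
  if csr_ok_for_user "$(sample_request "$subj")" perry; then
    echo "approve  $subj"
  else
    echo "reject   $subj"
  fi
done

# Against the real object from Step 4 (needs cluster access):
#   req=$(kubectl get csr perry -o jsonpath='{.spec.request}')
#   csr_ok_for_user "$req" perry && kubectl certificate approve perry
```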

Approve the Certificate Signing Request

kubectl certificate approve perry

Export the certificate from the CertificateSigningRequest object

Decode the certificate from base64

kubectl get csr perry -o jsonpath='{.status.certificate}'| base64 -d > perry-signed.crt


Step 6: Add the user to a Context

To test the CSR, import the approved certificate into a kubectl client. This will allow us to test a successful connection to the cluster.


Run this on one of your kubectl clients

kubectl config set-credentials perry --client-key=perry.key --client-certificate=perry-signed.crt --embed-certs=true


Associate the User to a new Context

kubectl config set-context perry --cluster=kubernetes --user=perry


Step 7: Create a Role and RoleBinding

Run the following commands in your cluster as an administrator.


Role Creation

kubectl create role developer --verb=create --verb=get --verb=list --verb=update --verb=delete --resource=pods

Bind the Role

kubectl create rolebinding developer-binding-perry --role=developer --user=perry


Step 8: Test your new Context from a kubectl client


Run this command in the client kubectl

This will change the context and use the user created earlier using the certificate.

kubectl config use-context perry

Test a kubectl command by getting pods

kubectl get pods

As you can see, we were able to connect to the Kubernetes cluster from kubectl on a client jump host.


