Can I create a kubernetes secret with the kubectl command using a .pfx certificate?


The command below gives an error: error: flag key is required

kubectl create secret tls k8-secret2 \
    -n ingress-tls-test1 \
    --cert ingress-tls-test1.pfx

I am able to create the secret using .crt and .key file:

kubectl create secret tls aks-ingress-tls \
    --namespace ingress-basic \
    --key aks-ingress-tls.key \
    --cert aks-ingress-tls.crt
Answer (score 2):

While creating a k8s (up to v1.19) secret of type kubernetes.io/tls, you must provide two keys: tls.key and tls.crt. If you use kubectl to create a secret, you can use the --cert and --key flags to provide the values of those keys.

The public key certificate for --cert must be .PEM encoded (Base64-encoded DER format), and match the given private key for --key.

Since the .pfx certificate uses a different encoding and stores everything in a single encryptable file, you don't have separate cert and key files to fulfil the requirements.

But you can create a secret of the type Opaque instead of TLS.

$ kubectl create secret generic k8-secret2 --from-file=crt.pfx=./ingress-tls-test1.pfx
Answer (score 2):

I needed to create a kube TLS secret from a .pfx file today. Credits to: https://adolfi.dev/blog/tls-kubernetes/

## you will enter the pfx password on the CMD/terminal (once for the import, once for the new key's PEM passphrase)
openssl pkcs12 -in pfx-filename.pfx -nocerts -out key-filename.key
## strip the PEM passphrase so kubectl can read the key (assumes an RSA key; for EC keys use "openssl pkey" instead)
openssl rsa -in key-filename.key -out key-filename-decrypted.key
openssl pkcs12 -in pfx-filename.pfx -clcerts -nokeys -out crt-filename.crt  ## remove -clcerts to get the full chain in your cert
kubectl create secret tls your-secret-name --cert crt-filename.crt --key key-filename-decrypted.key
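As an added example (not code from either answer above or from the linked blog post), the following POSIX shell script performs that conversion end to end: it extracts the key and the leaf certificate from the .pfx, checks that the two actually belong together before anything reaches the ingress, and renders the same kubernetes.io/tls Secret manifest that kubectl would build, so the result can be reviewed or piped into kubectl apply without a cluster. It assumes openssl is on PATH, takes the PFX password from an exported PFX_PASSWORD environment variable (a convention chosen for this example, not an openssl or kubectl requirement, picked so the password never lands in shell history), and uses openssl pkey rather than openssl rsa so EC keys work as well. The function names and the output file names are hypothetical.

```shell
#!/bin/sh
# Added example: .pfx -> PEM cert + unencrypted key -> kubernetes.io/tls Secret.
# Assumes: openssl on PATH; PFX_PASSWORD exported (convention chosen for this example).
set -eu

# Extract the private key from the .pfx with no PEM passphrase (-nodes) so kubectl
# can read the file directly. `openssl pkey` normalises the output and, unlike
# `openssl rsa`, handles EC keys too. The key file is made owner-readable only.
pfx_extract_key() {   # usage: pfx_extract_key bundle.pfx out.key
    openssl pkcs12 -in "$1" -nocerts -nodes -passin env:PFX_PASSWORD \
        | openssl pkey -out "$2"
    chmod 600 "$2"
}

# Extract the leaf (client) certificate. Drop -clcerts to include the chain.
pfx_extract_cert() {  # usage: pfx_extract_cert bundle.pfx out.crt
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:PFX_PASSWORD \
        | openssl x509 -out "$2"
}

# Return 0 only if the certificate's public key equals the public key derived
# from the private key. Catches a cert paired with the wrong key before the
# ingress controller rejects the Secret at TLS handshake time.
cert_matches_key() {  # usage: cert_matches_key file.crt file.key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Render the Secret that `kubectl create secret tls` would produce: the PEM files
# base64-encoded into data.tls.crt and data.tls.key, type kubernetes.io/tls.
tls_secret_manifest() {  # usage: tls_secret_manifest name namespace file.crt file.key
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/tls
data:
  tls.crt: $(base64 < "$3" | tr -d '\n')
  tls.key: $(base64 < "$4" | tr -d '\n')
EOF
}

# Stand-alone use: ./pfx-to-tls-secret.sh bundle.pfx secret-name namespace
# (pipe the output into `kubectl apply -f -`). Skipped when no arguments are given.
if [ "$#" -eq 3 ]; then
    workdir=$(mktemp -d)
    pfx_extract_key "$1" "$workdir/tls.key"
    pfx_extract_cert "$1" "$workdir/tls.crt"
    cert_matches_key "$workdir/tls.crt" "$workdir/tls.key" \
        || { echo "certificate and key in $1 do not match" >&2; rm -rf "$workdir"; exit 1; }
    tls_secret_manifest "$2" "$3" "$workdir/tls.crt" "$workdir/tls.key"
    rm -rf "$workdir"
fi
```

Run it as `PFX_PASSWORD='...' ./pfx-to-tls-secret.sh ingress-tls-test1.pfx k8-secret2 ingress-tls-test1 | kubectl apply -f -`; the extracted key only ever exists in a mode-600 file inside a temporary directory that is removed once the manifest is printed.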
Answer (score 0):

Kubernetes v1.20: you can create a TLS secret imperatively:

Syntax:

kubectl create secret (command) (secret-name) (namespace) (cert) (key)

Example:

kubectl create secret tls webhook-server-tls --namespace webhook-demo --cert /root/keys/webhook-server-tls.crt --key /root/keys/webhook-server-tls.key