abhilashthale.tech

    SSL Full Setup (CA + Server Cert + Verify + Test)

    by abhilashthale - April 4, 2026

    ===== SSL FULL SETUP (CA + SERVER CERT + VERIFY + TEST) =====

    1. Generate CA key

    openssl genrsa -out abhilash-ca.key 3072

    2. Generate CA certificate

    openssl req -x509 -new -nodes \
      -key abhilash-ca.key \
      -sha256 -days 3650 \
      -out abhilash-ca.crt \
      -subj "/C=IN/ST=Maharashtra/L=Mumbai/O=AbhilashOrg/CN=Abhilash-Root-CA"

    3. Generate server key

    openssl genrsa -out server.key 3072

    4. Create SAN config

    cat > san.cnf <<EOF
    [req]
    distinguished_name = dn
    req_extensions = req_ext
    prompt = no

    [dn]
    C = IN
    ST = Maharashtra
    L = Mumbai
    O = AbhilashOrg
    CN = nginx.local

    [req_ext]
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = nginx.local
    DNS.2 = controlnode
    IP.1 = 127.0.0.1
    IP.2 = 192.168.240.140
    EOF

    5. Generate CSR

    openssl req -new \
      -key server.key \
      -out server.csr \
      -config san.cnf

    6. Sign certificate with CA

    openssl x509 -req \
      -in server.csr \
      -CA abhilash-ca.crt \
      -CAkey abhilash-ca.key \
      -CAcreateserial \
      -out server.crt \
      -days 825 \
      -sha256 \
      -extensions req_ext \
      -extfile san.cnf

    7. Verify certificate with CA

    openssl verify -CAfile abhilash-ca.crt server.crt

    8. Check SAN

    openssl x509 -in server.crt -text -noout | grep -A1 "Subject Alternative Name"

    9. Match key and cert (hash must match)

    openssl x509 -noout -modulus -in server.crt | openssl md5
    openssl rsa -noout -modulus -in server.key | openssl md5

    10. Test SSL locally

    openssl s_server -key server.key -cert server.crt -accept 8443

    (Run the command below in another terminal)

    openssl s_client -connect localhost:8443

    11. Create Kubernetes TLS secret

    kubectl create secret tls nginx-tls \
      --cert=server.crt \
      --key=server.key

    ===== DONE =====
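
    Steps 7 to 9 can be combined into one pass/fail gate to run before step 11. The script below is an added example, not part of the original post: it goes slightly further than the steps above by also checking the hostname against the SAN and the expiry date, and it compares public keys instead of MD5 of the RSA modulus. The names check_tls_pair and make_demo_pki, the demo subject names and the 1-day validity are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Helper names are hypothetical.

# check_tls_pair CA_CERT SERVER_CERT SERVER_KEY DNS_NAME
# Returns 0 only if every check passes; otherwise prints the first failure.
check_tls_pair() {
    ca=$1 cert=$2 key=$3 host=$4
    # Step 7 plus a name check: the chain must verify and DNS_NAME must match the SAN.
    openssl verify -CAfile "$ca" -verify_hostname "$host" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: chain or hostname check for $host"; return 1; }
    # Reject a certificate that has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "FAIL: certificate expired"; return 1; }
    # Step 9 without MD5: compare the public keys, which also works for EC keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    { [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; } \
        || { echo "FAIL: private key does not match certificate"; return 1; }
    echo "OK: certificate is valid for $host and matches the key"
}

# make_demo_pki DIR: constructed sample input, a throwaway CA and server
# certificate built the same way as steps 1-6 (1-day validity, demo names).
make_demo_pki() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        'x509_extensions = v3_ca' '[dn]' 'CN = nginx.local' \
        '[v3_ca]' 'basicConstraints = critical, CA:TRUE' \
        '[req_ext]' 'subjectAltName = DNS:nginx.local, IP:127.0.0.1' > "$d/san.cnf" &&
    openssl genrsa -out "$d/ca.key" 3072 2>/dev/null &&
    openssl req -x509 -new -key "$d/ca.key" -sha256 -days 1 -config "$d/san.cnf" \
        -subj "/CN=Demo-Root-CA" -out "$d/ca.crt" &&
    openssl genrsa -out "$d/server.key" 3072 2>/dev/null &&
    openssl req -new -key "$d/server.key" -config "$d/san.cnf" -out "$d/server.csr" &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/server.crt" -days 1 -sha256 \
        -extensions req_ext -extfile "$d/san.cnf" 2>/dev/null
}

# Run "sh thisfile demo" to build the sample PKI and check it.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d) && make_demo_pki "$tmp" &&
        check_tls_pair "$tmp/ca.crt" "$tmp/server.crt" "$tmp/server.key" nginx.local
    rm -rf "$tmp"
fi
```

    With the files from this post, the call would be: check_tls_pair abhilash-ca.crt server.crt server.key nginx.local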
