This blog post walks through a simple way to set up valid SSL certs locally for development. It requires some knowledge of working with Kubernetes and Helm.
As a developer I have always found it frustrating to work with SSL certs. It's one of those things you do only occasionally: in production you set them up once or twice a year, and then the process can easily be forgotten (unless documented well). Generally it's done locally a bit more frequently, but I still feel as though it is a hassle. I've seen myself and other developers often take the easy way out and just skip SSL locally, which works for most cases. Sometimes, though, when you're working with other APIs, they require a valid cert, so at one point or another during a project I end up needing to set up SSL certs locally.
Recently, I needed to do this while implementing an OAuth flow that required valid SSL certs, and I found a really easy way to set it up using cert-manager, one that has already proven to be easier the next time. Cert-manager can be installed into a minikube cluster and, using a Kubernetes manifest, also creates a valid certificate authority that you can trust on your OS. Let's get right into it!
Start a Kubernetes cluster with minikube
Cert-manager can run in Kubernetes. Locally I run minikube (although I'm sure there are others), so the first step here is to make sure you have installed Docker Desktop and minikube. If you already know what you are doing and have a cluster locally, skip to the next section.
For Docker Desktop, follow the instructions on their website: https://docs.docker.com/desktop/
For minikube run these commands:
You can find more details on how to install it on minikube's website: https://minikube.sigs.k8s.io/docs/start
Once you have minikube installed, we still need to get things up and running. You will need to enable ingress in minikube and start the cluster:
When you are ready to start serving resources inside your cluster via ingress, you will need to open a tunnel to your cluster locally:
That should be everything you need to install cert-manager and create a self-signed cert locally.
Install cert-manager
There are a few ways to install cert-manager: you can install it either with a manifest provided by cert-manager or with Helm. I'll cover installing using the provided manifest here, because it's what I did in my local minikube cluster and I didn't need any customization. You can see more about installing in the cert-manager documentation.
Run the following command on your local cluster:
For this one, you will want to make sure to use the latest version (v1.18.2 as of this writing). You can see the versions here: https://cert-manager.io/docs/releases/.
Set Up Your Cluster Issuer
You must create a certificate authority and trust the certs generated from that authority, so we'll do that with the script below. This script first creates a self-signed issuer, then creates a certificate authority using that cluster issuer, and then creates a cluster issuer that generates certs using the certificate authority. Simply run apply on the manifest below; from it we'll be able to get the certificate authority we need to trust:
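A manifest with the three resources described above, as an added example and not the original post's own manifest. The resource and secret names (selfsigned-issuer, selfsigned-ca, root-secret, local-ca-issuer), the one-year duration and the key settings are assumptions.

```yaml
# Added example; all names below are assumptions, not the original post's.
---
# 1. Bootstrap issuer: each certificate it issues is signed with its own key.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
---
# 2. Root CA certificate, issued by the bootstrap issuer.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: selfsigned-ca
  # A ClusterIssuer looks up its secret in cert-manager's own namespace
  # by default, so the CA secret has to live here.
  namespace: cert-manager
spec:
  isCA: true
  commonName: selfsigned-ca
  # root-secret holds the CA private key. Anyone who can read it can issue
  # certs that every machine trusting this CA will accept, so keep this CA
  # confined to the local development cluster.
  secretName: root-secret
  # Assumed one-year lifetime, so the root you trust on your OS is not
  # replaced at the default 90-day renewal cycle.
  duration: 8760h
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Never   # keep the same CA key if the cert is re-issued
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
    group: cert-manager.io
---
# 3. The issuer your workloads reference: signs leaf certs with the root CA.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: local-ca-issuer
spec:
  ca:
    secretName: root-secret
```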
Once cert-manager is finished, you will need to extract the certificate authority cert and add it to your operating system as a trusted certificate. You can save the certificate for your cluster by using this command:
The selfsigned-ca file should look something like this:
I won't go into detail on how to trust the certificate on your OS, but it's not too hard and I can point you in the right direction: Mac, Ubuntu, and Windows.
Create a Certificate
Once you've trusted your certificate, you should be able to create certs in your cluster. Here's an example I use on this website to do that when working locally:
And if you wanted to just create a certificate that you can use in multiple places, you can do it this way:
Conclusion
Now you know how to create a certificate authority and trust the certificate locally! We've installed Kubernetes with minikube, set up a trusted certificate authority, and used a cluster issuer to dynamically create an SSL cert. I have found this method of working with SSL during development easier to deal with than other methods where you have to pass around certs for different domains locally. Using cert-manager, you just have to work with the certificate authority cert and apply Kubernetes manifest files, and everything happens in the background for you.