SSL/TLS Fundamentals

The cryptographic protocol that secures the modern internet — from browser connections to Kubernetes API servers. Synthesized from TLS Explained Simply.

What Is TLS?

TLS (Transport Layer Security) is the successor to SSL (Secure Sockets Layer). It is a protocol that operates between the transport layer (TCP) and the application layer (HTTP), providing three security guarantees:

GuaranteeWhat It MeansAttack It Prevents
EncryptionOnly the intended recipient can read the dataEavesdropping, packet sniffing
AuthenticationThe client verifies the server’s identityMan-in-the-middle, impersonation
IntegrityData cannot be altered in transit without detectionTampering, replay attacks

Terminology Note: SSL 2.0 and 3.0 are deprecated and insecure. All modern systems use TLS 1.2 or TLS 1.3. In practice, people still say “SSL certificate” when they mean “TLS certificate.” Source: CKA Day 20


The TLS Handshake

Before any application data is exchanged, the client and server perform a handshake to negotiate encryption parameters and authenticate each other.

TLS 1.2 Handshake (Full)

Client                                          Server
   │                                               │
   │────── ClientHello ────────────────────────────▶│
   │  (TLS version, supported cipher suites,       │
   │   random nonce, compression methods)           │
   │                                               │
   │◀───── ServerHello ────────────────────────────│
   │  (Chosen TLS version & cipher suite,          │
   │   server random nonce)                         │
   │◀───── Certificate ─────────────────────────────│
   │  (Server's X.509 certificate chain)            │
   │◀───── ServerKeyExchange (optional) ──────────│
   │  (For DHE/ECDHE key exchange)                  │
   │◀───── ServerHelloDone ────────────────────────│
   │                                               │
   │────── ClientKeyExchange ──────────────────────▶│
   │  (Pre-master secret encrypted with server's    │
   │   public key)                                  │
   │────── ChangeCipherSpec ───────────────────────▶│
   │  ("I will now use encrypted communication")    │
   │────── Finished (encrypted handshake hash) ────▶│
   │                                               │
   │◀───── ChangeCipherSpec ───────────────────────│
   │◀───── Finished ───────────────────────────────│
   │                                               │
   │========== Encrypted Application Data ==========│

TLS 1.3 Handshake (Simplified)

TLS 1.3 reduces the handshake to a single round trip (1-RTT) by combining key exchange with the initial hello:

Client                                          Server
   │                                               │
   │────── ClientHello + KeyShare ─────────────────▶│
   │                                               │
   │◀───── ServerHello + KeyShare + EncryptedExt ──│
   │◀───── {Certificate + Finished} ───────────────│
   │  (Everything after ServerHello is encrypted)    │
   │                                               │
   │────── {Finished + Application Data} ────────────▶│

Key Improvement: In TLS 1.3, the server’s certificate is already encrypted, and the handshake completes in one fewer round trip. This improves both speed and privacy.


Cryptographic Building Blocks

Asymmetric Cryptography (Public/Private Keys)

AspectDetail
KeysTwo mathematically related keys: public (shared freely) and private (kept secret)
EncryptionAnyone can encrypt with the public key; only the private key holder can decrypt
AuthenticationOnly the private key holder can sign; anyone with the public key can verify the signature
AlgorithmsRSA (legacy), ECDSA (elliptic curve, faster, smaller keys), Ed25519 (modern)
SpeedSlow — used only during the handshake

Symmetric Cryptography (Shared Secret)

AspectDetail
KeysOne key shared between both parties after the handshake
EncryptionSame key encrypts and decrypts
AlgorithmsAES-GCM, AES-CBC, ChaCha20-Poly1305
SpeedFast — used for all bulk data encryption during the session

Why Both?

Asymmetric cryptography solves the key distribution problem (how do two strangers agree on a secret?), but it is too slow for encrypting large amounts of data. TLS uses asymmetric crypto only to bootstrap the connection; once both sides agree on a shared symmetric key, all application data flows over fast symmetric encryption.


Certificates and the PKI Ecosystem

What Is a TLS Certificate?

A TLS certificate is a digital document that binds a public key to an identity (domain name, organization name). It follows the X.509 standard and contains:

FieldPurpose
SubjectIdentity of the certificate owner (CN, O, OU, L, ST, C)
Subject Alternative Name (SAN)List of DNS names and IP addresses the certificate is valid for
Public KeyThe owner’s public key for encryption/verification
IssuerThe Certificate Authority that signed this certificate
Validity PeriodNot Before / Not After dates
Serial NumberUnique identifier for revocation tracking
SignatureThe CA’s digital signature proving authenticity

Certificate Authorities (CAs)

A Certificate Authority is a trusted organization that signs certificates, vouching that the public key belongs to the claimed identity.

CA TypeExamplesUse Case
Public CAsLet’s Encrypt, DigiCert, SectigoPublic-facing websites and APIs
Private/Enterprise CAsActive Directory Certificate Services, HashiCorp VaultInternal services, microservices mTLS
Self-SignedGenerated with openssl req -x509Development, testing, controlled trust stores

The Trust Chain

┌─────────────────┐
│   Root CA       │  ← Trusted by browsers/OS (pre-installed)
│   (Self-signed) │
└────────┬────────┘
         │ signs
┌────────▼────────┐
│ Intermediate CA  │
└────────┬────────┘
         │ signs
┌────────▼────────┐
│  Server Cert     │  ← Presented by the website/API
│  (example.com)   │
└─────────────────┘

Validation steps:

  1. Server presents its certificate + any intermediate certificates
  2. Client builds a chain from the server cert up to a trusted root CA
  3. Client verifies each signature in the chain
  4. Client checks expiry, hostname match (SAN), and revocation status (CRL/OCSP)

Self-Signed Certificates

A self-signed certificate is signed by its own private key rather than a CA. No third party vouches for it.

# Generate a self-signed certificate
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem \
  -days 365 -nodes -subj "/CN=localhost"
Use CaseRationale
Development / Local testingNo public CA needed; add to local trust store
Kubernetes bootstrapkubeadm generates a self-signed CA for cluster internal trust
Private PKIYou control the trust store (enterprise CA replacement)

Warning: Browsers and standard HTTP clients reject self-signed certificates unless explicitly configured to trust them. Never use self-signed certs for public-facing production services.


TLS in Kubernetes

TLS is woven throughout the Kubernetes control plane and data plane:

ComponentTLS Role
kube-apiserverServes HTTPS on port 6443; validates client certificates from kubelets and users
etcdPeer-to-peer TLS between etcd members; client TLS for API server connections
kubeletUses client certificates (issued by cluster CA) to authenticate to the API server
kube-controller-manager / kube-schedulerCommunicate with API server over HTTPS with client certs
Ingress ControllersTerminate TLS at the cluster edge; route plain HTTP to backend Services
Service Mesh (Istio/Linkerd)mTLS between all Pod-to-Pod traffic inside the cluster
kubernetes.io/tls SecretStores certificate + key pairs for Ingress, webhooks, and admission controllers

Kubernetes TLS Secret Type

apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
type: kubernetes.io/tls
data:
  tls.crt: LS0tLS1CRUdJTi...  # base64-encoded certificate
  tls.key: LS0tLS1CRUdJTi...   # base64-encoded private key

Exam Tip: The tls.crt field must contain the full certificate chain (server cert + intermediates), not just the leaf certificate. Source: CKA Day 19


Cipher Suites

A cipher suite is a named combination of algorithms used during the handshake and session:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
│     │    │   │    │      │     │
│     │    │   │    │      │     └── MAC / PRF algorithm
│     │    │   │    │      └──────── Symmetric encryption mode
│     │    │   │    └─────────────── Symmetric encryption algorithm
│     │    │   └──────────────────── Key exchange algorithm
│     │    └──────────────────────── Authentication (signature) algorithm
│     └───────────────────────────── Key exchange type (Ephemeral Diffie-Hellman)
└─────────────────────────────────── Protocol version

Modern recommendations:

  • Prefer ECDHE or DHE for forward secrecy (ephemeral keys — compromise of long-term key does not decrypt past sessions)
  • Prefer AES-GCM or ChaCha20-Poly1305 for authenticated encryption
  • Avoid RSA key exchange (no forward secrecy) and CBC modes (padding oracle risks)

TLS 1.3 simplifies this by eliminating obsolete cipher suites entirely and offering only a small, modern set.


Certificate Management Tools

ToolPurpose
opensslSwiss army knife: generate keys, CSRs, certificates, inspect PEM files
cert-managerKubernetes-native certificate provisioning (Let’s Encrypt, Vault, self-signed)
Let’s EncryptFree, automated public CA with ACME protocol
cfssl / cfssljsonCloudFlare’s PKI toolkit — popular in Kubernetes bootstrap scripts
HashiCorp VaultDynamic secrets, PKI engine for internal certificate issuance

Essential openssl Commands

# Inspect a certificate
openssl x509 -in cert.pem -text -noout
 
# Check expiry date
openssl x509 -in cert.pem -noout -dates
 
# Verify certificate chain
openssl verify -CAfile ca.crt -untrusted intermediate.crt server.crt
 
# Generate a private key + CSR
openssl req -newkey rsa:2048 -keyout key.pem -out csr.pem -nodes
 
# Check which certificate a server presents
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -text -noout

TLS Version Evolution

VersionYearStatus
SSL 1.01994Never publicly released
SSL 2.01995Deprecated, insecure
SSL 3.01996Deprecated (POODLE attack)
TLS 1.01999Deprecated (BEAST attack)
TLS 1.12006Deprecated
TLS 1.22008Widely supported; minimum acceptable today
TLS 1.32018Latest; faster handshake, fewer cipher suites, encrypted SNI

Troubleshooting Matrix

SymptomLikely CauseDiagnostic
curl: (60) SSL certificate problemSelf-signed or expired cert; missing CA in trust storeopenssl s_client -connect host:443
x509: certificate has expiredCertificate past Not After dateopenssl x509 -in cert.pem -noout -dates
x509: certificate signed by unknown authorityMissing intermediate CA in chain; untrusted rootopenssl verify -CAfile ca.crt cert.pem
x509: certificate is valid for ...Hostname mismatch (SAN/CN does not match URL)openssl x509 -in cert.pem -noout -subject -ext subjectAltName
Kubernetes API server unreachableExpired API server certificateCheck /etc/kubernetes/pki/apiserver.crt expiry
Pod ImagePullBackOff with registryRegistry TLS cert expired/invalidopenssl s_client -connect registry:443

CKA Exam Relevance

While the CKA exam does not require building a CA from scratch, TLS appears in multiple exam tasks:

  • Cluster Architecture (~25%): Understand that API server, etcd, and kubelets all use TLS certificates stored in /etc/kubernetes/pki/
  • Troubleshooting (~30%): Expired certificates are a common failure mode. Know how to check certificate validity with openssl
  • Workloads: kubernetes.io/tls Secrets are used for Ingress and admission webhooks
  • Certificate rotation: kubeadm-managed clusters store certs in /etc/kubernetes/pki/; know how to renew them


Kubernetes Certificate Management

Practical certificate operations inside a Kubernetes cluster — CertificateSigningRequests, kubeadm PKI, and certificate renewal. Synthesized from CKA Day 21 — Manage TLS Certificates In a Kubernetes Cluster.

The Kubernetes PKI Directory

kubeadm bootstraps a complete PKI under /etc/kubernetes/pki/:

FilePurpose
ca.crt / ca.keyCluster root CA — signs all component certificates
apiserver.crt / apiserver.keyAPI server HTTPS serving cert (port 6443)
apiserver-kubelet-client.crt / .keyAPI server client cert for kubelet auth
etcd/ca.crt / etcd/ca.keyetcd’s independent CA
etcd/server.crt / .keyetcd server serving cert
etcd/peer.crt / .keyetcd peer-to-peer mTLS
front-proxy-ca.crt / .keyAggregator proxy CA (for extension API servers)
sa.pub / sa.keyServiceAccount token signing key pair

Exam Trap: /etc/kubernetes/pki/ is owned by root with 600/644 permissions. If you accidentally delete ca.key, you cannot sign new certificates and must rebuild the PKI from scratch. Source: CKA Day 21

The CertificateSigningRequest (CSR) API

Kubernetes has a native CSR object (certificates.k8s.io/v1) that lets users or automation request signed certificates without direct access to the CA private key.

Use cases:

  • Onboarding new kubectl users with client certificates
  • Issuing certs for admission webhooks or custom controllers
  • Automating kubelet client certificate rotation

The CSR lifecycle:

User                        Kubernetes API              CA Signer
  │                              │                         │
  │── Generate key + CSR ──────▶│                         │
  │── Create CSR object ────────▶│                         │
  │                              │─── Pending ─────────────▶│
  │                              │◀── Admin approves ───────│
  │◀── Retrieve signed cert ────│◀── Signed cert stored ──│

Creating and Approving a CSR (CKA Pattern)

# 1. Generate private key
openssl genrsa -out developer.key 2048
 
# 2. Create CSR with CN and O fields
openssl req -new -key developer.key -out developer.csr \
  -subj "/CN=developer/O=engineering"
 
# 3. Base64 encode the CSR (remove newlines for YAML)
cat developer.csr | base64 | tr -d '\n'
 
# 4. Create the Kubernetes CSR object
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: developer-csr
spec:
  request: <base64-encoded-csr>
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
  expirationSeconds: 86400  # 1 day
EOF
 
# 5. Check status
kubectl get csr developer-csr
 
# 6. Approve (admin action)
kubectl certificate approve developer-csr
 
# 7. Extract the signed certificate
kubectl get csr developer-csr -o jsonpath='{.status.certificate}' \
  | base64 -d > developer.crt

Signer Names

Kubernetes 1.19+ requires an explicit signerName. Built-in signers:

Signer NameIssuesBest For
kubernetes.io/kube-apiserver-clientClient certificatesHuman users, service accounts, webhook clients
kubernetes.io/kube-apiserver-client-kubeletClient certificatesKubelet client auth (auto-rotated)
kubernetes.io/kubelet-servingServing certificatesKubelet HTTPS serving (server auth)
kubernetes.io/legacy-unknownLegacy compatibilityAvoid in production

Exam Trap: A CSR without a valid signerName will not be processed. If kubectl get csr shows Pending indefinitely, check that signerName is set correctly. Source: CKA Day 21

Certificate Expiry and Renewal

Check expiry (essential exam skill):

# All kubeadm-managed certificates
kubeadm certs check-expiration
 
# Single certificate with openssl
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -dates
 
# Decode and inspect
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout

Renew certificates:

# Renew all certificates
kubeadm certs renew all
 
# Renew a specific certificate
kubeadm certs renew apiserver
kubeadm certs renew apiserver-kubelet-client
kubeadm certs renew front-proxy-client

Critical Step: After renewing API server, etcd, or controller-manager certificates, you must restart the corresponding static Pod so it picks up the new certificate files from disk. kubelet auto-restarts static Pods when their manifest changes, but if only the cert file changed, you may need to move the manifest out and back in, or restart the node. Source: CKA Day 21

Auto-approval: In managed Kubernetes (EKS, GKE, AKS), node certificate bootstrapping uses the Node auto-approval controller. New nodes request a kubelet client cert via CSR; the controller approves it automatically if the node is authorized.

From Signed Certificate to TLS Secret

After extracting a signed certificate, store it in a Secret for workload consumption:

# From PEM files
kubectl create secret tls my-tls-secret --cert=developer.crt --key=developer.key
 
# The Secret appears as:
# type: kubernetes.io/tls
# data:
#   tls.crt: <base64 cert>
#   tls.key: <base64 key>

Ingress controllers, admission webhooks, and custom operators all consume kubernetes.io/tls Secrets. See Kubernetes ConfigMaps and Secrets for the full Secret type catalog.



Tags: security tls ssl certificates encryption pki kubernetes cka devops networking openssl csr kubeadm