1OC ADM CA(1)                       June 2016                      OC ADM CA(1)
2
3
4

NAME

6       oc  adm  ca create-server-cert - Create a signed server certificate and
7       key
8
9
10

SYNOPSIS

12       oc adm ca create-server-cert [OPTIONS]
13
14
15

DESCRIPTION

17       Create a key and server certificate
18
19
20       Create a key and server certificate valid for the specified  hostnames,
21       signed  by  the specified CA. These are useful for securing infrastruc‐
22       ture components such as the router, authentication server, etc.
23
24
25       Example: Creating a secure router certificate.
26
27
28       CA=openshift.local.config/master
29             oc adm ca create-server-cert --signer-cert=$CA/ca.crt \
30                   --signer-key=$CA/ca.key --signer-serial=$CA/ca.serial.txt \
31                   --hostnames='*.cloudapps.example.com' \
32                   --cert=cloudapps.crt --key=cloudapps.key
33         cat cloudapps.crt cloudapps.key $CA/ca.crt > cloudapps.router.pem
34
35
36

OPTIONS

38       --cert=""
39           The certificate file. Choose a name that indicates what the service
40       is.
41
42
43       --expire-days=730
44           Validity of the certificate in days (defaults to 2 years). WARNING:
45       extending this above default value is highly discouraged.
46
47
48       --hostnames=[]
49           Every hostname or IP you want server certs to be valid  for.  Comma
50       delimited list
51
52
53       --key=""
54           The key file. Choose a name that indicates what the service is.
55
56
57       --overwrite=true
58           Overwrite  existing  cert  files  if found.  If false, any existing
59       file will be left as-is.
60
61
62       --signer-cert="openshift.local.config/master/ca.crt"
63           The certificate file.
64
65
66       --signer-key="openshift.local.config/master/ca.key"
67           The key file.
68
69
70       --signer-serial="openshift.local.config/master/ca.serial.txt"
71           The serial file that keeps  track  of  how  many  certs  have  been
72       signed.
73
74
75

OPTIONS INHERITED FROM PARENT COMMANDS

77       --allow_verification_with_non_compliant_keys=false
78           Allow  a  SignatureVerifier  to  use  keys  which  are  technically
79       non-compliant with RFC6962.
80
81
82       --alsologtostderr=false
83           log to standard error as well as files
84
85
86       --application_metrics_count_limit=100
87           Max number of application metrics to store (per container)
88
89
90       --as=""
91           Username to impersonate for the operation
92
93
94       --as-group=[]
95           Group to impersonate for the operation, this flag can  be  repeated
96       to specify multiple groups.
97
98
99       --azure-container-registry-config=""
100           Path  to the file containing Azure container registry configuration
101       information.
102
103
104       --boot_id_file="/proc/sys/kernel/random/boot_id"
105           Comma-separated list of files to check for boot-id. Use  the  first
106       one that exists.
107
108
109       --cache-dir="/builddir/.kube/http-cache"
110           Default HTTP cache directory
111
112
113       --certificate-authority=""
114           Path to a cert file for the certificate authority
115
116
117       --client-certificate=""
118           Path to a client certificate file for TLS
119
120
121       --client-key=""
122           Path to a client key file for TLS
123
124
125       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
126           CIDRs opened in GCE firewall for LB traffic proxy  health checks
127
128
129       --cluster=""
130           The name of the kubeconfig cluster to use
131
132
133       --container_hints="/etc/cadvisor/container_hints.json"
134           location of the container hints file
135
136
137       --containerd="unix:///var/run/containerd.sock"
138           containerd endpoint
139
140
141       --context=""
142           The name of the kubeconfig context to use
143
144
145       --default-not-ready-toleration-seconds=300
146           Indicates   the   tolerationSeconds   of   the    toleration    for
147       notReady:NoExecute  that is added by default to every pod that does not
148       already have such a toleration.
149
150
151       --default-unreachable-toleration-seconds=300
152           Indicates the tolerationSeconds  of  the  toleration  for  unreach‐
153       able:NoExecute  that  is  added  by  default to every pod that does not
154       already have such a toleration.
155
156
157       --docker="unix:///var/run/docker.sock"
158           docker endpoint
159
160
161       --docker-tls=false
162           use TLS to connect to docker
163
164
165       --docker-tls-ca="ca.pem"
166           path to trusted CA
167
168
169       --docker-tls-cert="cert.pem"
170           path to client certificate
171
172
173       --docker-tls-key="key.pem"
174           path to private key
175
176
177       --docker_env_metadata_whitelist=""
178           a comma-separated list of environment variable keys that  needs  to
179       be collected for docker containers
180
181
182       --docker_only=false
183           Only report docker containers in addition to root stats
184
185
186       --docker_root="/var/lib/docker"
187           DEPRECATED:  docker  root is read from docker info (this is a fall‐
188       back, default: /var/lib/docker)
189
190
191       --enable_load_reader=false
192           Whether to enable cpu load reader
193
194
195       --event_storage_age_limit="default=24h"
196           Max length of time for which to store events (per type). Value is a
197       comma  separated  list  of  key  values, where the keys are event types
198       (e.g.: creation, oom) or "default" and the value is a duration. Default
199       is applied to all non-specified event types
200
201
202       --event_storage_event_limit="default=100000"
203           Max  number  of  events to store (per type). Value is a comma sepa‐
204       rated list of key values, where the keys are event  types  (e.g.:  cre‐
205       ation,  oom)  or  "default"  and  the  value  is an integer. Default is
206       applied to all non-specified event types
207
208
209       --global_housekeeping_interval=0
210           Interval between global housekeepings
211
212
213       --housekeeping_interval=0
214           Interval between container housekeepings
215
216
217       --httptest.serve=""
218           if non-empty, httptest.NewServer serves on this address and blocks
219
220
221       --insecure-skip-tls-verify=false
222           If true, the server's certificate will not be checked for validity.
223       This will make your HTTPS connections insecure
224
225
226       --kubeconfig=""
227           Path to the kubeconfig file to use for CLI requests.
228
229
230       --log-flush-frequency=0
231           Maximum number of seconds between log flushes
232
233
234       --log_backtrace_at=:0
235           when logging hits line file:N, emit a stack trace
236
237
238       --log_cadvisor_usage=false
239           Whether to log the usage of the cAdvisor container
240
241
242       --log_dir=""
243           If non-empty, write log files in this directory
244
245
246       --logtostderr=true
247           log to standard error instead of files
248
249
250       --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
251           Comma-separated  list  of  files  to  check for machine-id. Use the
252       first one that exists.
253
254
255       --match-server-version=false
256           Require server version to match client version
257
258
259       -n, --namespace=""
260           If present, the namespace scope for this CLI request
261
262
263       --request-timeout="0"
264           The length of time to wait before giving  up  on  a  single  server
265       request. Non-zero values should contain a corresponding time unit (e.g.
266       1s, 2m, 3h). A value of zero means don't timeout requests.
267
268
269       -s, --server=""
270           The address and port of the Kubernetes API server
271
272
273       --stderrthreshold=2
274           logs at or above this threshold go to stderr
275
276
277       --storage_driver_buffer_duration=0
278           Writes in the storage driver will be buffered  for  this  duration,
279       and committed to the non memory backends as a single transaction
280
281
282       --storage_driver_db="cadvisor"
283           database name
284
285
286       --storage_driver_host="localhost:8086"
287           database host:port
288
289
290       --storage_driver_password="root"
291           database password
292
293
294       --storage_driver_secure=false
295           use secure connection with database
296
297
298       --storage_driver_table="stats"
299           table name
300
301
302       --storage_driver_user="root"
303           database username
304
305
306       --token=""
307           Bearer token for authentication to the API server
308
309
310       --user=""
311           The name of the kubeconfig user to use
312
313
314       -v, --v=0
315           log level for V logs
316
317
318       --version=false
319           Print version information and quit
320
321
322       --vmodule=
323           comma-separated  list  of pattern=N settings for file-filtered log‐
324       ging
325
326
327

SEE ALSO

329       oc-adm-ca(1),
330
331
332

HISTORY

334       June 2016, Ported from the Kubernetes man-doc generator
335
336
337
338Openshift                  Openshift CLI User Manuals             OC ADM CA(1)
Impressum