# Create the User Certificate

### Generate a Private Key

```
openssl genrsa -out <USERNAME>.key 2048
```

### Create a Certificate Signing Request

`CN` becomes the username. `O` becomes a group and is optional; a CSR with several `O` entries puts the user in several groups. Generate the key and CSR on the user's own machine so that only the CSR, never the private key, leaves it.

```
openssl req -new -key <USERNAME>.key -out <USERNAME>.csr -subj "/CN=<USERNAME>/O=<GROUP>"
```

{% hint style="info" %}
TIP\
If you do not need a group, omit `/O=<GROUP>` from the subject string.
{% endhint %}

### Base64-Encode the CSR

```
CSR_B64=$(openssl base64 -A -in <USERNAME>.csr)
```

### Submit the CSR to Kubernetes

```
kubectl delete certificatesigningrequest <USERNAME>-csr --ignore-not-found=true
```

```
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: <USERNAME>-csr
spec:
  request: ${CSR_B64}
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 31536000
  usages:
    - client auth
EOF
```

{% hint style="info" %}
Note: `expirationSeconds` is a requested lifetime. The signer ultimately controls the issued\
certificate lifetime. For `certificates.k8s.io/v1`, the minimum valid value is `600`, and the built-in `kubernetes.io/kube-apiserver-client` signer will not issue a certificate that outlives the kube-controller-manager's `--cluster-signing-duration` (default one year).
{% endhint %}

### Approve the CSR

Before approving, inspect the subject of the pending request: the `CN` and `O` values are the username and groups the API server will trust once the certificate is issued, so a request carrying a group such as `system:masters` must never be approved.

```
kubectl get csr <USERNAME>-csr -o jsonpath='{.spec.request}' | openssl base64 -d -A | openssl req -noout -subject
kubectl certificate approve <USERNAME>-csr
```

### Retrieve the Signed Certificate

```
kubectl get csr <USERNAME>-csr \
  -o jsonpath='{.status.certificate}' \
  | openssl base64 -d -A > <USERNAME>.crt
```

### Verify the Certificate

```
openssl x509 -in <USERNAME>.crt -noout -subject -dates
```

**Expected subject fields:**

* `CN=<USERNAME>`
* `O=<GROUP>` if you included a group

### Clean Up the CSR Object

```
kubectl delete certificatesigningrequest <USERNAME>-csr --ignore-not-found=true
```

**Generated files:**

<table><thead><tr><th width="197.83331298828125">File</th><th>Purpose</th></tr></thead><tbody><tr><td><code>&#x3C;USERNAME>.key</code></td><td>Private key. Keep it secret.</td></tr><tr><td><code>&#x3C;USERNAME>.csr</code></td><td>PKCS#10 certificate signing request</td></tr><tr><td><code>&#x3C;USERNAME>.crt</code></td><td>Signed client certificate</td></tr></tbody></table>
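The following script is an added example, not part of the original page: it runs the offline half of the procedure above (key, CSR, base64-encoded CSR manifest) as shell functions and adds the subject check an approver should perform before `kubectl certificate approve`. It assumes `openssl` is installed; `kubectl` is never called, so it runs without a cluster. The usernames `alice` and `mallory`, the group `dev`, and the rule that refuses any `system:` group are constructed for the example.

```shell
#!/bin/sh
# Added example: user key/CSR generation plus a pre-approval subject check.
# Assumes openssl is on PATH. kubectl is not used, so this runs offline.
set -eu

# gen_user_csr USERNAME GROUP DIR
# Writes DIR/USERNAME.key and DIR/USERNAME.csr. GROUP may be "" to omit O.
gen_user_csr() {
  user=$1; group=$2; dir=$3
  subj="/CN=${user}"
  if [ -n "$group" ]; then
    subj="${subj}/O=${group}"
  fi
  openssl genrsa -out "${dir}/${user}.key" 2048 2>/dev/null
  openssl req -new -key "${dir}/${user}.key" -out "${dir}/${user}.csr" -subj "$subj"
}

# dn_field NAME
# Reads a PEM CSR on stdin and prints DN attribute NAME (CN or O); empty if absent.
# RFC2253 output is stable across openssl versions: "subject=O=dev,CN=alice".
dn_field() {
  openssl req -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//' | tr ',' '\n' | sed -n "s/^$1=//p"
}

# csr_field CSRFILE NAME: same as dn_field, reading from a file.
csr_field() {
  dn_field "$2" < "$1"
}

# check_csr_subject CSRFILE USERNAME [GROUP]
# Returns 0 only if CN/O match what was intended and O is not a reserved
# "system:" group (system:masters is bound to cluster-admin). Example policy.
check_csr_subject() {
  csr=$1; want_user=$2; want_group=${3:-}
  cn=$(csr_field "$csr" CN)
  o=$(csr_field "$csr" O)
  if [ "$cn" != "$want_user" ]; then
    echo "CN mismatch: got '$cn', want '$want_user'" >&2; return 1
  fi
  if [ "$o" != "$want_group" ]; then
    echo "O mismatch: got '$o', want '$want_group'" >&2; return 1
  fi
  case "$o" in
    system:*) echo "refusing reserved group '$o'" >&2; return 1 ;;
  esac
  return 0
}

# build_csr_manifest USERNAME CSRFILE [EXPIRATION_SECONDS]
# Prints the certificates.k8s.io/v1 CertificateSigningRequest manifest.
build_csr_manifest() {
  user=$1; csr=$2; seconds=${3:-31536000}
  b64=$(openssl base64 -A -in "$csr")
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${user}-csr
spec:
  request: ${b64}
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: ${seconds}
  usages:
    - client auth
EOF
}

# manifest_request_field MANIFEST NAME
# The approver-side check: decode spec.request and read a DN attribute.
# On a live cluster the input is `kubectl get csr NAME -o jsonpath='{.spec.request}'`.
manifest_request_field() {
  sed -n 's/^  request: //p' "$1" | openssl base64 -d -A | dn_field "$2"
}

# Usage (user side):
#   gen_user_csr alice dev /tmp/pki
#   build_csr_manifest alice /tmp/pki/alice.csr > alice-csr.yaml   # then kubectl apply -f
# Usage (approver side, before kubectl certificate approve):
#   manifest_request_field alice-csr.yaml CN ; manifest_request_field alice-csr.yaml O
#   check_csr_subject /tmp/pki/alice.csr alice dev
```

`check_csr_subject` is the gate an approver should have in front of `kubectl certificate approve`: a client certificate's `O` is a group membership the API server will honour, so an unexpected group in the CSR is a privilege request, not a typo.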

