I am trying to perform a fresh installation of RKE2. I've generated CSRs with proper DN (CN, O, etc.). I've sent the CSRs to my Certificate Authority (CA) for signing. I obviously don't have the key for the CA. I've copied the same CA certificate into /var/lib/rancher/rke2/server/tls (and the etcd sub-folder): as server-ca.crt, client-ca.crt, request-header-ca.crt, etcd/peer-ca.crt and etcd/server-ca.crt. To my dismay, when I start rke2-server, it looks for client-ca.key and, not finding it, proceeds to generate a new key and overwrites client-ca.crt. It does this for all the CAs, and re-generates all the API certificates. So all my certificates are now self-signed. Is there a command-line switch or a configuration parameter to prevent this? If there is not, is there a way for me to use my private CA without providing the key? Thank you!
It is not possible to generate ALL certificates before installation. RKE2 internally generates certificates for nodes and cluster components on demand, so it must act as a CA. You can use an existing root and intermediate CA that you do not have keys for, but you must provide the servers with CA certs and keys as described in the docs: https://docs.rke2.io/security/certificates#using-custom-ca-certificates
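The reply's point, as an added illustration that is not code from this thread or from the RKE2 project: RKE2 issues certificates on demand, so the server must hold a CA private key; the workable shape is an intermediate CA whose key stays on the server, signed by the root whose key you do not control. The script builds that file set with a constructed root so it runs offline, using the CA file names from the question; the intermediate-ca.* and root-ca.crt names, the subjects and the chain layout are assumptions of this example, not RKE2's documented format, so follow the linked docs for the real procedure.

```shell
#!/bin/sh
# Added example, not from this thread or the RKE2 project: build the file set the reply
# calls for, an intermediate CA (key held by the server) chained to a root whose key you
# do not hold. The root here is constructed so the script runs offline.
set -eu

CA_NAMES="server-ca client-ca request-header-ca etcd/peer-ca etcd/server-ca"  # names from the question

# issue_ca SUBJECT OUTPREFIX ISSUER_CRT ISSUER_KEY PATHLEN: key + CSR, signed as a CA by the issuer.
issue_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$2.key" -out "$2.csr" -subj "$1" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:%s\nkeyUsage=critical,keyCertSign,cRLSign\n' "$5" >"$2.ext"
  openssl x509 -req -in "$2.csr" -CA "$3" -CAkey "$4" -CAcreateserial -days 1825 -sha256 \
    -extfile "$2.ext" -out "$2.crt" >/dev/null 2>&1
}

# build_tls_dir WORKDIR: lay out WORKDIR/tls the way the question lays out
# /var/lib/rancher/rke2/server/tls. The chain layout is an assumption, not RKE2's documented format.
build_tls_dir() {
  root="$1/offline-root"; tls="$1/tls"
  mkdir -p "$tls/etcd"
  # Constructed stand-in for the external root CA. In the real setup you never see this key.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=Example Root CA/O=example" \
    -keyout "$root.key" -out "$root.crt" >/dev/null 2>&1
  # Intermediate: key and CSR made locally, CSR signed by the root (pathlen 1 so it may issue sub-CAs).
  issue_ca "/CN=RKE2 Intermediate CA/O=example" "$tls/intermediate-ca" "$root.crt" "$root.key" 1
  # One signing CA per purpose, each issued by the intermediate with pathlen 0 (leaf certs only).
  for ca in $CA_NAMES; do
    issue_ca "/CN=rke2-$(basename "$ca")/O=example" "$tls/$ca" "$tls/intermediate-ca.crt" "$tls/intermediate-ca.key" 0
    cat "$tls/intermediate-ca.crt" >>"$tls/$ca.crt"   # ship the chain with each CA cert
  done
  cp "$root.crt" "$tls/root-ca.crt"
}

# verify_tls_dir TLSDIR: what the server actually needs for every CA slot, a cert that
# chains to the root and a private key that matches it. Returns 1 on the first failure.
verify_tls_dir() {
  for ca in $CA_NAMES; do
    openssl verify -CAfile "$1/root-ca.crt" -untrusted "$1/intermediate-ca.crt" "$1/$ca.crt" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$1/$ca.crt" -pubkey -noout)" = "$(openssl pkey -in "$1/$ca.key" -pubout 2>/dev/null)" ] || return 1
  done
}

WORK="${WORK:-$(mktemp -d)}"
build_tls_dir "$WORK" && verify_tls_dir "$WORK/tls" && echo "custom CA layout verified under $WORK/tls"
```

Deleting any one .key from the result reproduces the situation in the question: the check fails for that slot, which is exactly the state in which rke2-server falls back to generating its own CA.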