Why is the client private key required to communicate with the kube api server?

kube api server uses ca.crt to decrypt the admin.crt to make sure the request is coming from the valid client. Then what is the use of admin.key to the kube-api server?

Hi @dnpuneeth3

ca.crt is not used in any decryption. It is used to verify the authenticity of admin.crt.

admin.crt contains a public key which is used to encrypt data being returned to kubectl. kubectl then uses the private key in admin.key to decrypt that data.

How is the authenticity of admin.crt verified by ca.crt?

I can’t go into the mathematics of cryptography because I don’t understand it either, but suffice to say, a certificate must be issued from a certificate authority, and that authority is represented by a CA certificate. Using standard software you can determine that a given certificate (admin.crt) was issued by a given authority (ca.crt).

It is the mechanism by which HTTPS works.

Search Google for Public Key Infrastructure to find detailed explanations.


But wouldn’t sending both public and private keys with the request make it vulnerable?

Private key is not sent with the request. It is used to encrypt requests that are sent to the server during the negotiation phase.

https://www.cloudflare.com/en-gb/learning/access-management/what-is-mutual-tls/
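The two points discussed in this thread, checking that admin.crt was issued by ca.crt and using admin.key without ever sending it, can be reproduced with openssl. This is an added example, not part of the original thread: the `demo-ca` and `demo-admin` subjects, the temporary directory and the challenge string are constructed, and the signed challenge stands in for the handshake data a TLS client signs.

```shell
#!/usr/bin/env bash
# Added example. File names mirror the thread (ca.crt, admin.crt, admin.key);
# subjects, paths and the challenge are constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_pki() {
  # Cluster CA: self-signed certificate plus its own private key.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # Client: admin.key is generated locally; only the CSR (public key + name) goes to the CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-admin" \
    -keyout "$WORK/admin.key" -out "$WORK/admin.csr" 2>/dev/null
  # The CA signs the CSR with ca.key, producing admin.crt.
  openssl x509 -req -in "$WORK/admin.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/admin.crt" 2>/dev/null
}

# Server side: was this certificate signed by this CA? Needs only ca.crt (public data).
issued_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Client side: sign a challenge with the private key. Only the signature leaves the client.
sign_challenge() { openssl dgst -sha256 -sign "$1" -out "$3" "$2"; }

# Server side: check the signature with the public key embedded in the certificate.
proves_possession() {
  openssl x509 -in "$1" -pubkey -noout > "$WORK/cert.pub"
  openssl dgst -sha256 -verify "$WORK/cert.pub" -signature "$3" "$2" >/dev/null 2>&1
}

make_pki
printf 'constructed-challenge-%s' "$(date +%s)" > "$WORK/challenge"
sign_challenge "$WORK/admin.key" "$WORK/challenge" "$WORK/sig"
issued_by "$WORK/ca.crt" "$WORK/admin.crt" && echo "admin.crt was issued by ca.crt"
proves_possession "$WORK/admin.crt" "$WORK/challenge" "$WORK/sig" \
  && echo "signature matches admin.crt: sender holds admin.key"

# Holding a copy of admin.crt without admin.key is not enough.
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
sign_challenge "$WORK/other.key" "$WORK/challenge" "$WORK/bad.sig"
proves_possession "$WORK/admin.crt" "$WORK/challenge" "$WORK/bad.sig" \
  || echo "signature from a different key rejected"
```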