Transforming Certificates
Firstly, because I always forget them given how rarely I need to do it, here is the sequence of commands needed to translate the .pfx-formatted web server certificate you got from your Windows certification authority into the .crt-and-unsecured-.key files you need to feed your reverse proxy. Traefik, in my case.
openssl pkcs12 -in harmony-2021.pfx -clcerts -nokeys -out harmony.arkane-systems.lan.crt
openssl pkcs12 -in harmony-2021.pfx -nocerts -out encrypted.key
openssl rsa -in encrypted.key -out harmony.arkane-systems.lan.key
rm encrypted.key
Updating Secrets
Secondly, there is no kubectl apply secret command that lets you update the secret storing these certificates for your Traefik ingress’s convenience, despite there being kubectl apply commands for updating most other things, including a command which allows you to apply entire files of updates at once, including the secrets in those files.
You saw it, right?
What you can do, however, is run kubectl create secret (which by itself can’t be used to update existing secrets) in dry run mode, get the yaml output, and then pipe that to the kubectl apply variant that updates whole files at once, telling it to get its input from stdin.
kubectl create secret tls harmony-wildcard-cert --cert=harmony.arkane-systems.lan.crt --key=harmony.arkane-systems.lan.key -n kube-public --dry-run=client -o yaml | kubectl apply -f -
This baroque and persistent-for-some-considerable-time workaround brought to you by the Unix mentality, folks. You have to give it to ‘em, for values of it equal to concussion.
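Both steps above as shell functions, an added example that is not from the original post: the PFX password comes from an environment variable instead of a prompt, the unencrypted key is written owner-readable only, and the conversion fails unless the extracted key matches the certificate. The function names and the PFX_PASS variable are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not the post author's script. Function names and PFX_PASS are assumed.

# cert_key_match CRT KEY: succeed only if KEY's public half is the one inside CRT.
cert_key_match() (
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || exit 1
    key_pub=$(openssl pkey -in "$2" -pubout) || exit 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
)

# pfx_to_pem PFX BASENAME: write BASENAME.crt and an unencrypted BASENAME.key.
# The password is read from the exported $PFX_PASS, so it is not passed on the command line.
pfx_to_pem() (
    pfx=$1
    base=$2
    : "${PFX_PASS:?export PFX_PASS first}"
    umask 077                    # output files are created 0600
    tmp=$(mktemp) || exit 1      # stands in for encrypted.key from the post
    if openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin env:PFX_PASS -out "$base.crt" &&
       openssl pkcs12 -in "$pfx" -nocerts -passin env:PFX_PASS -passout env:PFX_PASS -out "$tmp" &&
       openssl rsa -in "$tmp" -passin env:PFX_PASS -out "$base.key" &&
       cert_key_match "$base.crt" "$base.key"
    then rc=0
    else rc=1
    fi
    rm -f "$tmp"                 # remove the intermediate on success and on failure
    exit "$rc"
)

# apply_tls_secret NAME NAMESPACE BASENAME: create-or-update the TLS secret by
# piping the client-side dry run into kubectl apply, as in the post.
apply_tls_secret() {
    kubectl create secret tls "$1" --cert="$3.crt" --key="$3.key" -n "$2" \
        --dry-run=client -o yaml | kubectl apply -f -
}

# Usage with the names from the post:
#   read -rs PFX_PASS && export PFX_PASS
#   pfx_to_pem harmony-2021.pfx harmony.arkane-systems.lan &&
#       apply_tls_secret harmony-wildcard-cert kube-public harmony.arkane-systems.lan
#   unset PFX_PASS
```

Once the secret has been applied, the unencrypted .key file on disk is a second copy of the private key and can be deleted.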
A Personal Note
Thirdly, and relevant to the last one, the pry-bar in your office is not for debugging purposes. Specifically, it is not for cranial debugging purposes.
Yipes.
I don't know what's worse - that kluge, or the rigid-but-oh-so-easy (so long as you're doing it exactly the way the wizard designers imagined) solution that would have typified the Windows way of doing it many moons ago. (Yes, I do think both MS and the Unix folks got it wrong, why do you ask? :P )
This is kind of one of those "be glad the kluge is there, be furious that it was ever necessary" kind of moments, I suppose!