In order to use this scheme, the api-server needs to be started with the following switch:
--client-ca-file=<PATH_TO_CA_CERTIFICATE_FILE>
The CA_CERTIFICATE_FILE must contain one or more certificate authorities that can be used to validate client certificates presented to the api-server. The /CN (common name) of the client certificate is used as the username. Client certificates can also indicate a user's group memberships using the organization fields. To include multiple group memberships for a user, include multiple organization fields in the certificate. For example, using the openssl command-line tool to generate a certificate signing request:
$ openssl req -new -key user.pem -out user-csr.pem \