SSL基础:23:生成Kubernetes集群证书(OpenSSL方式)
发布日期:2021-06-30 20:15:38
使用 OpenSSL 提供的命令可以非常容易地生成创建 Kubernetes 集群所需要的证书。参照官方给出的示例方法,再结合前面文章中对 OpenSSL 用法的介绍,会发现 openssl 使用起来还是非常方便和简单的。
事前准备
[root@liumiaocn k8s]# openssl version
OpenSSL 1.1.1d 10 Sep 2019
[root@liumiaocn k8s]#
步骤1: 生成ca的私钥
注意:ca.key 可以签发集群所信任的任意证书,应限制其文件权限(仅所有者可读)并妥善离线保管;下面用 cat 直接显示私钥内容仅用于演示,实际环境中不要把私钥输出到日志或文档中。
执行命令:openssl genrsa -out ca.key 2048
[root@liumiaocn k8s]# ls[root@liumiaocn k8s]# openssl genrsa -out ca.key 2048Generating RSA private key, 2048 bit long modulus (2 primes)........................................+++++...............................................................................+++++e is 65537 (0x010001)[root@liumiaocn k8s]# lsca.key[root@liumiaocn k8s]# [root@liumiaocn k8s]# cat ca.key -----BEGIN RSA PRIVATE KEY-----MIIEowIBAAKCAQEAryNEmfVyzO/C8husAn/crU7CekP2WpepK2bVfhJZbpBtNS/pplQcgj8WZBDqb9b2ryLmFSaJ1GQ44ThcoQLTHV4EVcJGACcaUzZy/pzEvgNEoAzit9Ny/7i4AO2LoPbFgU35d3ckwAEx7DTPKdzgX7UeSG0FZ8FSWaqTSBk+K6IvW+bSZerqHOMuzumE/5Babll95CFOc7pBQklpkOEuwrX/1k2tgkVqzCC2z+RWXmKuPOegUepG/bBxQUhd7zbTSCvITE3dDoqb1DP9xbI0+q9jxiZyK4Z5hJZs9C4ma+8U4wC72Zo7m1w2M2WxgJxweNr7K5BEtM3MXVhT0bwVpQIDAQABAoIBAQCM+BdM0TrxZ/+DPvDKJj7rJJz3KuMNckuRirlHO9/OVeQBTqqD3eoAkGUmcFMzaFSxDaci2R1R3sXFyscMNqjVV4qnuLL9hnvzBL204VyfESRYq2aFzmYfHYDGBm5ARsEc3jVxim4DOjMDzFH/gTD8+F0CsPYL2Ji/YcQg4WigVxsBkoaTB45OCBEgkUsuwu+uvyLkx/62w5iU1J9kxWOX/5q/iqgmQOLiaagmPVRCg0jxwbSAnrl64WRFBueOJhT3NRewzcoA/klB4ho2om2RTXtgb/70E0ELjXLTEc+PxcIhogIpH95Kwu6fYLzezkAw4Y2PgkW2Pu16HVygtMnBAoGBAN4tMzqIe3Q2qFdRJ3LIaVpV9E9ZcF5PH5wttWzv2GA1knCpUSFElLlzyTotqpYxwyK9T0Jafd9rxhk7pW4SpXfDt9zBRsm99gh7zdOaSAzJIoHbk4kbKYgs01nYOh+iG+EQ3nfG2J5t1Q0mLoyTeHS3m/V2Ggjjid9PLaIX33IVAoGBAMnM1+IWuC0VDfXm3yz9NkGKFQ0OeX/92Lt4UhAQN6kiBdTDE+leyZQFmbt2AzXa7iMIZJbaBd//sgsoic9qDHotWx8vKcBAh7bENhmqdTxDEIQ5kuiUCcbIdefLM4ZZ6J+9XMUKcWgXwaHUz+3/YKQUg9cjplcbrszDar7HvUlRAoGAEroUm1ZtsXn57oI0pQQnfSnJkfaj9g8NRwjDRg9hWZqqYTykTf2N26PazkCTJF3FaOQ0Dg+6lF5tMCtK4mBH+jRRBxZzdQXB+y0USEW01P8PHYr4gJH9ijDdD7GeFJSBbRMS7V2hXJk9YAJb4hV8Dbp8NtBhmWY0dNIjson4l5ECgYAckyT+nrj1qUWQzGBNvo0wOp1AfAw4U3mdEiyMmb9H88lflz/6i7F/hEuAf/V0asvNqiKUOcsbLNnJOrRI6ntZ0ZJVmBgRYRHWj3IZsElpfxWXo49p34yC2V/Ysq1ZGOIXvHimbhQg6TxB7iCDUuYcVctVa3biXskhtYon+aCUAQKBgGnJ84m37oGuljoZuKSHDQAD16Bgtx9RkAprfUdI0QYIs48lnrOkM++pEtrAtTr1Bxnfh9XUpBdsMuTDM6SkwlBnaxqY6m0xhX+aQ20f26dgYQbjUUfhYS/bSLf3Ijv4mO796fhpx3jTthKZj3hniifeu9Qenx/PRnUNtuGVUjWs-----END 
RSA PRIVATE KEY-----[root@liumiaocn k8s]#
提取私钥中的公钥内容
[root@liumiaocn k8s]# openssl rsa -in ca.key -puboutwriting RSA key-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAryNEmfVyzO/C8husAn/crU7CekP2WpepK2bVfhJZbpBtNS/pplQcgj8WZBDqb9b2ryLmFSaJ1GQ44ThcoQLTHV4EVcJGACcaUzZy/pzEvgNEoAzit9Ny/7i4AO2LoPbFgU35d3ckwAEx7DTPKdzgX7UeSG0FZ8FSWaqTSBk+K6IvW+bSZerqHOMuzumE/5Babll95CFOc7pBQklpkOEuwrX/1k2tgkVqzCC2z+RWXmKuPOegUepG/bBxQUhd7zbTSCvITE3dDoqb1DP9xbI0+q9jxiZyK4Z5hJZs9C4ma+8U4wC72Zo7m1w2M2WxgJxweNr7K5BEtM3MXVhT0bwVpQIDAQAB-----END PUBLIC KEY-----[root@liumiaocn k8s]#
步骤2: 生成ca证书
执行命令:openssl req -x509 -new -nodes -key ca.key -subj "/CN=${MASTER_IP}" -days 10000 -out ca.crt
[root@liumiaocn k8s]# MASTER_IP=192.168.163.121
[root@liumiaocn k8s]# openssl req -x509 -new -nodes -key ca.key -subj "/CN=${MASTER_IP}" -days 10000 -out ca.crt
[root@liumiaocn k8s]# ls
ca.crt ca.key
[root@liumiaocn k8s]#
可以看到 issuer 与 subject 相同,这实际上就是一个自签名的证书(根证书)。另外 -days 10000 约为 27 年,生产环境中应考虑更短的有效期并规划证书轮换。
[root@liumiaocn k8s]# openssl x509 -in ca.crt -noout -issuer -subject -dates
issuer=CN = 192.168.163.121
subject=CN = 192.168.163.121
notBefore=Dec 15 06:14:00 2019 GMT
notAfter=May 2 06:14:00 2047 GMT
[root@liumiaocn k8s]#
步骤3: 生成server端私钥文件
执行命令:openssl genrsa -out server.key 2048
[root@liumiaocn k8s]# ls
ca.crt ca.key
[root@liumiaocn k8s]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..............+++++
..............................................................+++++
e is 65537 (0x010001)
[root@liumiaocn k8s]# ls
ca.crt ca.key server.key
[root@liumiaocn k8s]# file server.key
server.key: PEM RSA private key
[root@liumiaocn k8s]#
步骤4: 设定证书签名请求CSR文件的配置文件
注意:下面 v3_ext 段中的 keyUsage 只有 keyEncipherment 和 dataEncipherment,不含 digitalSignature;在使用 ECDHE 等需要服务端签名的密钥交换方式时,严格校验 keyUsage 的客户端可能会拒绝该证书,可按需补充 digitalSignature。
[root@liumiaocn k8s]# cat csr.conf 
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = CN
ST = LiaoNing 
L = DaLian
O = kubernetes
OU = kubernetes
CN = 192.168.163.121
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
IP.1 = 192.168.163.121
IP.2 = 10.254.0.1
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
[root@liumiaocn k8s]#
步骤5: 生成server端证书签名请求CSR文件
执行命令:openssl req -new -key server.key -out server.csr -config csr.conf
[root@liumiaocn k8s]# ls
ca.crt ca.key csr.conf server.key
[root@liumiaocn k8s]# openssl req -new -key server.key -out server.csr -config csr.conf
[root@liumiaocn k8s]# ls
ca.crt ca.key csr.conf server.csr server.key
[root@liumiaocn k8s]# file server.csr
server.csr: PEM certificate request
[root@liumiaocn k8s]#
步骤6: 生成server端证书
注意:openssl x509 -req 不会自动复制 CSR 中的扩展,证书里的 SAN、keyUsage 等扩展来自 -extfile csr.conf 中由 -extensions 指定的 v3_ext 段,因此 alt_names 必须在该段中被引用;-CAcreateserial 会在当前目录生成 ca.srl 序列号文件,后续签发应复用它以避免序列号重复。
执行命令:openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 10000 -extensions v3_ext -extfile csr.conf
[root@liumiaocn k8s]# ls
ca.crt ca.key csr.conf server.csr server.key
[root@liumiaocn k8s]# openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 10000 -extensions v3_ext -extfile csr.conf
Signature ok
subject=C = CN, ST = LiaoNing, L = DaLian, O = kubernetes, OU = kubernetes, CN = 192.168.163.121
Getting CA Private Key
[root@liumiaocn k8s]# ls
ca.crt ca.key ca.srl csr.conf server.crt server.csr server.key
[root@liumiaocn k8s]# file server.crt
server.crt: PEM certificate
[root@liumiaocn k8s]#
步骤7: 确认server证书信息
执行命令:openssl x509 -noout -text -in ./server.crt
[root@liumiaocn k8s]# openssl x509 -noout -text -in ./server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            54:e9:0e:67:55:c5:fb:b2:30:5d:9e:36:33:72:42:a2:74:32:ee:ac
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = 192.168.163.121
        Validity
            Not Before: Dec 15 06:27:11 2019 GMT
            Not After : May 2 06:27:11 2047 GMT
        Subject: C = CN, ST = LiaoNing, L = DaLian, O = kubernetes, OU = kubernetes, CN = 192.168.163.121
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b0:90:e9:74:1b:2f:94:8e:7d:d4:eb:12:ba:e2:
                    54:97:eb:bc:4e:05:00:20:6e:34:5b:1c:fb:bd:6e:
                    76:95:3e:e1:bf:c8:78:c6:c8:69:30:3e:40:a4:30:
                    f3:77:cc:ea:bc:0d:b6:2f:44:4f:a2:31:10:df:1a:
                    15:fe:78:79:76:96:1e:c5:21:cd:c4:95:10:d1:fd:
                    95:ed:87:26:5f:1d:e2:2f:d0:de:8f:65:8d:d2:d8:
                    e6:0f:f7:d1:e9:4a:1c:d6:e4:d0:bf:bc:33:ec:ea:
                    43:9c:08:2f:9a:9b:1a:9b:9f:de:80:69:a8:f2:cb:
                    21:eb:cc:bf:5f:bc:0d:64:da:a3:96:fd:2a:4e:8e:
                    60:59:c8:8c:f2:8b:ab:7c:28:1b:74:67:a6:0f:2c:
                    b1:4c:2e:8c:27:ce:8b:94:fa:66:3b:c6:9a:a7:1c:
                    1f:31:ae:47:24:70:06:43:d4:d1:4b:85:e9:58:fe:
                    b9:d7:6a:c2:bf:2b:53:53:ca:bb:47:97:b2:12:5e:
                    6a:e7:61:77:aa:e5:a5:db:fd:88:99:fa:d4:07:52:
                    55:42:de:f0:96:1e:da:51:f6:06:6c:a1:f4:d8:e6:
                    b1:fb:a3:f2:2c:d7:49:d1:45:c5:19:0e:81:4f:a9:
                    2f:78:60:0d:3d:e7:18:03:df:67:83:97:a2:38:48:
                    94:75
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:AF:FE:C3:A4:D6:FD:F0:4D:44:D3:B2:A0:AB:BA:60:AE:B9:DC:F6:58
                DirName:/CN=192.168.163.121
                serial:08:79:A5:DC:0A:28:3E:9A:5D:E8:97:E5:D6:D1:AE:52:DD:82:DD:DB

            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:192.168.163.121, IP Address:10.254.0.1
    Signature Algorithm: sha256WithRSAEncryption
         57:77:b3:9d:00:e5:d5:10:45:20:ef:8b:7d:dc:9a:26:e2:29:
         c9:be:fd:99:84:99:cd:df:58:36:b8:4a:98:92:46:49:7f:10:
         99:a3:9b:49:6d:7f:9d:28:2e:c3:8b:12:2b:0c:50:f2:60:1a:
         4b:d6:80:73:ec:bd:d7:82:fe:c4:b1:17:4b:2c:00:c3:ee:f1:
         8a:61:fb:c8:f6:77:11:f7:2f:37:8e:fc:35:1c:2a:53:1f:2b:
         2d:8a:71:d9:6d:fb:23:23:c1:8d:c0:fe:52:d6:d2:03:b8:46:
         58:48:fe:98:75:0f:f7:b3:35:90:c7:5a:39:83:6c:46:d3:4e:
         cd:4c:f9:5f:93:27:ae:a6:a4:68:e1:4e:cc:6f:b4:08:45:23:
         1e:f5:bb:71:5a:ae:59:50:56:e0:80:1b:4b:35:5a:71:ac:de:
         c5:98:f3:51:1f:ab:ea:74:f7:e4:64:78:7a:ea:67:e1:bd:00:
         b4:e9:6c:15:d7:b1:3f:6e:b4:e7:a3:bd:39:92:b3:da:0c:7f:
         24:ba:28:9d:dd:10:11:df:bd:4d:9b:0e:1e:93:bd:8e:9a:7e:
         98:c8:e4:b5:21:78:74:f9:a4:c4:88:e5:aa:0c:e9:a8:97:b4:
         53:5d:da:f0:66:d3:c0:b6:bc:bb:92:f5:35:c5:20:d0:bb:cf:
         61:7a:19:7a
[root@liumiaocn k8s]#
可以看到此证书的 issuer 正是 ca 证书的 subject(CN = 192.168.163.121),即该证书由 ca 签发;若要做完整的签名链校验,可执行 openssl verify -CAfile ca.crt server.crt 加以确认。
[root@liumiaocn k8s]# openssl x509 -noout -in ./server.crt -issuer -subject -dates
issuer=CN = 192.168.163.121
subject=C = CN, ST = LiaoNing, L = DaLian, O = kubernetes, OU = kubernetes, CN = 192.168.163.121
notBefore=Dec 15 06:27:11 2019 GMT
notAfter=May 2 06:27:11 2047 GMT
[root@liumiaocn k8s]#
另外,server 端证书中的公钥与 server.key 私钥导出的公钥完全一致,说明证书与私钥是匹配的:
[root@liumiaocn k8s]# openssl x509 -noout -in ./server.crt -pubkey-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsJDpdBsvlI591OsSuuJUl+u8TgUAIG40Wxz7vW52lT7hv8h4xshpMD5ApDDzd8zqvA22L0RPojEQ3xoV/nh5dpYexSHNxJUQ0f2V7YcmXx3iL9Dej2WN0tjmD/fR6Uoc1uTQv7wz7OpDnAgvmpsam5/egGmo8ssh68y/X7wNZNqjlv0qTo5gWciM8ourfCgbdGemDyyxTC6MJ86LlPpmO8aapxwfMa5HJHAGQ9TRS4XpWP6512rCvytTU8q7R5eyEl5q52F3quWl2/2ImfrUB1JVQt7wlh7aUfYGbKH02Oax+6PyLNdJ0UXFGQ6BT6kveGANPecYA99ng5eiOEiUdQIDAQAB-----END PUBLIC KEY-----[root@liumiaocn k8s]# [root@liumiaocn k8s]# openssl rsa -in server.key -puboutwriting RSA key-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsJDpdBsvlI591OsSuuJUl+u8TgUAIG40Wxz7vW52lT7hv8h4xshpMD5ApDDzd8zqvA22L0RPojEQ3xoV/nh5dpYexSHNxJUQ0f2V7YcmXx3iL9Dej2WN0tjmD/fR6Uoc1uTQv7wz7OpDnAgvmpsam5/egGmo8ssh68y/X7wNZNqjlv0qTo5gWciM8ourfCgbdGemDyyxTC6MJ86LlPpmO8aapxwfMa5HJHAGQ9TRS4XpWP6512rCvytTU8q7R5eyEl5q52F3quWl2/2ImfrUB1JVQt7wlh7aUfYGbKH02Oax+6PyLNdJ0UXFGQ6BT6kveGANPecYA99ng5eiOEiUdQIDAQAB-----END PUBLIC KEY-----[root@liumiaocn k8s]#
参考内容
https://kubernetes.io/docs/concepts/cluster-administration/certificates/
转载地址:https://liumiaocn.blog.csdn.net/article/details/103548086 如侵犯您的版权,请留言回复原文章的地址,我们会给您删除此文章,给您带来不便请您谅解!