SSL Basics: 23: Generating Kubernetes Cluster Certificates (the OpenSSL Way)
Published: 2021-06-30 20:15:38  Category: Technical articles



With the commands OpenSSL provides, the certificates needed to create a Kubernetes cluster are easy to generate. Following the example method in the official documentation, and combining it with the introduction to OpenSSL usage in the earlier articles of this series, you will find that openssl is in fact very convenient and simple to use.

Prerequisites

[root@liumiaocn k8s]# openssl version
OpenSSL 1.1.1d  10 Sep 2019
[root@liumiaocn k8s]#

Step 1: Generate the CA private key

Run: openssl genrsa -out ca.key 2048

[root@liumiaocn k8s]# ls
[root@liumiaocn k8s]# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
........................................+++++
...............................................................................+++++
e is 65537 (0x010001)
[root@liumiaocn k8s]# ls
ca.key
[root@liumiaocn k8s]#
[root@liumiaocn k8s]# cat ca.key
-----BEGIN RSA PRIVATE KEY-----
...(private key body omitted)...
-----END RSA PRIVATE KEY-----
[root@liumiaocn k8s]#

Extract the public key from the private key

[root@liumiaocn k8s]# openssl rsa -in ca.key -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAryNEmfVyzO/C8husAn/c
rU7CekP2WpepK2bVfhJZbpBtNS/pplQcgj8WZBDqb9b2ryLmFSaJ1GQ44ThcoQLT
HV4EVcJGACcaUzZy/pzEvgNEoAzit9Ny/7i4AO2LoPbFgU35d3ckwAEx7DTPKdzg
X7UeSG0FZ8FSWaqTSBk+K6IvW+bSZerqHOMuzumE/5Babll95CFOc7pBQklpkOEu
wrX/1k2tgkVqzCC2z+RWXmKuPOegUepG/bBxQUhd7zbTSCvITE3dDoqb1DP9xbI0
+q9jxiZyK4Z5hJZs9C4ma+8U4wC72Zo7m1w2M2WxgJxweNr7K5BEtM3MXVhT0bwV
pQIDAQAB
-----END PUBLIC KEY-----
[root@liumiaocn k8s]#

Step 2: Generate the CA certificate

Run: openssl req -x509 -new -nodes -key ca.key -subj "/CN=${MASTER_IP}" -days 10000 -out ca.crt

[root@liumiaocn k8s]# MASTER_IP=192.168.163.121
[root@liumiaocn k8s]# openssl req -x509 -new -nodes -key ca.key -subj "/CN=${MASTER_IP}" -days 10000 -out ca.crt
[root@liumiaocn k8s]# ls
ca.crt  ca.key
[root@liumiaocn k8s]#

As you can see, this is in fact a self-signed certificate: its issuer and subject are identical.

[root@liumiaocn k8s]# openssl x509 -in ca.crt -noout -issuer -subject -dates
issuer=CN = 192.168.163.121
subject=CN = 192.168.163.121
notBefore=Dec 15 06:14:00 2019 GMT
notAfter=May  2 06:14:00 2047 GMT
[root@liumiaocn k8s]#

Step 3: Generate the server private key

Run: openssl genrsa -out server.key 2048

[root@liumiaocn k8s]# ls
ca.crt  ca.key
[root@liumiaocn k8s]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..............+++++
..............................................................+++++
e is 65537 (0x010001)
[root@liumiaocn k8s]# ls
ca.crt  ca.key  server.key
[root@liumiaocn k8s]# file server.key
server.key: PEM RSA private key
[root@liumiaocn k8s]#

Step 4: Write the configuration file for the certificate signing request (CSR)

[root@liumiaocn k8s]# cat csr.conf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = CN
ST = LiaoNing
L = DaLian
O = kubernetes
OU = kubernetes
CN = 192.168.163.121

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
IP.1 = 192.168.163.121
IP.2 = 10.254.0.1

[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
[root@liumiaocn k8s]#

Step 5: Generate the server certificate signing request (CSR) file

Run: openssl req -new -key server.key -out server.csr -config csr.conf

[root@liumiaocn k8s]# ls
ca.crt  ca.key  csr.conf  server.key
[root@liumiaocn k8s]# openssl req -new -key server.key -out server.csr -config csr.conf
[root@liumiaocn k8s]# ls
ca.crt  ca.key  csr.conf  server.csr  server.key
[root@liumiaocn k8s]# file server.csr
server.csr: PEM certificate request
[root@liumiaocn k8s]#

Step 6: Generate the server certificate

Run: openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 10000 -extensions v3_ext -extfile csr.conf

[root@liumiaocn k8s]# ls
ca.crt  ca.key  csr.conf  server.csr  server.key
[root@liumiaocn k8s]# openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 10000 -extensions v3_ext -extfile csr.conf
Signature ok
subject=C = CN, ST = LiaoNing, L = DaLian, O = kubernetes, OU = kubernetes, CN = 192.168.163.121
Getting CA Private Key
[root@liumiaocn k8s]# ls
ca.crt  ca.key  ca.srl  csr.conf  server.crt  server.csr  server.key
[root@liumiaocn k8s]# file server.crt
server.crt: PEM certificate
[root@liumiaocn k8s]#

Step 7: Confirm the server certificate information

Run: openssl x509 -noout -text -in ./server.crt

[root@liumiaocn k8s]# openssl x509  -noout -text -in ./server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            54:e9:0e:67:55:c5:fb:b2:30:5d:9e:36:33:72:42:a2:74:32:ee:ac
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = 192.168.163.121
        Validity
            Not Before: Dec 15 06:27:11 2019 GMT
            Not After : May  2 06:27:11 2047 GMT
        Subject: C = CN, ST = LiaoNing, L = DaLian, O = kubernetes, OU = kubernetes, CN = 192.168.163.121
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b0:90:e9:74:1b:2f:94:8e:7d:d4:eb:12:ba:e2:
                    54:97:eb:bc:4e:05:00:20:6e:34:5b:1c:fb:bd:6e:
                    76:95:3e:e1:bf:c8:78:c6:c8:69:30:3e:40:a4:30:
                    f3:77:cc:ea:bc:0d:b6:2f:44:4f:a2:31:10:df:1a:
                    15:fe:78:79:76:96:1e:c5:21:cd:c4:95:10:d1:fd:
                    95:ed:87:26:5f:1d:e2:2f:d0:de:8f:65:8d:d2:d8:
                    e6:0f:f7:d1:e9:4a:1c:d6:e4:d0:bf:bc:33:ec:ea:
                    43:9c:08:2f:9a:9b:1a:9b:9f:de:80:69:a8:f2:cb:
                    21:eb:cc:bf:5f:bc:0d:64:da:a3:96:fd:2a:4e:8e:
                    60:59:c8:8c:f2:8b:ab:7c:28:1b:74:67:a6:0f:2c:
                    b1:4c:2e:8c:27:ce:8b:94:fa:66:3b:c6:9a:a7:1c:
                    1f:31:ae:47:24:70:06:43:d4:d1:4b:85:e9:58:fe:
                    b9:d7:6a:c2:bf:2b:53:53:ca:bb:47:97:b2:12:5e:
                    6a:e7:61:77:aa:e5:a5:db:fd:88:99:fa:d4:07:52:
                    55:42:de:f0:96:1e:da:51:f6:06:6c:a1:f4:d8:e6:
                    b1:fb:a3:f2:2c:d7:49:d1:45:c5:19:0e:81:4f:a9:
                    2f:78:60:0d:3d:e7:18:03:df:67:83:97:a2:38:48:
                    94:75
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:AF:FE:C3:A4:D6:FD:F0:4D:44:D3:B2:A0:AB:BA:60:AE:B9:DC:F6:58
                DirName:/CN=192.168.163.121
                serial:08:79:A5:DC:0A:28:3E:9A:5D:E8:97:E5:D6:D1:AE:52:DD:82:DD:DB

            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:192.168.163.121, IP Address:10.254.0.1
    Signature Algorithm: sha256WithRSAEncryption
         57:77:b3:9d:00:e5:d5:10:45:20:ef:8b:7d:dc:9a:26:e2:29:
         c9:be:fd:99:84:99:cd:df:58:36:b8:4a:98:92:46:49:7f:10:
         99:a3:9b:49:6d:7f:9d:28:2e:c3:8b:12:2b:0c:50:f2:60:1a:
         4b:d6:80:73:ec:bd:d7:82:fe:c4:b1:17:4b:2c:00:c3:ee:f1:
         8a:61:fb:c8:f6:77:11:f7:2f:37:8e:fc:35:1c:2a:53:1f:2b:
         2d:8a:71:d9:6d:fb:23:23:c1:8d:c0:fe:52:d6:d2:03:b8:46:
         58:48:fe:98:75:0f:f7:b3:35:90:c7:5a:39:83:6c:46:d3:4e:
         cd:4c:f9:5f:93:27:ae:a6:a4:68:e1:4e:cc:6f:b4:08:45:23:
         1e:f5:bb:71:5a:ae:59:50:56:e0:80:1b:4b:35:5a:71:ac:de:
         c5:98:f3:51:1f:ab:ea:74:f7:e4:64:78:7a:ea:67:e1:bd:00:
         b4:e9:6c:15:d7:b1:3f:6e:b4:e7:a3:bd:39:92:b3:da:0c:7f:
         24:ba:28:9d:dd:10:11:df:bd:4d:9b:0e:1e:93:bd:8e:9a:7e:
         98:c8:e4:b5:21:78:74:f9:a4:c4:88:e5:aa:0c:e9:a8:97:b4:
         53:5d:da:f0:66:d3:c0:b6:bc:bb:92:f5:35:c5:20:d0:bb:cf:
         61:7a:19:7a
[root@liumiaocn k8s]#

As you can see, the issuer of this certificate is indeed the CA.

[root@liumiaocn k8s]# openssl x509  -noout -in ./server.crt -issuer -subject -dates
issuer=CN = 192.168.163.121
subject=C = CN, ST = LiaoNing, L = DaLian, O = kubernetes, OU = kubernetes, CN = 192.168.163.121
notBefore=Dec 15 06:27:11 2019 GMT
notAfter=May  2 06:27:11 2047 GMT
[root@liumiaocn k8s]#

In addition, the public key contained in the server certificate matches the server.key private key.

[root@liumiaocn k8s]# openssl x509  -noout -in ./server.crt -pubkey
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsJDpdBsvlI591OsSuuJU
l+u8TgUAIG40Wxz7vW52lT7hv8h4xshpMD5ApDDzd8zqvA22L0RPojEQ3xoV/nh5
dpYexSHNxJUQ0f2V7YcmXx3iL9Dej2WN0tjmD/fR6Uoc1uTQv7wz7OpDnAgvmpsa
m5/egGmo8ssh68y/X7wNZNqjlv0qTo5gWciM8ourfCgbdGemDyyxTC6MJ86LlPpm
O8aapxwfMa5HJHAGQ9TRS4XpWP6512rCvytTU8q7R5eyEl5q52F3quWl2/2ImfrU
B1JVQt7wlh7aUfYGbKH02Oax+6PyLNdJ0UXFGQ6BT6kveGANPecYA99ng5eiOEiU
dQIDAQAB
-----END PUBLIC KEY-----
[root@liumiaocn k8s]#
[root@liumiaocn k8s]# openssl rsa -in server.key -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsJDpdBsvlI591OsSuuJU
l+u8TgUAIG40Wxz7vW52lT7hv8h4xshpMD5ApDDzd8zqvA22L0RPojEQ3xoV/nh5
dpYexSHNxJUQ0f2V7YcmXx3iL9Dej2WN0tjmD/fR6Uoc1uTQv7wz7OpDnAgvmpsa
m5/egGmo8ssh68y/X7wNZNqjlv0qTo5gWciM8ourfCgbdGemDyyxTC6MJ86LlPpm
O8aapxwfMa5HJHAGQ9TRS4XpWP6512rCvytTU8q7R5eyEl5q52F3quWl2/2ImfrU
B1JVQt7wlh7aUfYGbKH02Oax+6PyLNdJ0UXFGQ6BT6kveGANPecYA99ng5eiOEiU
dQIDAQAB
-----END PUBLIC KEY-----
[root@liumiaocn k8s]#
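The seven steps above, collected into one script and followed by the checks a practitioner would run before handing the files to kube-apiserver. This is an added example, not code from the original post or from the Kubernetes documentation it follows. Assumptions of mine: the work directory is passed as the first argument, MASTER_IP and SERVICE_IP default to the post's addresses, and step 2 is given an added [ v3_ca ] extension section so that the CA certificate carries basicConstraints CA:TRUE whether or not the system openssl.cnf supplies it (the post's bare `openssl req -x509` relies on the default config for that). The checks go beyond eyeballing the two PEM blobs: `openssl verify` confirms the signature chain, a SHA-256 digest of the DER public key confirms the key pair, and a text search confirms the SANs the API server will be reached by.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's steps 1 to 7 as
# one script, followed by the checks worth running before handing the files
# to kube-apiserver. Assumptions (mine, not the post's): the work directory
# is passed as "$1"; MASTER_IP and SERVICE_IP default to the post's addresses;
# step 2 takes its extensions from an added [ v3_ca ] section so the CA
# certificate carries basicConstraints CA:TRUE regardless of the system openssl.cnf.
set -eu

MASTER_IP="${MASTER_IP:-192.168.163.121}"
SERVICE_IP="${SERVICE_IP:-10.254.0.1}"   # cluster IP of the "kubernetes" service

# Step 4 of the post (plus the added [ v3_ca ] section), written to "$1/csr.conf".
write_csr_conf() {
  cat > "$1/csr.conf" <<EOF
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = CN
ST = LiaoNing
L = DaLian
O = kubernetes
OU = kubernetes
CN = ${MASTER_IP}
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
IP.1 = ${MASTER_IP}
IP.2 = ${SERVICE_IP}
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
[ v3_ca ]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
}

# Steps 1, 2, 3, 5 and 6 of the post, run inside directory "$1".
generate_certs() {
  write_csr_conf "$1"
  (
    cd "$1"
    openssl genrsa -out ca.key 2048 2>/dev/null                             # step 1
    openssl req -x509 -new -nodes -key ca.key -subj "/CN=${MASTER_IP}" \
      -days 10000 -out ca.crt -config csr.conf -extensions v3_ca            # step 2
    openssl genrsa -out server.key 2048 2>/dev/null                         # step 3
    openssl req -new -key server.key -out server.csr -config csr.conf       # step 5
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -out server.crt -days 10000 -extensions v3_ext -extfile csr.conf 2>/dev/null  # step 6
  )
}

# Check 1: server.crt chains to ca.crt cryptographically, not just by issuer name.
verify_chain() {
  ( cd "$1" && openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1 )
}

# Check 2: the public key in server.crt is the one derived from server.key.
# Comparing SHA-256 digests of the DER public keys replaces eyeballing two PEM blobs.
pubkey_matches() {
  cert_fp=$(cd "$1" && openssl x509 -in server.crt -noout -pubkey |
            openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_fp=$(cd "$1" && openssl pkey -in server.key -pubout -outform DER |
           openssl dgst -sha256)
  [ "$cert_fp" = "$key_fp" ]
}

# Check 3: a name or address the API server is reached by is present as a SAN;
# "$2" is the literal text as printed by "openssl x509 -text", e.g. "DNS:kubernetes".
has_san() {
  ( cd "$1" && openssl x509 -in server.crt -noout -text | grep -qF -- "$2" )
}

# Stand-alone use:  sh k8s-certs.sh run
if [ "${1:-}" = "run" ]; then
  WORKDIR=$(mktemp -d)
  generate_certs "$WORKDIR"
  verify_chain "$WORKDIR" && echo "server.crt verifies against ca.crt"
  pubkey_matches "$WORKDIR" && echo "server.crt public key matches server.key"
  has_san "$WORKDIR" "DNS:kubernetes.default.svc.cluster.local" && echo "cluster-local SAN present"
  echo "files written to $WORKDIR"
fi
```

Two points worth keeping in mind when adapting this. First, `openssl verify` (and Go-based consumers such as kube-apiserver) reject a chain whose root lacks basicConstraints CA:TRUE, which is why the script gives step 2 its own extension section instead of trusting whatever openssl.cnf happens to be installed. Second, the `keyUsage` line in [ v3_ext ] is copied from the post unchanged; with ECDHE cipher suites the server key signs the TLS handshake, which RFC 5280 maps to digitalSignature, so adding that bit to keyUsage is harmless and avoids strict clients rejecting the certificate.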

References

https://kubernetes.io/docs/concepts/cluster-administration/certificates/


