CFSSL: 证书管理工具:4:生成Kubernetes集群证书
发布日期:2021-06-30 20:15:40
浏览次数:2
分类:技术文章
本文共 12071 字,大约阅读时间需要 40 分钟。
使用CFSSL生成kubernetes集群创建所需要的证书非常简单,而且配置文件使用JSON也很容易理解,参照官方给的示例方法,进行示例创建。步骤1: 下载cfssl工具并设定权限
[root@liumiaocn cfssl]# curl -s -L -o cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64[root@liumiaocn cfssl]# curl -s -L -o cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64[root@liumiaocn cfssl]# curl -s -L -o cfssl-certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64[root@liumiaocn cfssl]# chmod +x cfssl*[root@liumiaocn cfssl]# lscfssl cfssl-certinfo cfssljson[root@liumiaocn cfssl]# ./cfssl versionVersion: 1.2.0Revision: devRuntime: go1.6[root@liumiaocn cfssl]#
步骤2: 初始化私钥和证书签名请求配置文件
执行命令:mkdir cert && cd cert
…/cfssl print-defaults config > config.json …/cfssl print-defaults csr > csr.json
[root@liumiaocn cfssl]# mkdir cert && cd cert[root@liumiaocn cert]# ../cfssl print-defaults config > config.json[root@liumiaocn cert]# ../cfssl print-defaults csr > csr.json[root@liumiaocn cert]# lsconfig.json csr.json[root@liumiaocn cert]# cat config.json { "signing": { "default": { "expiry": "168h" }, "profiles": { "www": { "expiry": "8760h", "usages": [ "signing", "key encipherment", "server auth" ] }, "client": { "expiry": "8760h", "usages": [ "signing", "key encipherment", "client auth" ] } } }}[root@liumiaocn cert]# cat csr.json { "CN": "example.net", "hosts": [ "example.net", "www.example.net" ], "key": { "algo": "ecdsa", "size": 256 }, "names": [ { "C": "US", "L": "CA", "ST": "San Francisco" } ]}[root@liumiaocn cert]#
步骤3: 创建CA证书所需要的配置文件
根据步骤2中生成的配置模版文件生成CA证书所需要的配置文件。
[root@liumiaocn cert]# mv config.json ca-config.json[root@liumiaocn cert]# vi ca-config.json [root@liumiaocn cert]# cat ca-config.json { "signing": { "default": { "expiry": "8760h" }, "profiles": { "kubernetes": { "usages": [ "signing", "key encipherment", "server auth", "client auth" ], "expiry": "8760h" } } }}[root@liumiaocn cert]#
步骤4: 证书签名请求的配置文件
根据步骤2生成的模版文件生成CA证书所需要的CSR证书签名请求的配置文件
[root@liumiaocn cert]# mv csr.json ca-csr.json[root@liumiaocn cert]# vi ca-csr.json [root@liumiaocn cert]# cat ca-csr.json { "CN": "kubernetes", "key": { "algo": "rsa", "size": 2048 }, "names":[{ "C": "CN", "ST": "LiaoNing", "L": "DaLian", "O": "kubernetes", "OU": "kubernetes" }]}[root@liumiaocn cert]#
步骤5: 生成CA私钥、CSR文件和CA证书
执行命令:…/cfssl gencert -initca ca-csr.json | …/cfssljson -bare ca
[root@liumiaocn cert]# lsca-config.json ca-csr.json[root@liumiaocn cert]# ../cfssl gencert -initca ca-csr.json | ../cfssljson -bare ca2019/12/15 08:19:58 [INFO] generating a new CA key and certificate from CSR2019/12/15 08:19:58 [INFO] generate received request2019/12/15 08:19:58 [INFO] received CSR2019/12/15 08:19:58 [INFO] generating key: rsa-20482019/12/15 08:19:58 [INFO] encoded CSR2019/12/15 08:19:58 [INFO] signed certificate with serial number 70459559078642252693355267095723608645726377632[root@liumiaocn cert]# lsca-config.json ca.csr ca-csr.json ca-key.pem ca.pem[root@liumiaocn cert]# file ca.csr ca-key.pem ca.pem ca.csr: PEM certificate requestca-key.pem: PEM RSA private keyca.pem: PEM certificate[root@liumiaocn cert]#
步骤6: 创建server端所需要的CSR配置文件
创建如下所需要的server端配置所需要的内容
[root@liumiaocn cert]# vi server-csr.json[root@liumiaocn cert]# cat server-csr.json { "CN": "kubernetes", "hosts": [ "127.0.0.1", "192.168.163.121", ".10.254.0.1", "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local" ], "key": { "algo": "rsa", "size": 2048 }, "names": [{ "C": "CN", "ST": "LiaoNing", "L": "DaLian", "O": "kubernetes", "OU": "kubernetes" }]}[root@liumiaocn cert]#
步骤7: 生成server端证书
执行命令:…/cfssl gencert -ca=ca.pem -ca-key=ca-key.pem
–config=ca-config.json -profile=kubernetes server-csr.json | …/cfssljson -bare server
[root@liumiaocn cert]# lsca-config.json ca.csr ca-csr.json ca-key.pem ca.pem server-csr.json[root@liumiaocn cert]# ../cfssl gencert -ca=ca.pem -ca-key=ca-key.pem \> --config=ca-config.json -profile=kubernetes \> server-csr.json | ../cfssljson -bare server2019/12/15 08:29:55 [INFO] generate received request2019/12/15 08:29:55 [INFO] received CSR2019/12/15 08:29:55 [INFO] generating key: rsa-20482019/12/15 08:29:56 [INFO] encoded CSR2019/12/15 08:29:56 [INFO] signed certificate with serial number 3379844524592180160323737563879359736675276805792019/12/15 08:29:56 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable forwebsites. For more information see the Baseline Requirements for the Issuance and Managementof Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);specifically, section 10.2.3 ("Information Requirements").[root@liumiaocn cert]# ls server*server.csr server-csr.json server-key.pem server.pem[root@liumiaocn cert]#
证书结果确认
[root@liumiaocn cert]# ../cfssl-certinfo -cert server.pem{ "subject": { "common_name": "kubernetes", "country": "CN", "organization": "kubernetes", "organizational_unit": "kubernetes", "locality": "DaLian", "province": "LiaoNing", "names": [ "CN", "LiaoNing", "DaLian", "kubernetes", "kubernetes", "kubernetes" ] }, "issuer": { "common_name": "kubernetes", "country": "CN", "organization": "kubernetes", "organizational_unit": "kubernetes", "locality": "DaLian", "province": "LiaoNing", "names": [ "CN", "LiaoNing", "DaLian", "kubernetes", "kubernetes", "kubernetes" ] }, "serial_number": "337984452459218016032373756387935973667527680579", "sans": [ ".10.254.0.1", "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local", "127.0.0.1", "192.168.163.121" ], "not_before": "2019-12-15T13:25:00Z", "not_after": "2020-12-14T13:25:00Z", "sigalg": "SHA256WithRSA", "authority_key_id": "3A:2E:15:93:5:72:D0:99:FF:F3:4F:D2:86:E8:14:E7:5D:B2:8:EA", "subject_key_id": "2:6C:A1:82:18:7F:47:55:F5:94:EE:BA:EF:11:A7:96:7F:52:DB:8B", "pem": "-----BEGIN CERTIFICATE-----\nMIIEljCCA36gAwIBAgIUOzO/PFQ1NhwjrD6adzmLs4XHYkMwDQYJKoZIhvcNAQEL\nBQAwcDELMAkGA1UEBhMCQ04xETAPBgNVBAgTCExpYW9OaW5nMQ8wDQYDVQQHEwZE\nYUxpYW4xEzARBgNVBAoTCmt1YmVybmV0ZXMxEzARBgNVBAsTCmt1YmVybmV0ZXMx\nEzARBgNVBAMTCmt1YmVybmV0ZXMwHhcNMTkxMjE1MTMyNTAwWhcNMjAxMjE0MTMy\nNTAwWjBwMQswCQYDVQQGEwJDTjERMA8GA1UECBMITGlhb05pbmcxDzANBgNVBAcT\nBkRhTGlhbjETMBEGA1UEChMKa3ViZXJuZXRlczETMBEGA1UECxMKa3ViZXJuZXRl\nczETMBEGA1UEAxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC\nAQoCggEBAMp6qS0hPYtxffzDTgyCAx+bygxlk5BgKKKMthatJnLMJn19GO1mKwcq\n8izsa7Ub1S3bSC6R/LjfT8QFA20t7RMrxd0PefihAYRrxnsoH0mGjJnNx+XrI+JG\nJnSdOKhKBBdp0oNvi5J/oG2mlAx+GCtrp6bU12G6rbc/DDR5zWfCieGrP42boCm+\nlk44MiGIAY9IKdlozxwGOAwNutI4D96XJClMa9nznv6uH97G6aGAmflucVXpZ3dP\nxvmmwzeNyXtyqdR63FklCFkM7tJI1mT4LVvgXGjEhJlH718nmLkXkH8aHqFsCWxK\nrRbnGybtw6fUqXmK2yVx6UzpXd3AdB0CAwEAAaOCASYwggEiMA4GA1UdDwEB/wQE\nAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIw\nADAdBgNVHQ4EFgQUAmyhghh/R1X1lO667xGnln9S24swHwYDVR0jBBgwFoAUOi4V\nkwVy0Jn/80/ShugU512yCOowgaIGA1UdEQSBmjCBl4ILLjEwLjI1NC4wLjGCCmt1\nYmVybmV0ZXOCEmt1YmVybmV0ZXMuZGVmYXVsdIIWa3ViZXJuZXRlcy5kZWZhdWx0\nLnN2Y4Iea3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVygiRrdWJlcm5ldGVz\nLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWyHBH8AAAGHBMCoo3kwDQYJKoZIhvcN\nAQELBQADggEBAL2wyCWLMA9S2k/nAuxNEzCaMjN65kR/YfhGhFGLRBlzB+5w4ACJ\nfddQT3VSbQM8ywYcgLzCw/xtRpM3PDMa3pKgCUcg0Xn1mhISTxWUaf6NfUimZlH1\nr+ukvl6F6ghcsRvyc3Cta56LYR6NT6Xa4vZ86jI5DSs6THgQ0/ZMhSvqm6a3QGFT\n+lmeg5Hh/YOdqsbzo9Z57jUEshH+1DVoChibKi80N9HGjPwRa3Rgj9NUq211Z0aN\nyWP3i5SluprugWq2/9hGibECHDUwyJWfNX9ZVyPVLMi3TM6pFU8RfVCY9Og+9d9X\ncIR0wGn7NunvLYqNRV163RIlOIQAI/oVz/U=\n-----END CERTIFICATE-----\n"}[root@liumiaocn cert]#
可以看到实际这是x509 v3格式的证书,也可以直接使用openssl命令确认证书的内容,只是显示的方式有所不同。
[root@liumiaocn cert]# openssl x509 -noout -in server.pem -textCertificate: Data: Version: 3 (0x2) Serial Number: 3b:33:bf:3c:54:35:36:1c:23:ac:3e:9a:77:39:8b:b3:85:c7:62:43 Signature Algorithm: sha256WithRSAEncryption Issuer: C = CN, ST = LiaoNing, L = DaLian, O = kubernetes, OU = kubernetes, CN = kubernetes Validity Not Before: Dec 15 13:25:00 2019 GMT Not After : Dec 14 13:25:00 2020 GMT Subject: C = CN, ST = LiaoNing, L = DaLian, O = kubernetes, OU = kubernetes, CN = kubernetes Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:ca:7a:a9:2d:21:3d:8b:71:7d:fc:c3:4e:0c:82: 03:1f:9b:ca:0c:65:93:90:60:28:a2:8c:b6:16:ad: 26:72:cc:26:7d:7d:18:ed:66:2b:07:2a:f2:2c:ec: 6b:b5:1b:d5:2d:db:48:2e:91:fc:b8:df:4f:c4:05: 03:6d:2d:ed:13:2b:c5:dd:0f:79:f8:a1:01:84:6b: c6:7b:28:1f:49:86:8c:99:cd:c7:e5:eb:23:e2:46: 26:74:9d:38:a8:4a:04:17:69:d2:83:6f:8b:92:7f: a0:6d:a6:94:0c:7e:18:2b:6b:a7:a6:d4:d7:61:ba: ad:b7:3f:0c:34:79:cd:67:c2:89:e1:ab:3f:8d:9b: a0:29:be:96:4e:38:32:21:88:01:8f:48:29:d9:68: cf:1c:06:38:0c:0d:ba:d2:38:0f:de:97:24:29:4c: 6b:d9:f3:9e:fe:ae:1f:de:c6:e9:a1:80:99:f9:6e: 71:55:e9:67:77:4f:c6:f9:a6:c3:37:8d:c9:7b:72: a9:d4:7a:dc:59:25:08:59:0c:ee:d2:48:d6:64:f8: 2d:5b:e0:5c:68:c4:84:99:47:ef:5f:27:98:b9:17: 90:7f:1a:1e:a1:6c:09:6c:4a:ad:16:e7:1b:26:ed: c3:a7:d4:a9:79:8a:db:25:71:e9:4c:e9:5d:dd:c0: 74:1d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Key Identifier: 02:6C:A1:82:18:7F:47:55:F5:94:EE:BA:EF:11:A7:96:7F:52:DB:8B X509v3 Authority Key Identifier: keyid:3A:2E:15:93:05:72:D0:99:FF:F3:4F:D2:86:E8:14:E7:5D:B2:08:EA X509v3 Subject Alternative Name: DNS:.10.254.0.1, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1, IP Address:192.168.163.121 Signature Algorithm: sha256WithRSAEncryption bd:b0:c8:25:8b:30:0f:52:da:4f:e7:02:ec:4d:13:30:9a:32: 33:7a:e6:44:7f:61:f8:46:84:51:8b:44:19:73:07:ee:70:e0: 00:89:7d:d7:50:4f:75:52:6d:03:3c:cb:06:1c:80:bc:c2:c3: fc:6d:46:93:37:3c:33:1a:de:92:a0:09:47:20:d1:79:f5:9a: 12:12:4f:15:94:69:fe:8d:7d:48:a6:66:51:f5:af:eb:a4:be: 5e:85:ea:08:5c:b1:1b:f2:73:70:ad:6b:9e:8b:61:1e:8d:4f: a5:da:e2:f6:7c:ea:32:39:0d:2b:3a:4c:78:10:d3:f6:4c:85: 2b:ea:9b:a6:b7:40:61:53:fa:59:9e:83:91:e1:fd:83:9d:aa: c6:f3:a3:d6:79:ee:35:04:b2:11:fe:d4:35:68:0a:18:9b:2a: 2f:34:37:d1:c6:8c:fc:11:6b:74:60:8f:d3:54:ab:6d:75:67: 46:8d:c9:63:f7:8b:94:a5:ba:9a:ee:81:6a:b6:ff:d8:46:89: b1:02:1c:35:30:c8:95:9f:35:7f:59:57:23:d5:2c:c8:b7:4c: ce:a9:15:4f:11:7d:50:98:f4:e8:3e:f5:df:57:70:84:74:c0: 69:fb:36:e9:ef:2d:8a:8d:45:5d:7a:dd:12:25:38:84:00:23: fa:15:cf:f5[root@liumiaocn cert]#
参考内容
https://kubernetes.io/docs/concepts/cluster-administration/certificates/
转载地址:https://liumiaocn.blog.csdn.net/article/details/103556278 如侵犯您的版权,请留言回复原文章的地址,我们会给您删除此文章,给您带来不便请您谅解!
发表评论
最新留言
表示我来过!
[***.240.166.169]2024年04月14日 09时02分00秒
关于作者
喝酒易醉,品茶养心,人生如梦,品茶悟道,何以解忧?唯有杜康!
-- 愿君每日到此一游!
推荐文章
sql注入总结学习
2019-04-30
leetcode46 全排列
2019-04-30
leetcode121 买卖股票的最佳时机
2019-04-30
leetcode 122 买卖股票的最佳时机II
2019-04-30
leetcode 309 最佳买卖股票含冷冻期
2019-04-30
leetcode 714 买卖股票的最佳时机含手续费
2019-04-30
leetcode3 无重复字符的最长子串
2019-04-30
leetcode 76 最小覆盖子串
2019-04-30
leetcode 1143. 最长公共子序列
2019-04-30
leetcode 83. 删除排序链表中的重复元素
2019-04-30
智能体 Intelligent Agent
2019-04-30
Network Compression网络压缩(一)
2019-04-30
GAN系列(零)—— GAN的发展(两条路线)
2019-04-30
Python 之 histogram直方图
2019-04-30
Python 之 Scatter散点图
2019-04-30
Python实现决策树 Desision Tree & 可视化
2019-04-30
决策树 Decision tree
2019-04-30
nominal和ordinal & 数据处理中四种基本数据类型
2019-04-30
Python 实现 Cross-validation
2019-04-30
Grid SearchCV(网格搜索)& Python实现
2019-04-30