本文共 12071 字，大约阅读时间需要 40 分钟。

步骤1: 下载cfssl工具并设定权限

[root@liumiaocn cfssl]# curl -s -L -o cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64[root@liumiaocn cfssl]# curl -s -L -o cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64[root@liumiaocn cfssl]# curl -s -L -o cfssl-certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64[root@liumiaocn cfssl]# chmod +x cfssl*[root@liumiaocn cfssl]# lscfssl  cfssl-certinfo  cfssljson[root@liumiaocn cfssl]# ./cfssl versionVersion: 1.2.0Revision: devRuntime: go1.6[root@liumiaocn cfssl]#

步骤2: 初始化私钥和证书签名请求配置文件

执行命令：mkdir cert && cd cert

…/cfssl print-defaults config > config.json

…/cfssl print-defaults csr > csr.json

[root@liumiaocn cfssl]# mkdir cert && cd cert[root@liumiaocn cert]# ../cfssl print-defaults config > config.json[root@liumiaocn cert]# ../cfssl print-defaults csr > csr.json[root@liumiaocn cert]# lsconfig.json  csr.json[root@liumiaocn cert]# cat config.json {
       "signing": {
           "default": {
               "expiry": "168h"        },        "profiles": {
               "www": {
                   "expiry": "8760h",                "usages": [                    "signing",                    "key encipherment",                    "server auth"                ]            },            "client": {
                   "expiry": "8760h",                "usages": [                    "signing",                    "key encipherment",                    "client auth"                ]            }        }    }}[root@liumiaocn cert]# cat csr.json {
       "CN": "example.net",    "hosts": [        "example.net",        "www.example.net"    ],    "key": {
           "algo": "ecdsa",        "size": 256    },    "names": [        {
               "C": "US",            "L": "CA",            "ST": "San Francisco"        }    ]}[root@liumiaocn cert]#

步骤3: 创建CA证书所需要的配置文件

根据步骤2中生成的配置模版文件生成CA证书所需要的配置文件。

[root@liumiaocn cert]# mv config.json ca-config.json[root@liumiaocn cert]# vi ca-config.json [root@liumiaocn cert]# cat ca-config.json {  "signing": {    "default": {      "expiry": "8760h"    },    "profiles": {      "kubernetes": {        "usages": [          "signing",          "key encipherment",          "server auth",          "client auth"        ],        "expiry": "8760h"      }    }  }}[root@liumiaocn cert]#

步骤4: 证书签名请求的配置文件

根据步骤2生成的模版文件生成CA证书所需要的CSR证书签名请求的配置文件

[root@liumiaocn cert]# mv csr.json ca-csr.json[root@liumiaocn cert]# vi ca-csr.json [root@liumiaocn cert]# cat ca-csr.json {  "CN": "kubernetes",  "key": {    "algo": "rsa",    "size": 2048  },  "names":[{    "C": "CN",    "ST": "LiaoNing",    "L": "DaLian",    "O": "kubernetes",    "OU": "kubernetes"  }]}[root@liumiaocn cert]#

步骤5: 生成CA私钥、CSR文件和CA证书

执行命令：…/cfssl gencert -initca ca-csr.json | …/cfssljson -bare ca

[root@liumiaocn cert]# lsca-config.json  ca-csr.json[root@liumiaocn cert]# ../cfssl gencert -initca ca-csr.json | ../cfssljson -bare ca2019/12/15 08:19:58 [INFO] generating a new CA key and certificate from CSR2019/12/15 08:19:58 [INFO] generate received request2019/12/15 08:19:58 [INFO] received CSR2019/12/15 08:19:58 [INFO] generating key: rsa-20482019/12/15 08:19:58 [INFO] encoded CSR2019/12/15 08:19:58 [INFO] signed certificate with serial number 70459559078642252693355267095723608645726377632[root@liumiaocn cert]# lsca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem[root@liumiaocn cert]# file ca.csr ca-key.pem ca.pem ca.csr:     PEM certificate requestca-key.pem: PEM RSA private keyca.pem:     PEM certificate[root@liumiaocn cert]#

步骤6: 创建server端所需要的CSR配置文件

创建如下所需要的server端配置所需要的内容

[root@liumiaocn cert]# vi server-csr.json[root@liumiaocn cert]# cat server-csr.json {
     "CN": "kubernetes",  "hosts": [    "127.0.0.1",    "192.168.163.121",    ".10.254.0.1",    "kubernetes",    "kubernetes.default",    "kubernetes.default.svc",    "kubernetes.default.svc.cluster",    "kubernetes.default.svc.cluster.local"  ],  "key": {
       "algo": "rsa",    "size": 2048  },  "names": [{
       "C": "CN",    "ST": "LiaoNing",    "L": "DaLian",    "O": "kubernetes",    "OU": "kubernetes"  }]}[root@liumiaocn cert]#

步骤7: 生成server端证书

执行命令：…/cfssl gencert -ca=ca.pem -ca-key=ca-key.pem

–config=ca-config.json -profile=kubernetes

server-csr.json | …/cfssljson -bare server

[root@liumiaocn cert]# lsca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem  server-csr.json[root@liumiaocn cert]# ../cfssl gencert -ca=ca.pem -ca-key=ca-key.pem \> --config=ca-config.json -profile=kubernetes \> server-csr.json | ../cfssljson -bare server2019/12/15 08:29:55 [INFO] generate received request2019/12/15 08:29:55 [INFO] received CSR2019/12/15 08:29:55 [INFO] generating key: rsa-20482019/12/15 08:29:56 [INFO] encoded CSR2019/12/15 08:29:56 [INFO] signed certificate with serial number 3379844524592180160323737563879359736675276805792019/12/15 08:29:56 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable forwebsites. For more information see the Baseline Requirements for the Issuance and Managementof Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);specifically, section 10.2.3 ("Information Requirements").[root@liumiaocn cert]# ls server*server.csr  server-csr.json  server-key.pem  server.pem[root@liumiaocn cert]#

证书结果确认

[root@liumiaocn cert]# ../cfssl-certinfo -cert server.pem{  "subject": {    "common_name": "kubernetes",    "country": "CN",    "organization": "kubernetes",    "organizational_unit": "kubernetes",    "locality": "DaLian",    "province": "LiaoNing",    "names": [      "CN",      "LiaoNing",      "DaLian",      "kubernetes",      "kubernetes",      "kubernetes"    ]  },  "issuer": {    "common_name": "kubernetes",    "country": "CN",    "organization": "kubernetes",    "organizational_unit": "kubernetes",    "locality": "DaLian",    "province": "LiaoNing",    "names": [      "CN",      "LiaoNing",      "DaLian",      "kubernetes",      "kubernetes",      "kubernetes"    ]  },  "serial_number": "337984452459218016032373756387935973667527680579",  "sans": [    ".10.254.0.1",    "kubernetes",    "kubernetes.default",    "kubernetes.default.svc",    "kubernetes.default.svc.cluster",    "kubernetes.default.svc.cluster.local",    "127.0.0.1",    "192.168.163.121"  ],  "not_before": "2019-12-15T13:25:00Z",  "not_after": "2020-12-14T13:25:00Z",  "sigalg": "SHA256WithRSA",  "authority_key_id": "3A:2E:15:93:5:72:D0:99:FF:F3:4F:D2:86:E8:14:E7:5D:B2:8:EA",  "subject_key_id": "2:6C:A1:82:18:7F:47:55:F5:94:EE:BA:EF:11:A7:96:7F:52:DB:8B",  "pem": "-----BEGIN CERTIFICATE-----\nMIIEljCCA36gAwIBAgIUOzO/PFQ1NhwjrD6adzmLs4XHYkMwDQYJKoZIhvcNAQEL\nBQAwcDELMAkGA1UEBhMCQ04xETAPBgNVBAgTCExpYW9OaW5nMQ8wDQYDVQQHEwZE\nYUxpYW4xEzARBgNVBAoTCmt1YmVybmV0ZXMxEzARBgNVBAsTCmt1YmVybmV0ZXMx\nEzARBgNVBAMTCmt1YmVybmV0ZXMwHhcNMTkxMjE1MTMyNTAwWhcNMjAxMjE0MTMy\nNTAwWjBwMQswCQYDVQQGEwJDTjERMA8GA1UECBMITGlhb05pbmcxDzANBgNVBAcT\nBkRhTGlhbjETMBEGA1UEChMKa3ViZXJuZXRlczETMBEGA1UECxMKa3ViZXJuZXRl\nczETMBEGA1UEAxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC\nAQoCggEBAMp6qS0hPYtxffzDTgyCAx+bygxlk5BgKKKMthatJnLMJn19GO1mKwcq\n8izsa7Ub1S3bSC6R/LjfT8QFA20t7RMrxd0PefihAYRrxnsoH0mGjJnNx+XrI+JG\nJnSdOKhKBBdp0oNvi5J/oG2mlAx+GCtrp6bU12G6rbc/DDR5zWfCieGrP42boCm+\nlk44MiGIAY9IKdlozxwGOAwNutI4D96XJClMa9nznv6uH97G6aGAmflucVXpZ3dP\nxvmmwzeNyXtyqdR63FklCFkM7tJI1mT4LVvgXGjEhJlH718nmLkXkH8aHqFsCWxK\nrRbnGybtw6fUqXmK2yVx6UzpXd3AdB0CAwEAAaOCASYwggEiMA4GA1UdDwEB/wQE\nAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIw\nADAdBgNVHQ4EFgQUAmyhghh/R1X1lO667xGnln9S24swHwYDVR0jBBgwFoAUOi4V\nkwVy0Jn/80/ShugU512yCOowgaIGA1UdEQSBmjCBl4ILLjEwLjI1NC4wLjGCCmt1\nYmVybmV0ZXOCEmt1YmVybmV0ZXMuZGVmYXVsdIIWa3ViZXJuZXRlcy5kZWZhdWx0\nLnN2Y4Iea3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVygiRrdWJlcm5ldGVz\nLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWyHBH8AAAGHBMCoo3kwDQYJKoZIhvcN\nAQELBQADggEBAL2wyCWLMA9S2k/nAuxNEzCaMjN65kR/YfhGhFGLRBlzB+5w4ACJ\nfddQT3VSbQM8ywYcgLzCw/xtRpM3PDMa3pKgCUcg0Xn1mhISTxWUaf6NfUimZlH1\nr+ukvl6F6ghcsRvyc3Cta56LYR6NT6Xa4vZ86jI5DSs6THgQ0/ZMhSvqm6a3QGFT\n+lmeg5Hh/YOdqsbzo9Z57jUEshH+1DVoChibKi80N9HGjPwRa3Rgj9NUq211Z0aN\nyWP3i5SluprugWq2/9hGibECHDUwyJWfNX9ZVyPVLMi3TM6pFU8RfVCY9Og+9d9X\ncIR0wGn7NunvLYqNRV163RIlOIQAI/oVz/U=\n-----END CERTIFICATE-----\n"}[root@liumiaocn cert]#

可以看到实际这是x509 v3格式的证书，也可以直接使用openssl命令确认证书的内容，只是显示的方式有所不同。

[root@liumiaocn cert]# openssl x509 -noout -in server.pem -textCertificate:    Data:        Version: 3 (0x2)        Serial Number:            3b:33:bf:3c:54:35:36:1c:23:ac:3e:9a:77:39:8b:b3:85:c7:62:43        Signature Algorithm: sha256WithRSAEncryption        Issuer: C = CN, ST = LiaoNing, L = DaLian, O = kubernetes, OU = kubernetes, CN = kubernetes        Validity            Not Before: Dec 15 13:25:00 2019 GMT            Not After : Dec 14 13:25:00 2020 GMT        Subject: C = CN, ST = LiaoNing, L = DaLian, O = kubernetes, OU = kubernetes, CN = kubernetes        Subject Public Key Info:            Public Key Algorithm: rsaEncryption                RSA Public-Key: (2048 bit)                Modulus:                    00:ca:7a:a9:2d:21:3d:8b:71:7d:fc:c3:4e:0c:82:                    03:1f:9b:ca:0c:65:93:90:60:28:a2:8c:b6:16:ad:                    26:72:cc:26:7d:7d:18:ed:66:2b:07:2a:f2:2c:ec:                    6b:b5:1b:d5:2d:db:48:2e:91:fc:b8:df:4f:c4:05:                    03:6d:2d:ed:13:2b:c5:dd:0f:79:f8:a1:01:84:6b:                    c6:7b:28:1f:49:86:8c:99:cd:c7:e5:eb:23:e2:46:                    26:74:9d:38:a8:4a:04:17:69:d2:83:6f:8b:92:7f:                    a0:6d:a6:94:0c:7e:18:2b:6b:a7:a6:d4:d7:61:ba:                    ad:b7:3f:0c:34:79:cd:67:c2:89:e1:ab:3f:8d:9b:                    a0:29:be:96:4e:38:32:21:88:01:8f:48:29:d9:68:                    cf:1c:06:38:0c:0d:ba:d2:38:0f:de:97:24:29:4c:                    6b:d9:f3:9e:fe:ae:1f:de:c6:e9:a1:80:99:f9:6e:                    71:55:e9:67:77:4f:c6:f9:a6:c3:37:8d:c9:7b:72:                    a9:d4:7a:dc:59:25:08:59:0c:ee:d2:48:d6:64:f8:                    2d:5b:e0:5c:68:c4:84:99:47:ef:5f:27:98:b9:17:                    90:7f:1a:1e:a1:6c:09:6c:4a:ad:16:e7:1b:26:ed:                    c3:a7:d4:a9:79:8a:db:25:71:e9:4c:e9:5d:dd:c0:                    74:1d                Exponent: 65537 (0x10001)        X509v3 extensions:            X509v3 Key Usage: critical                Digital Signature, Key Encipherment            X509v3 Extended Key Usage:                 TLS Web Server Authentication, TLS Web Client Authentication            X509v3 Basic Constraints: critical                CA:FALSE            X509v3 Subject Key Identifier:                 02:6C:A1:82:18:7F:47:55:F5:94:EE:BA:EF:11:A7:96:7F:52:DB:8B            X509v3 Authority Key Identifier:                 keyid:3A:2E:15:93:05:72:D0:99:FF:F3:4F:D2:86:E8:14:E7:5D:B2:08:EA            X509v3 Subject Alternative Name:                 DNS:.10.254.0.1, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1, IP Address:192.168.163.121    Signature Algorithm: sha256WithRSAEncryption         bd:b0:c8:25:8b:30:0f:52:da:4f:e7:02:ec:4d:13:30:9a:32:         33:7a:e6:44:7f:61:f8:46:84:51:8b:44:19:73:07:ee:70:e0:         00:89:7d:d7:50:4f:75:52:6d:03:3c:cb:06:1c:80:bc:c2:c3:         fc:6d:46:93:37:3c:33:1a:de:92:a0:09:47:20:d1:79:f5:9a:         12:12:4f:15:94:69:fe:8d:7d:48:a6:66:51:f5:af:eb:a4:be:         5e:85:ea:08:5c:b1:1b:f2:73:70:ad:6b:9e:8b:61:1e:8d:4f:         a5:da:e2:f6:7c:ea:32:39:0d:2b:3a:4c:78:10:d3:f6:4c:85:         2b:ea:9b:a6:b7:40:61:53:fa:59:9e:83:91:e1:fd:83:9d:aa:         c6:f3:a3:d6:79:ee:35:04:b2:11:fe:d4:35:68:0a:18:9b:2a:         2f:34:37:d1:c6:8c:fc:11:6b:74:60:8f:d3:54:ab:6d:75:67:         46:8d:c9:63:f7:8b:94:a5:ba:9a:ee:81:6a:b6:ff:d8:46:89:         b1:02:1c:35:30:c8:95:9f:35:7f:59:57:23:d5:2c:c8:b7:4c:         ce:a9:15:4f:11:7d:50:98:f4:e8:3e:f5:df:57:70:84:74:c0:         69:fb:36:e9:ef:2d:8a:8d:45:5d:7a:dd:12:25:38:84:00:23:         fa:15:cf:f5[root@liumiaocn cert]#

参考内容

https://kubernetes.io/docs/concepts/cluster-administration/certificates/

转载地址：https://liumiaocn.blog.csdn.net/article/details/103556278 如侵犯您的版权，请留言回复原文章的地址，我们会给您删除此文章，给您带来不便请您谅解！