Creating Certificates
本文介绍三种制作证书的工具,分别是 easyrsa、openssl 和 cfssl。
easyrsa
下载并解压easyrsa
# Download the easy-rsa archive, unpack it and enter the easyrsa3 directory.
# NOTE(review): the archive is fetched over HTTPS but no checksum or signature
# is verified before extraction — compare it against a published digest before use.
curl -LO https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz
tar xzf easy-rsa.tar.gz
# The commands below assume the extracted top-level directory is easy-rsa-master.
cd easy-rsa-master/easyrsa3
# Create the empty PKI layout (the pki/ directory listed right after this).
./easyrsa init-pki
[root@kubernetes-build easyrsa3]# ls -l pki/
总用量 0
drwx------. 2 root root 6 4月 21 13:50 private
drwx------. 2 root root 6 4月 21 13:50 reqs
生成 CA 证书(--batch 设置自动模式;--req-cn 指定要使用的 CN)。
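# Build the CA (pki/ca.crt + pki/private/ca.key) non-interactively.
# MASTER_IP must be set in the environment before running this: the CN embeds it
# together with the current epoch seconds, so each run presumably yields a distinct CN.
: "${MASTER_IP:?MASTER_IP must be set before building the CA}"
# $(...) replaces the original backticks; `nopass` leaves ca.key without a passphrase.
./easyrsa --batch "--req-cn=${MASTER_IP}@$(date +%s)" build-ca nopass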
root@kubernetes-build pki]# ls -l
总用量 8
-rw-------. 1 root root 1172 4月 21 13:51 ca.crt
drwx------. 2 root root 6 4月 21 13:51 certs_by_serial
-rw-------. 1 root root 0 4月 21 13:51 index.txt
drwx------. 2 root root 6 4月 21 13:51 issued
drwx------. 2 root root 20 4月 21 13:51 private
drwx------. 2 root root 6 4月 21 13:50 reqs
-rw-------. 1 root root 3 4月 21 13:51 serial
生成服务器证书和密钥。
参数 --subject-alt-name 设置 API 服务器可能被访问到的 IP 和 DNS 名称。MASTER_CLUSTER_IP 通常是服务 CIDR 的第一个 IP,该 CIDR 通过 API 服务器和控制器管理器组件的 --service-cluster-ip-range 参数指定。参数 --days 用于设置证书过期的天数。下面的示例还假定您使用 cluster.local 作为默认的 DNS 域名。
# Issue the API server certificate and key (pki/issued/server.crt,
# pki/private/server.key) signed by the CA built above; `nopass` leaves
# server.key unencrypted.
# NOTE(review): both IP entries are 192.168.1.43. Per the text above the second
# entry is expected to be MASTER_CLUSTER_IP (first IP of the service CIDR) —
# confirm and replace before issuing.
# NOTE(review): --days=10000 is roughly 27 years of validity; consider whether a
# shorter lifetime with planned rotation fits your environment.
./easyrsa --subject-alt-name="IP:192.168.1.43,"\
"IP:192.168.1.43,"\
"DNS:kubernetes,"\
"DNS:kubernetes.default,"\
"DNS:kubernetes.default.svc,"\
"DNS:kubernetes.default.svc.cluster,"\
"DNS:kubernetes.default.svc.cluster.local" \
--days=10000 \
build-server-full server nopass
[root@kubernetes-build pki]# ls -l private/
总用量 8
-rw-------. 1 root root 1704 4月 21 13:51 ca.key
-rw-------. 1 root root 1704 4月 21 13:59 server.key
[root@kubernetes-build pki]# ls -l reqs/
总用量 4
-rw-------. 1 root root 1123 4月 21 13:59 server.req
复制 pki/ca.crt、pki/issued/server.crt 和 pki/private/server.key 到指定的证书存放目录,
然后通过api-server的启动参数使用证书
--client-ca-file=/yourdirectory/ca.crt
--tls-cert-file=/yourdirectory/server.crt
--tls-private-key-file=/yourdirectory/server.key
openssl
生成 2048 位的 ca.key(CA 私钥)
[root@kubernetes-build openssl]# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
....+++
..............+++
e is 65537 (0x10001)
[root@kubernetes-build openssl]# ls -l
总用量 4
-rw-r--r--. 1 root root 1679 4月 21 14:05 ca.key
使用ca.key生成ca.crt
[root@kubernetes-build openssl]# openssl req -x509 -new -nodes -key ca.key -subj "/CN=192.168.1.43" -days 10000 -out ca.crt
[root@kubernetes-build openssl]# ls -l
总用量 8
-rw-r--r--. 1 root root 1103 4月 21 14:06 ca.crt
-rw-r--r--. 1 root root 1679 4月 21 14:05 ca.key
生成服务器私钥 server.key
[root@kubernetes-build openssl]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.................................................................+++
..............................................+++
e is 65537 (0x10001)
[root@kubernetes-build openssl]# ls -l
总用量 12
-rw-r--r--. 1 root root 1103 4月 21 14:06 ca.crt
-rw-r--r--. 1 root root 1679 4月 21 14:05 ca.key
-rw-r--r--. 1 root root 1679 4月 21 14:07 server.key
创建一个用于生成证书签名请求(CSR)的配置文件,保存为 scr.conf(即下文命令中使用的文件名),使用 cluster.local 作为默认的 DNS 域名。
[root@kubernetes-build openssl]# cat scr.conf
# OpenSSL configuration used twice on this page:
#   - `openssl req -new ... -config scr.conf` reads [ req ], [ dn ] and [ req_ext ]
#   - `openssl x509 -req ... -extensions v3_ext -extfile scr.conf` reads [ v3_ext ]
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
# C must be a 2-character country code (see the "string too long ... maxsize=2"
# error shown further down).
# NOTE(review): CH is the ISO 3166 code for Switzerland; China is CN — confirm
# the intended value.
C = CH
ST = Beijing
L = Beijing
O = xinao
OU = xinao
CN = 192.168.1.43
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
# NOTE(review): IP.1 and IP.2 are identical; the second is presumably meant to be
# the service-CIDR cluster IP described in the easyrsa section — confirm.
IP.1 = 192.168.1.43
IP.2 = 192.168.1.43
# Extensions applied when the CA signs the request (-extensions v3_ext).
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
# Leaf certificate: it must not be able to issue further certificates.
basicConstraints=CA:FALSE
# NOTE(review): digitalSignature is not listed; TLS key exchanges where the
# server signs with its key (e.g. ECDHE with an RSA certificate) rely on it and
# strict validators may reject the certificate — confirm against the clients in use.
keyUsage=keyEncipherment,dataEncipherment
# Both server and client authentication, so the same certificate can be
# presented in either role.
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
根据 scr.conf 文件创建证书签名请求 server.csr
[root@kubernetes-build openssl]# openssl req -new -key server.key -out server.csr -config scr.conf
[root@kubernetes-build openssl]# ls -l
总用量 20
-rw-r--r--. 1 root root 1103 4月 21 14:06 ca.crt
-rw-r--r--. 1 root root 1679 4月 21 14:05 ca.key
-rw-r--r--. 1 root root 649 4月 21 14:20 scr.conf
-rw-r--r--. 1 root root 1240 4月 21 14:20 server.csr
-rw-r--r--. 1 root root 1679 4月 21 14:07 server.key
如出现以下错误
[root@kubernetes-build openssl]# openssl req -new -key server.key -out server.csr -config scr.conf
problems making Certificate Request
140274975688608:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:158:maxsize=2
就把 [ dn ] 中的国家字段 C 改为两个字符的国家代码(错误信息中的 maxsize=2 即为此限制)
根据 ca.key、ca.crt 和 server.csr 生成服务器证书 server.crt
[root@kubernetes-build openssl]# openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 10000 -extensions v3_ext -extfile scr.conf
Signature ok
subject=/C=CH/ST=Beijing/L=Beijing/O=xinao/OU=xinao/CN=192.168.1.43
Getting CA Private Key
查看证书
[root@kubernetes-build openssl]# openssl x509 -noout -text -in ./server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
92:91:0d:2b:62:56:2a:71
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=192.168.1.43
Validity
Not Before: Apr 21 06:24:12 2018 GMT
Not After : Sep 6 06:24:12 2045 GMT
Subject: C=CH, ST=Beijing, L=Beijing, O=xinao, OU=xinao, CN=192.168.1.43
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ae:e1:5a:d6:4c:b9:76:eb:c9:0d:95:31:97:59:
8f:18:72:2d:6d:3b:8f:b1:d5:8f:54:79:50:09:06:
02:ec:65:aa:8c:5d:03:19:3c:3a:88:11:12:4c:b5:
e3:d2:93:d1:85:0d:0a:9b:a4:a9:7c:7a:8a:58:8d:
d9:1d:41:85:01:f6:98:a2:22:40:ce:bb:f7:9e:d4:
1f:d0:47:57:95:05:da:d7:3f:4f:f8:23:d0:b6:eb:
2b:64:bf:b9:53:28:94:81:fe:e3:fc:c4:00:89:6a:
ce:72:1b:43:ea:10:44:6d:e8:6b:b1:6f:dc:cc:7c:
ab:bf:7a:30:f7:70:e4:0e:3a:2d:16:fa:b0:0f:b8:
e2:96:4c:82:68:c4:82:3b:d9:ef:77:18:72:08:d9:
12:7b:82:4b:39:f3:91:37:01:34:b4:fa:d5:28:48:
d6:43:72:e3:c9:4b:5c:c3:a6:66:aa:06:4b:31:74:
d6:8b:86:1a:1b:3a:c9:e0:49:a9:c8:d5:b4:31:d8:
72:c4:8c:02:56:af:e3:02:8b:4d:2a:2b:d2:b7:17:
63:1d:3d:75:6c:53:6d:f7:fd:02:ee:d8:b9:d4:58:
31:5b:9e:96:85:5e:41:9a:9d:ed:d1:a9:02:f4:18:
36:98:79:dc:db:3a:87:b5:90:07:ce:00:89:61:9b:
d6:2f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:C9:BB:16:09:DD:5F:EC:5A:B4:BF:1A:E1:4D:79:62:67:3A:45:84:DF
DirName:/CN=192.168.1.43
serial:E9:0B:50:52:AC:6F:3D:3A
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:192.168.1.43, IP Address:192.168.1.43
Signature Algorithm: sha256WithRSAEncryption
26:f7:3a:82:be:92:a3:c3:ca:16:6a:9f:c9:5c:2a:e7:24:f3:
fa:a4:e9:d9:bd:59:40:bb:4a:a2:27:4b:1b:11:52:72:b9:39:
d3:8d:8e:58:18:7c:7a:11:94:fe:4b:0c:e3:e1:b9:dd:3b:b1:
31:85:3c:cf:a2:b9:21:fb:d2:7a:9e:2d:8e:75:62:8b:b1:e4:
3f:e5:f3:ca:6e:b1:ed:98:ff:7b:9f:60:cf:d1:76:f3:ab:e4:
0c:4a:79:12:86:cf:c9:f0:a8:3a:ff:d8:04:73:01:2d:d4:c2:
28:33:5f:76:cd:b0:52:21:d0:d2:6f:a5:98:22:af:10:79:71:
de:bc:30:cd:2a:e7:a4:89:a3:8f:60:eb:80:30:8f:93:cd:71:
15:4a:b4:3e:be:ad:64:40:bd:4d:65:37:54:0b:58:33:b4:10:
63:a9:47:27:bf:bc:27:a2:8f:1b:d4:eb:8f:94:aa:79:20:93:
aa:1b:c7:5e:19:52:f5:6a:fc:f9:de:9c:f6:6e:2b:0f:92:11:
71:c1:eb:58:89:cb:db:03:ea:36:b9:7d:f7:3c:6d:ac:e3:f4:
80:65:25:b2:1b:3a:de:20:a4:a3:da:60:5c:2e:97:cf:46:3b:
85:22:a7:d7:a8:62:be:79:c8:ed:91:36:89:92:33:54:44:f9:
7b:ce:73:d4
然后通过api-server的启动参数使用证书
--client-ca-file=/yourdirectory/ca.crt
--tls-cert-file=/yourdirectory/server.crt
--tls-private-key-file=/yourdirectory/server.key
cfssl
下载解压cfssl
# Fetch the three cfssl R1.2 binaries (cfssl, cfssljson, cfssl-certinfo) for
# linux-amd64 and make each one executable, in that order.
# NOTE(review): the downloads are not checksum-verified — compare them against a
# published digest before running the binaries.
for tool in cfssl cfssljson cfssl-certinfo; do
  curl -L "https://pkg.cfssl.org/R1.2/${tool}_linux-amd64" -o "$tool"
  chmod +x "$tool"
done
[root@kubernetes-build cfssl]# ls -l
总用量 18808
-rwxr-xr-x. 1 root root 10376657 4月 21 14:31 cfssl
-rwxr-xr-x. 1 root root 6595195 4月 21 14:34 cfssl-certinfo
-rwxr-xr-x. 1 root root 2277873 4月 21 14:32 cfssljson
初始化cfssl
# Work in a fresh cert/ directory next to the downloaded binaries.
mkdir cert
cd cert
# Dump cfssl's default config and CSR templates for reference.
# NOTE(review): config.json and csr.json are not referenced again on this page;
# ca-config.json, ca-csr.json and server-csr.json are written by hand below.
../cfssl print-defaults config > config.json
../cfssl print-defaults csr > csr.json
创建ca的配置文件
vi ca-config.json
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
}
}
}
}
创建ca-csr.json文件
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names":[{
"C": "CH",
"ST": "Beijing",
"L": "Beijing",
"O": "xinao",
"OU": "xinao"
}]
}
生成 CA 私钥 ca-key.pem 和 CA 证书 ca.pem
../cfssl gencert -initca ca-csr.json | ../cfssljson -bare ca
-rw-------. 1 root root 1675 4月 21 14:38 ca-key.pem
-rw-r--r--. 1 root root 1363 4月 21 14:38 ca.pem
创建服务证书的配置文件 server-csr.json(注意其中 O 字段为 xiaoao,与前面各文件中的 xinao 不一致,请按需统一)
vi server-csr.json
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"192.168.1.43",
"192.168.1.144",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [{
"C": "CH",
"ST": "Beijing",
"L": "Beijing",
"O": "xiaoao",
"OU": "xinao"
}]
}
生成服务证书。若输出中出现下面的 `lacks a "hosts" field` 警告,说明 hosts 列表可能没有写入证书的 SAN,使用前先用 `openssl x509 -noout -text -in server.pem` 检查。
[root@kubernetes-build cert]# ../cfssl gencert -ca=ca.pem -ca-key=ca-key.pem --config=ca-config.json -profile=kubernetes server-csr.json | ../cfssljson -bare server
2018/04/21 14:51:23 [INFO] generate received request
2018/04/21 14:51:23 [INFO] received CSR
2018/04/21 14:51:23 [INFO] generating key: rsa-2048
2018/04/21 14:51:23 [INFO] encoded CSR
2018/04/21 14:51:23 [INFO] signed certificate with serial number 713854579205162235239808671777172304454503834002
2018/04/21 14:51:23 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
-rw-------. 1 root root 1679 4月 21 14:51 server-key.pem
-rw-r--r--. 1 root root 1614 4月 21 14:51 server.pem
然后通过 api-server 的启动参数使用证书(cfssl 生成的文件名为 ca.pem、server.pem 和 server-key.pem,请将下面参数中的文件名对应替换)
--client-ca-file=/yourdirectory/ca.crt
--tls-cert-file=/yourdirectory/server.crt
--tls-private-key-file=/yourdirectory/server.key
参考:
certificates