k8s cfssl自签证书

1. 下载 cfssl 工具

curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
# cp -rf cfssl cfssl-certinfo cfssljson /usr/local/bin
chmod +x /usr/local/bin/cfssl*


cfssl -- 命令行工具
cfssljsion -- 从cfssl获取JSON输出
cfssl-certinfo -- 查看证书信息

2. 创建CA

# 创建ca命令 -> ca-pem、ca-key.pem
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

3. 填写表单申请证书

# 生成证书命令 -> server.pem、server-key.pem
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server

json 文件及参数说明

# 请求创建ca签名申请表
cat > ca-csr.json << EOF
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF

# ca配置文件，指定ca有效期、使用场景
cat < ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

# 请求证书申请表
cat > server-csr.json << EOF
    "CN": "etcd",
    "hosts": [
        "192.168.31.63",
        "192.168.31.65",
        "192.168.31.66"
        ],
    "key": { 
        "algo": "rsa",
        "size": 2048
    },      
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing"
        }
    ]
}

EOF






server-csr.json -- 请求证书申请表
ca-config.json -- 指定ca有效期、使用场景
ca-csr.json -- 请求创建ca签名申请表
profile -- 使用场景

*key.pem --私钥
*pem -- 公钥