使用cfssl创建ssl证书

CFSSL安装

• 下载安装

下载地址:  https://github.com/cloudflare/cfssl/releases

下载： 
wget https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssl-certinfo_1.5.0_linux_amd64 
wget https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssljson_1.5.0_linux_amd64 
wget https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssl_1.5.0_linux_amd64 

安装：将下载的cfssl移动到/usr/bin目录下，并附加执行权限
mv cfssl-certinfo_1.5.0_linux_amd64 /usr/bin/cfssl-certinfo && chmod +x /usr/bin/cfssl-certinfo 
mv cfssljson_1.5.0_linux_amd64  /usr/bin/cfssljson && chmod +x /usr/bin/cfssljson 
mv cfssl_1.5.0_linux_amd64 /usr/bin/cfssl && chmod +x /usr/bin/cfssl 

示例

生成ca证书

• 初始化

cfssl print-defaults config > ca-config.json
cfssl print-defaults csr > ca-csr.json

• 修改ca-config.json和ca-csr.json文件
  修改ca-config.json

{
    "signing": {
        "default": {
            "expiry": "87600h"
        },
        "profiles": {
            "server": {
                "expiry": "87600h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}

修改ca-csr.json文件

{
    "CN": "ca",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "JiangSu",
            "L": "JiangSu"
        }
    ]
}

• 生成ca证书

# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

使用ca证书为etcd颁发签名证书

• 修改etcd-csr.json文件

{
    "CN": "etcd",
    "hosts": [
        "192.168.10.42",
        "192.168.10.43",
        "192.168.10.44"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "JiangSu",
            "L": "JiangSu"
        }
    ]
}

• 使用ca证书为etcd签发证书

# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server etcd-csr.json | cfssljson -bare etcd

• 自签证书可转为浏览器可用的p12证书(可选)

 openssl pkcs12 -export -in apiserver.pem  -out apiserver.p12 -inkey apiserver-key.pem