Creating SSL certificates with cfssl

Contents

          • Installing CFSSL
          • Example
            • Generating the CA certificate
            • Issuing an etcd certificate signed by the CA
Installing CFSSL
  • Download and install
Download page: https://github.com/cloudflare/cfssl/releases
Download:
wget https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssl-certinfo_1.5.0_linux_amd64
wget https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssljson_1.5.0_linux_amd64
wget https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssl_1.5.0_linux_amd64

Install: move the downloaded binaries into /usr/bin and make them executable. These tools will handle the CA private key, so verify the downloads (for example against the checksums published with the release) before installing them, and run cfssl version afterwards to confirm the install.
mv cfssl-certinfo_1.5.0_linux_amd64 /usr/bin/cfssl-certinfo && chmod +x /usr/bin/cfssl-certinfo
mv cfssljson_1.5.0_linux_amd64 /usr/bin/cfssljson && chmod +x /usr/bin/cfssljson
mv cfssl_1.5.0_linux_amd64 /usr/bin/cfssl && chmod +x /usr/bin/cfssl
Example
Generating the CA certificate
  • Initialize
cfssl print-defaults config > ca-config.json
cfssl print-defaults csr > ca-csr.json
  • Edit ca-config.json and ca-csr.json
    Edit ca-config.json. "signing.default" applies to any request that names no profile; "profiles.server" is the profile used below for etcd. Its "usages" list becomes the certificate's key usage and extended key usage: with both "server auth" and "client auth", one certificate can serve etcd's client-facing listener and also authenticate the node to its peers. 87600h is ten years; pick something shorter if you are able to rotate certificates.
{
    "signing": {
        "default": {
            "expiry": "87600h"
        },
        "profiles": {
            "server": {
                "expiry": "87600h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}

Edit ca-csr.json. A CA needs no "hosts" (SANs), only a subject. Note that ca-config.json does not govern the CA's own lifetime: cfssl gencert -initca gives the root five years unless the CSR carries a "ca": {"expiry": "87600h"} block.

{
    "CN": "ca",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "JiangSu",
            "L": "JiangSu"
        }
    ]
}
  • Generate the CA certificate
# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
This writes ca.pem (the CA certificate, which is distributed to the etcd nodes and their clients), ca-key.pem (the CA private key: chmod 600 it and keep it off the etcd nodes) and ca.csr.
Issuing an etcd certificate signed by the CA
  • Create etcd-csr.json
The "hosts" entries become the certificate's subject alternative names. List every IP address and DNS name that etcd will be contacted on, including 127.0.0.1 if anything (etcdctl, a local health check) connects over loopback; a client that connects to an address missing from this list will reject the certificate.
{
    "CN": "etcd",
    "hosts": [
        "192.168.10.42",
        "192.168.10.43",
        "192.168.10.44"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "JiangSu",
            "L": "JiangSu"
        }
    ]
}
  • Issue the etcd certificate with the CA
# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server etcd-csr.json | cfssljson -bare etcd
This writes etcd.pem, etcd-key.pem and etcd.csr; cfssl-certinfo -cert etcd.pem prints the issuer, validity and SANs so you can check them before deploying.
  • Bundle a certificate and key into a PKCS#12 file that a browser can import (optional)
 openssl pkcs12 -export -in apiserver.pem  -out apiserver.p12 -inkey apiserver-key.pem
The command is shown for an apiserver.pem / apiserver-key.pem pair issued from the same CA; substitute the pair you want to import (for example etcd.pem and etcd-key.pem). openssl prompts for an export password, -certfile ca.pem additionally bundles the CA certificate, and the browser still has to trust ca.pem before it accepts anything this CA signed.
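The whole procedure above as one shell script, added here as an example and not taken from the original post: it issues one certificate per etcd node instead of a single shared one, with the node name, its IP and 127.0.0.1 as SANs, adds a client-only profile for processes that connect to etcd, and checks each result with openssl. The node names etcd-1..3, the loopback SAN, the "client" profile, the "ca" expiry block and the ./pki output directory are assumptions, not part of the post.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: one cfssl CSR per etcd node,
# issued with the CA from the post and checked with openssl afterwards.
# Assumed (not in the original): node names etcd-1..3, the extra SAN 127.0.0.1,
# a separate "client" profile, and the output directory ./pki.
set -eu

# ca-config.json: the post's "server" profile plus a client-only profile for
# processes that talk to etcd (e.g. kube-apiserver). 87600h is ten years.
ca_config_json() {
  cat <<'EOF'
{
  "signing": {
    "default": { "expiry": "87600h" },
    "profiles": {
      "server": {
        "expiry": "87600h",
        "usages": ["signing", "key encipherment", "server auth", "client auth"]
      },
      "client": {
        "expiry": "87600h",
        "usages": ["signing", "key encipherment", "client auth"]
      }
    }
  }
}
EOF
}

# CSR for the CA itself: no hosts, and an explicit "ca" block so the root is
# not cut to cfssl's 5-year default for -initca.
ca_csr_json() {
  cat <<'EOF'
{
  "CN": "ca",
  "ca": { "expiry": "87600h" },
  "key": { "algo": "rsa", "size": 2048 },
  "names": [{ "C": "CN", "ST": "JiangSu", "L": "JiangSu" }]
}
EOF
}

# CSR for a leaf certificate. $1 = CN, remaining args = SAN entries (hosts).
csr_json() {
  cn=$1; shift
  hosts=""
  for h in "$@"; do
    hosts="$hosts${hosts:+, }\"$h\""
  done
  printf '{\n  "CN": "%s",\n  "hosts": [%s],\n  "key": { "algo": "rsa", "size": 2048 },\n  "names": [{ "C": "CN", "ST": "JiangSu", "L": "JiangSu" }]\n}\n' "$cn" "$hosts"
}

# Issue <name>.pem / <name>-key.pem from the CA with the given profile.
issue_cert() {
  profile=$1; name=$2; shift 2
  csr_json "$name" "$@" > "$name-csr.json"
  cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
    -profile="$profile" "$name-csr.json" | cfssljson -bare "$name"
  chmod 0600 "$name-key.pem"
}

# Fail (set -e) unless the cert chains to ca.pem and carries the expected SAN.
verify_cert() {
  cert=$1; san=$2
  openssl verify -CAfile ca.pem "$cert" >/dev/null
  openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' | grep -q -- "$san"
}

main() {
  command -v cfssl >/dev/null || { echo "cfssl not installed" >&2; exit 1; }
  mkdir -p pki && cd pki
  ca_config_json > ca-config.json
  ca_csr_json > ca-csr.json
  cfssl gencert -initca ca-csr.json | cfssljson -bare ca
  chmod 0600 ca-key.pem
  # One cert per node: its name, its IP, and loopback for local health checks.
  for node in etcd-1:192.168.10.42 etcd-2:192.168.10.43 etcd-3:192.168.10.44; do
    name=${node%%:*}; ip=${node#*:}
    issue_cert server "$name" "$name" "$ip" 127.0.0.1
    verify_cert "$name.pem" "IP Address:$ip"
  done
  # Client-only cert for processes connecting to etcd; no SANs needed.
  issue_cert client etcd-client
  ls -l ./*.pem
}

# Run the full flow only when invoked as: sh gen-etcd-certs.sh run
if [ "${1:-}" = run ]; then main; fi
```

Run it as sh gen-etcd-certs.sh run on a machine with cfssl and openssl installed; the JSON-producing functions need nothing installed and can be inspected on their own. Each node's etcd-N.pem / etcd-N-key.pem can be passed to both its client listener (--cert-file/--key-file) and its peer listener (--peer-cert-file/--peer-key-file) because the "server" profile carries both "server auth" and "client auth"; etcd-client.pem only authenticates a client, which is the least privilege a connecting process needs.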
