自签https证书
使用cfssl制作自签证书
工具下载
test -x /usr/bin/cfssljson || wget http://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/bin/cfssljson
test -x /usr/bin/cfssl || wget http://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/bin/cfssl
test -x /usr/bin/cfssl-certinfo || wget http://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/bin/cfssl-certinfo
chmod +x /usr/bin/cfssl*
自签证书机构
1、自签证书授权:ca-config.json
{
"signing":{
"default": {
"expiry":"87600h"
},
"profiles": {
"www":{
"expiry":"87600h",
"usages": [
"singing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
2、自签证书机构:ca-csr.json
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"ca": {
"expiry": "438000h"
}
}
3、制作CA证书
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
颁发企业证书
创建企业配置文件(demo-csr.json)
{
"CN":"demo", // 申请单位或者姓名
"hosts": [], // 受信任的IP
"key": {
"algo": "rsa",
"size": 2048
},
"names": [ // 机构名称
{
"C":"CN",
"L":"Beijing",
"ST":"Beijing"
}
]
}
生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www demo-csr.json | cfssljson -bare server