Self-signed HTTPS certificates

Creating self-signed certificates with cfssl

Downloading the tools

test -x /usr/bin/cfssljson || wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/bin/cfssljson
test -x /usr/bin/cfssl || wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/bin/cfssl
test -x /usr/bin/cfssl-certinfo || wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/bin/cfssl-certinfo
chmod +x /usr/bin/cfssl*

Self-signed certificate authority

1. Signing policy for the self-signed CA: ca-config.json

{
    "signing":{
        "default": {
            "expiry":"87600h"
        },
        "profiles": {
            "www":{
                "expiry":"87600h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}

2. Certificate request for the self-signed CA: ca-csr.json

{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "ca": {
    "expiry": "438000h"
  }
}

3. Generate the CA certificate

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

Issuing an organization certificate

Create the organization's configuration file (demo-csr.json)

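Field notes (cfssl reads this file as strict JSON, so comments cannot stay inside it): CN is the applicant organization or person name, hosts lists the trusted IPs, and names holds the organization details. With hosts left empty the issued certificate carries no subjectAltName, so list the IPs or DNS names the server will be reached at.

{
    "CN":"demo",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C":"CN",
            "L":"Beijing",
            "ST":"Beijing"
        }
    ]
}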

Generate the certificate

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www demo-csr.json | cfssljson -bare server
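
A misspelled usage name in ca-config.json or a comment left in a CSR file is easy to miss before running cfssl gencert. The following is an added example, not part of the original page or of cfssl itself: a small linter for the two file types used above. The function names and sample inputs are constructed for illustration; the usage names are those cfssl's signing profiles recognise.

```python
import json

# Usage names accepted in a cfssl signing profile (key usages + extended key usages).
CFSSL_USAGES = {
    "signing", "digital signature", "content commitment", "key encipherment",
    "key agreement", "data encipherment", "cert sign", "crl sign",
    "encipher only", "decipher only", "any", "server auth", "client auth",
    "code signing", "email protection", "s/mime", "ipsec end system",
    "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing",
    "microsoft sgc", "netscape sgc",
}

def _load(text):
    """Parse strict JSON; return (document, findings)."""
    try:
        return json.loads(text), []
    except json.JSONDecodeError as exc:
        return None, [f"not valid JSON at line {exc.lineno}: {exc.msg}"]

def lint_ca_config(text):
    """Check every signing profile for missing or unrecognised usage names."""
    cfg, findings = _load(text)
    if cfg is None:
        return findings
    for name, profile in cfg.get("signing", {}).get("profiles", {}).items():
        usages = profile.get("usages", [])
        if not usages:
            findings.append(f"profile {name}: no usages listed")
        findings += [f"profile {name}: unknown usage {u!r}"
                     for u in usages if u not in CFSSL_USAGES]
    return findings

def lint_csr(text):
    """Check a CSR file for an empty hosts list (no subjectAltName) and a weak RSA key."""
    csr, findings = _load(text)
    if csr is None:
        return findings
    if not csr.get("hosts"):
        findings.append("hosts is empty: certificate will have no subjectAltName")
    key = csr.get("key", {})
    if key.get("algo") == "rsa" and key.get("size", 0) < 2048:
        findings.append("RSA key smaller than 2048 bits")
    return findings

# Constructed sample inputs: a profile with a misspelled usage, a CSR with a // comment.
SAMPLE_CONFIG = '{"signing": {"profiles": {"www": {"expiry": "87600h", "usages": ["singing", "server auth"]}}}}'
SAMPLE_CSR = '{\n  "CN": "demo",  // applicant\n  "hosts": []\n}'

if __name__ == "__main__":
    for finding in lint_ca_config(SAMPLE_CONFIG) + lint_csr(SAMPLE_CSR):
        print(finding)
```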
