详见:手动生成证书 | Kubernetes
# 1、下载cfssl、cfssljson、cfssl-certinfo
# cfssl:用于签发证书
# cfssljson:将cfssl签发生成的证书(json格式)变成文件承载式文件
# cfssl-certinfo:验证查看证书信息
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/local/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/local/bin/cfssl-certinfo
# 2、给cfssl、cfssljson、cfssl-certinfo添加可执行权限
chmod +x /usr/local/bin/cfssl*
详见:https://github.com/cloudflare/cfssl
安装go:
# 1、下载页面:https://go.dev/dl/
# 2、下载go
wget https://go.dev/dl/go1.21.6.linux-amd64.tar.gz
# 3、解压
tar -xf go1.21.6.linux-amd64.tar.gz
# 4、移动go到/usr/local/go
mv go /usr/local/go
# 5、添加到环境变量
vi /root/.bash_profile
# 6、/root/.bash_profile文件内容:
# 内容开始----------------------------------------------
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
# User specific environment and startup programs
# 【此处添加go相关信息,并追加到PATH环境变量中】
GO_PATH=/usr/local/go/bin
PATH=$PATH:$HOME/bin:$GO_PATH
export PATH
# 内容结束----------------------------------------------
# 7、使环境变量生效
source /root/.bash_profile
# 8、在任意目录执行
go version
安装cfssl:
# 1、下载页面:https://github.com/cloudflare/cfssl/releases
# 2、下载cfssl
wget https://github.com/cloudflare/cfssl/archive/refs/tags/v1.6.4.tar.gz -O cfssl-1.6.4.tar.gz
# 3、解压
tar -xf cfssl-1.6.4.tar.gz
# 4、进入目录
cd cfssl-1.6.4
# 5、编译
make
# 6、查看编译后的可执行文件
ls bin
# 7、可将bin目录下的文件移动到/usr/local/bin
# 移动部分可执行文件
mv cfssl /usr/local/bin/cfssl
mv cfssl-certinfo /usr/local/bin/cfssl-certinfo
mv cfssljson /usr/local/bin/cfssljson
https://github.com/cloudflare/cfssl/tree/master
查看某个命令使用:cfssl [command] -help,其中[command]为某个命令名称
# cfssl命令,cfssl 或者 cfssl -help 或者 cfssl -h 或者 cfssl [command] -h
cfssl
No command is given.
Usage:
Available commands:
ocspdump
revoke 吊销证书
info 获取签名者信息
serve 启动HTTP API服务器
genkey 生成私钥和证书请求
ocspserve
scan
selfsign 生成自签证书
bundle 生成证书bundle
certinfo 查看证书信息
ocsprefresh
ocspsign
print-defaults 打印默认配置
sign 签名证书
version 查看版本
gencert 生成私钥和证书
gencrl 生成新的证书吊销列表
Top-level flags:
-allow_verification_with_non_compliant_keys
Allow a SignatureVerifier to use keys which are technically non-compliant with RFC6962.
-loglevel int
Log level (0 = DEBUG, 5 = FATAL) (default 1)
# 查看config默认配置
cfssl print-defaults config
# 默认配置数据
{
"signing": {
"default": {
"expiry": "168h"
},
"profiles": {
"www": {
"expiry": "8760h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "8760h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
}
}
}
}
# 查看csr默认配置
cfssl print-defaults csr
# csr默认数据
{
"CN": "example.net",
"hosts": [
"example.net",
"www.example.net"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"L": "CA",
"ST": "San Francisco"
}
]
}
CN字段说明:
hosts字段说明:
注意:
1) 超过该集合范围的任何请求都不会被支持认证通过。
2) CA根证书及其私钥创建过程不需要甚至该字段。其它服务证书创建必须有该字段。
3) hosts设置技巧:一般都把"127.0.0.1"包含进去;推荐使用域名或vip(vip即虚拟ip),尽量不要用ip地址,否则后期遇到某个服务所在机器宕机要重新更换某1台或多台机器时会面临证书认证不通过的毁灭性尴尬情况,导致扩容失败,集群服务面临毁灭性灾难。这里强烈推荐用域名或vip地址,另外,如果有条件,配置之处建议多预留1-3个host地址,防止后期扩容困难
key字段说明:
names字段说明:
# genkey命令
cfssl genkey -h
# genkey命令说明
cfssl genkey -- generate a new key and CSR
Usage of genkey:
cfssl genkey CSRJSON
Arguments:
CSRJSON: JSON file containing the request, use '-' for reading JSON from stdin
Flags:
-initca=false: initialise new CA
-config="": path to configuration file
csr.json文件:
{
"CN": "test",
"hosts": [
"example.com",
"www.example.com",
"https://www.example.com",
"[email protected]",
"127.0.0.1"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "San Francisco",
"O": "Internet Widgets, Inc.",
"OU": "WWW",
"ST": "California"
}
]
}
# 生成证书签名请求和私钥
cfssl genkey csr.json
# 显示结果{"csr":"证书签名请求","key":"私钥"}
{"csr":"-----BEGIN CERTIFICATE REQUEST-----\nMIIDKDCCAhACAQAweDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx\nFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xHzAdBgNVBAoTFkludGVybmV0IFdpZGdl\ndHMsIEluYy4xDDAKBgNVBAsTA1dXVzENMAsGA1UEAxMEdGVzdDCCASIwDQYJKoZI\nhvcNAQEBBQADggEPADCCAQoCggEBALiGBaS3cwbvPiCMn7E4Gtv8RcwhNssoZG64\nF9sK0Zdg4nlBz6/MJg23cRAPPgxUfFXd/Ad1S3K1xiOOW/Ron7pY4MIAfBXDv4NZ\n2w+Vz4tAGVIW32178dkRzFh9DcYSK0bTkJoHqxJ0uPr5cUcB8EmDkqoi2k4pp6lL\nfNaHP/CMz/fcYUuFEhKGrwQjVUpudcFSGbEYExw9omjLTXPcv5ETCM+99ykq4M/g\nfrE8c1AOO9E7faOJ6DUzCoG1COL92wuQa8U4gqfQL944VodoW62nQLo0ldHbCerW\n1AuX2Jx/hRtproPo+MHOn71eiKm/uqZNHyzXJuW6/GX/tQvkjN8CAwEAAaBrMGkG\nCSqGSIb3DQEJDjFcMFowWAYDVR0RBFEwT4ILZXhhbXBsZS5jb22CD3d3dy5leGFt\ncGxlLmNvbYIXaHR0cHM6Ly93d3cuZXhhbXBsZS5jb22BEGpkb2VAZXhhbXBsZS5j\nb22HBH8AAAEwDQYJKoZIhvcNAQELBQADggEBAEW4O5auXbUPhjPiknlydWMINGJ3\nk6+/zq/9J7gBaTrRH/wSeXJrbekrww/1tkRCUFLCQgczWgcaKO34j0nWIsUOSIdl\nytpzVheiB3+WIot62N6rBOpiCSRXOs9KWA1cK7lz8UcBi1GdgeEekXZSd3LJswO6\nLCTwM1dJUxzNDBHrS/UwGINBteLnqIK4O9pJHG564u1ArMncErs0tSCH7zOPcQWp\n1zbw2rL1LMo/ej8SNyr5LdlZJ9fqI6DQi0etUYUVmt/ErM86/SpIlPTL2a6I6fFb\nJ/L3K0oCEL9LC/CNMB8ZxTLjoqSgoCwlr4V54amiel31ewly2rbNCqRItgc=\n-----END CERTIFICATE REQUEST-----\n","key":"-----BEGIN RSA PRIVATE KEY-----\nMIIEogIBAAKCAQEAuIYFpLdzBu8+IIyfsTga2/xFzCE2yyhkbrgX2wrRl2DieUHP\nr8wmDbdxEA8+DFR8Vd38B3VLcrXGI45b9GifuljgwgB8FcO/g1nbD5XPi0AZUhbf\nbXvx2RHMWH0NxhIrRtOQmgerEnS4+vlxRwHwSYOSqiLaTimnqUt81oc/8IzP99xh\nS4USEoavBCNVSm51wVIZsRgTHD2iaMtNc9y/kRMIz733KSrgz+B+sTxzUA470Tt9\no4noNTMKgbUI4v3bC5BrxTiCp9Av3jhWh2hbradAujSV0dsJ6tbUC5fYnH+FG2mu\ng+j4wc6fvV6Iqb+6pk0fLNcm5br8Zf+1C+SM3wIDAQABAoIBAHG03Mto5HAUg2NJ\nZKqvWRXQei5VFU/Rnzn/JWwsWYWABW8VV+cL1TNEpF5yFhlBArFjLohmBk00qFmG\nwzF0O2F4nV/PLqe2zVAi0fPjrFYx9Kh6QcpUw26xIgwxW4h/770gaA4SxZ+E3+yA\nRAausiSK+JjxCzd5QcD4LICCLauL/kFgIjNajTjGfjVmsDJDUF9Q5kUbcfnEj0+d\nTIG9k6XzkAgboS7o6dBK0BXDrWr2Btnzmbf0eJUXFVZkpYaHcwgqo988e8ubsoBb\niq33BDyH5+VGc/Vr5BwRoAxQOdx0JgISKMv09l0fD/DvIHivymIw5BYgn8c2/bOL\nLCDPn6kCgYEA1dp9cbXvMsG+2gEOwnTeQlrY7P3Wa5FcGtF3n6Z4ZF2D+SdwcdgO\nKPepwHe9yMYDnfQkj8eoAd6evgnAXyCqXCrFD9V83S3qj8Pdo8mw2hTcxfx6kYNX\ny5zpdgnEH6tYXr0qaGZs5WUv+q372lG8OfGfMGRrLpJVG3rTd/beDKMCgYEA3OPA\n2b5Qo/5Ejt8u7wJ/Q+wKWKx5vcWgl7KHqgfGB/+0X19OIKGcQQTa+J2dQCkfM1ZL\nYuegmtMavvQ5rrpNGJT7bwr+pjedB9cSbvr9zEkgw1cj/ZNSxak6tV130ZVr3864\nADBm2CYWyyUO26fz9yf9fdqNl7U8QEDta9uNJpUCgYB7nn19SeonsQ+d/ZaGmgAQ\n42saM/HK5JAVgJhh1V0qx1QOptm9NWOaEvAxrgYrFSvqFsM7yfI4gnPI7uIhG0Tf\nWmnnqUUwpeY9jL+GeoSczAqC+Fvx2bbaoK3j6elRVT8UJM1q5Cp2wHNnuUMpBK6F\n4EJhOusqVLSV2f58Dlx1eQKBgCC/UzP01xe49okH5XlhsWRsdgw3ZcUQq4JR4XL/\nvAgrjJ4nDvofe37YLW52T33XmtyNipebJ2BMs8Zjhrm0vQFL9Qq9YotZ61niNMVn\nSIEkxkqvfJJ3aOoM8Ls6pCzaLif8CaNdiaG5498yG0XNXInjz9z8rck0AT61YX2A\nCykRAoGAPbr3tp/XbRWDUvZNrK+lAhUEFjuFU9pBQFqBPTlFS45OrotE806QVrYi\n4vcYqvHbSypSecI10DEE7RbxIYaCr9pMqdPvlUkopp1mw5hmZprn5lE2Gz0Y/dv0\n+Aso0bCLAT7H7hx9/58h9y4IBbFOVop7g0wnZS/t18NqgO+PHE8=\n-----END RSA PRIVATE KEY-----\n"}
# 生成自签名根 CA 证书和私钥
cfssl genkey -initca csr.json | cfssljson -bare ca
# 查看文件列表
ls
# 显示内容,输出中将出现三个 PEM 编码的实体:私钥、csr 和自签名证书
ca.csr ca-key.pem ca.pem csr.json
# 查看gencert命令
cfssl gencert -h
# gencert命令说明
cfssl gencert -- generate a new key and signed certificate
Usage of gencert:
Generate a new key and cert from CSR:
cfssl gencert -initca CSRJSON
cfssl gencert -ca cert -ca-key key [-config config] [-profile profile] [-hostname hostname] CSRJSON
cfssl gencert -remote remote_host [-config config] [-profile profile] [-label label] [-hostname hostname] CSRJSON
Re-generate a CA cert with the CA key and CSR:
cfssl gencert -initca -ca-key key CSRJSON
Re-generate a CA cert with the CA key and certificate:
cfssl gencert -renewca -ca cert -ca-key key
Arguments:
CSRJSON: JSON file containing the request, use '-' for reading JSON from stdin
Flags:
-initca=false: initialise new CA
-remote="": remote CFSSL server
-ca="": CA used to sign the new certificate
-ca-key="": CA private key
-config="": path to configuration file
-hostname="": Hostname for the cert, could be a comma-separated hostname list
-profile="": signing profile to use
-label="": key label to use in remote CFSSL server
利用CA根证书及其私钥文件签发生成其它证书及其私钥
步骤如下:
- 创建CA根证书配置文件(ca-config.json、ca-csr.json)、目标证书签名请求文件(server-csr.json)
- 生成CA根证书及其私钥
- 生成目标证书和私钥
- 校验证书
详见:手动生成证书 | Kubernetes
ca-config.json文件(用来生成 CA 文件):
CA根证书配置文件,一般命名为ca-config.json,它用于配置根证书的使用场景 (profile) 和具体参数 (usage,过期时间、服务端认证、客户端认证、加密等),后续在签名其它证书时需要指定特定场景 (profile)。
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
}
}
}
}
ca-csr.json文件(用于 CA 证书签名请求):
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names":[{
"C": "",
"ST": "",
"L": "",
"O": "",
"OU": ""
}]
}
server-csr.json文件(用来为 API 服务器生成秘钥和证书):
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"",
"",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [{
"C": "",
"ST": "",
"L": "",
"O": "",
"OU": ""
}]
}
生成 CA 秘钥文件(ca-key.pem
)和证书文件(ca.pem
)
# 生成CA根证书及其私钥
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
# 使用命令ls查看文件列表
ca.csr ca-csr.json ca-key.pem ca.pem
# 注意:cfssljson -bare + 命名文件名,
# 如本例中的ca,表示生成ca.pem和ca-key.pem,分别为证书和私钥文件。
# 生成的ca.pem是CA根证书文件,ca-key.pem是其私钥文件。
# 至此,CA根证书及其私钥文件已经生成,便可以用它们来签发其他认证文件了。
生成秘钥和证书,默认会分别存储为server-key.pem
和 server.pem
两个文件。
# 生成目标证书和私钥
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem \
--config=ca-config.json -profile=kubernetes \
server-csr.json | cfssljson -bare server
# 参数说明;
# -ca: 根证书
# -ca-key: 根秘钥
# -config: 根证书的配置文件(里面定义了很多场景)
# -profile: 选择根证书配置文件里的一个场景
# server-csr.json : 申请证书的对象的相关信息配置文件
# -bare:制造的证书文件的文件名称(或前缀)
# 使用ls命令查看文件列表
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem server.csr server-csr.json server-key.pem server.pem
# 方式1:使用openssl命令校验证书
openssl x509 -noout -text -in etcd.pem
# 说明:
# 确认 Issuer 字段的内容和 ca-csr.json 一致;
# 确认 Subject 字段的内容和 etcd-csr.json 一致;
# 确认 X509v3 Subject Alternative Name 字段的内容和 etcd-csr.json 一致;
# 确认 X509v3 Key Usage、Extended Key Usage 字段的内容和 ca-config.json 中 etcd-opprofile 一致;
# 方式2:使用cfssl-certinfo命令校验证书
cfssl-certinfo -cert ca.pem
详见:
https://github.com/cloudflare/cfssl
Introducing CFSSL - CloudFlare's PKI toolkit
手动生成证书 | Kubernetes
CloudFlare 开源证书管理工具 cfssl 详细使用教程 - 知乎
cfssl自签CA证书用于TLS/SSL认证技术指南
cfssl使用方法重新整理说明-CSDN博客
我在B站学运维之SSL与TLS协议原理与证书签名多种生成方式实践指南 - 哔哩哔哩
cfssl证书工具_Star-Seven的技术博客_51CTO博客