CFSSL: Certificate Management Tool: 4: Generating Kubernetes Cluster Certificates

Using CFSSL to generate the certificates needed to bring up a Kubernetes cluster is straightforward, and because the configuration files are JSON they are easy to read. This post follows the official example and creates the certificates step by step.

Step 1: Download the cfssl tools and make them executable

[root@liumiaocn cfssl]# curl -s -L -o cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@liumiaocn cfssl]# curl -s -L -o cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@liumiaocn cfssl]# curl -s -L -o cfssl-certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
[root@liumiaocn cfssl]# chmod +x cfssl*
[root@liumiaocn cfssl]# ls
cfssl  cfssl-certinfo  cfssljson
[root@liumiaocn cfssl]# ./cfssl version
Version: 1.2.0
Revision: dev
Runtime: go1.6
[root@liumiaocn cfssl]#

Step 2: Initialize the default signing configuration and CSR configuration files

Commands to run:
mkdir cert && cd cert
../cfssl print-defaults config > config.json
../cfssl print-defaults csr > csr.json

[root@liumiaocn cfssl]# mkdir cert && cd cert
[root@liumiaocn cert]# ../cfssl print-defaults config > config.json
[root@liumiaocn cert]# ../cfssl print-defaults csr > csr.json
[root@liumiaocn cert]# ls
config.json  csr.json
[root@liumiaocn cert]# cat config.json 
{
    "signing": {
        "default": {
            "expiry": "168h"
        },
        "profiles": {
            "www": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            }
        }
    }
}

[root@liumiaocn cert]# cat csr.json 
{
    "CN": "example.net",
    "hosts": [
        "example.net",
        "www.example.net"
    ],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "US",
            "L": "CA",
            "ST": "San Francisco"
        }
    ]
}

[root@liumiaocn cert]# 

Step 3: Create the signing configuration file for the CA

Create the CA signing configuration from the template generated in step 2.

[root@liumiaocn cert]# mv config.json ca-config.json
[root@liumiaocn cert]# vi ca-config.json 
[root@liumiaocn cert]# cat ca-config.json 
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "8760h"
      }
    }
  }
}
[root@liumiaocn cert]# 

Step 4: Create the certificate signing request configuration for the CA

Create the CSR (certificate signing request) configuration for the CA certificate from the template generated in step 2.

[root@liumiaocn cert]# mv csr.json ca-csr.json
[root@liumiaocn cert]# vi ca-csr.json 
[root@liumiaocn cert]# cat ca-csr.json 
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names":[{
    "C": "CN",
    "ST": "LiaoNing",
    "L": "DaLian",
    "O": "kubernetes",
    "OU": "kubernetes"
  }]
}
[root@liumiaocn cert]#

Step 5: Generate the CA private key, CSR file and CA certificate

Command to run: ../cfssl gencert -initca ca-csr.json | ../cfssljson -bare ca

[root@liumiaocn cert]# ls
ca-config.json  ca-csr.json
[root@liumiaocn cert]# ../cfssl gencert -initca ca-csr.json | ../cfssljson -bare ca
2019/12/15 08:19:58 [INFO] generating a new CA key and certificate from CSR
2019/12/15 08:19:58 [INFO] generate received request
2019/12/15 08:19:58 [INFO] received CSR
2019/12/15 08:19:58 [INFO] generating key: rsa-2048
2019/12/15 08:19:58 [INFO] encoded CSR
2019/12/15 08:19:58 [INFO] signed certificate with serial number 70459559078642252693355267095723608645726377632
[root@liumiaocn cert]# ls
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem
[root@liumiaocn cert]# file ca.csr ca-key.pem ca.pem 
ca.csr:     PEM certificate request
ca-key.pem: PEM RSA private key
ca.pem:     PEM certificate
[root@liumiaocn cert]# 

Step 6: Create the CSR configuration file for the server certificate

Create the server-side CSR configuration with the following content:

[root@liumiaocn cert]# vi server-csr.json
[root@liumiaocn cert]# cat server-csr.json 
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "192.168.163.121",
    ".10.254.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [{
    "C": "CN",
    "ST": "LiaoNing",
    "L": "DaLian",
    "O": "kubernetes",
    "OU": "kubernetes"
  }]
}
[root@liumiaocn cert]# 
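As an added check (not part of the original post or of cfssl itself), a small Python linter for a server CSR JSON like the one above: it flags "hosts" entries that are neither an IP address nor a valid DNS name (cfssl encodes such an entry as a DNS SAN, which is what happens to ".10.254.0.1" in this post), reports any missing in-cluster API server names, and enforces a minimum RSA key size. The sample input is the server-csr.json above, embedded here as constructed data; the required-name list and the 2048-bit floor are this check's own assumptions.

```python
import ipaddress
import json
import re

# Constructed sample: the server-csr.json from this post, embedded so the check
# runs offline. The ".10.254.0.1" entry is the one it should catch.
SERVER_CSR_JSON = """{
  "CN": "kubernetes",
  "hosts": ["127.0.0.1", "192.168.163.121", ".10.254.0.1", "kubernetes",
            "kubernetes.default", "kubernetes.default.svc",
            "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local"],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "LiaoNing", "L": "DaLian", "O": "kubernetes", "OU": "kubernetes"}]
}"""

# In-cluster clients reach the API server by these names; each must be a SAN on its cert.
REQUIRED_SANS = {
    "kubernetes", "kubernetes.default", "kubernetes.default.svc",
    "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local",
}

# RFC 1123 hostname (non-empty labels only), so a leading dot as in ".10.254.0.1" is rejected.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$", re.IGNORECASE)

def classify_host(host):
    """Return 'ip', 'dns' or 'invalid' for one entry of a cfssl "hosts" list."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "dns" if _HOSTNAME_RE.match(host) else "invalid"

def lint_server_csr(csr_text, min_rsa_bits=2048):
    """Return the problems found in a cfssl CSR JSON meant for the kube-apiserver."""
    csr = json.loads(csr_text)
    hosts = csr.get("hosts", [])
    problems = [f"host {h!r} is neither an IP address nor a valid DNS name"
                for h in hosts if classify_host(h) == "invalid"]
    problems += [f"required service name missing: {name}"
                 for name in sorted(REQUIRED_SANS - set(hosts))]
    key = csr.get("key", {})
    if key.get("algo") == "rsa" and key.get("size", 0) < min_rsa_bits:
        problems.append(f"RSA key size {key.get('size')} is below {min_rsa_bits} bits")
    return problems

if __name__ == "__main__":
    for problem in lint_server_csr(SERVER_CSR_JSON):
        print("WARN:", problem)
```

Run it before step 7; with the post's file it reports only the ".10.254.0.1" entry, and after correcting that entry to 10.254.0.1 it reports nothing.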

Step 7: Generate the server certificate

Command to run: ../cfssl gencert -ca=ca.pem -ca-key=ca-key.pem --config=ca-config.json -profile=kubernetes server-csr.json | ../cfssljson -bare server

[root@liumiaocn cert]# ls
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem  server-csr.json
[root@liumiaocn cert]# ../cfssl gencert -ca=ca.pem -ca-key=ca-key.pem \
> --config=ca-config.json -profile=kubernetes \
> server-csr.json | ../cfssljson -bare server
2019/12/15 08:29:55 [INFO] generate received request
2019/12/15 08:29:55 [INFO] received CSR
2019/12/15 08:29:55 [INFO] generating key: rsa-2048
2019/12/15 08:29:56 [INFO] encoded CSR
2019/12/15 08:29:56 [INFO] signed certificate with serial number 337984452459218016032373756387935973667527680579
2019/12/15 08:29:56 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@liumiaocn cert]# ls server*
server.csr  server-csr.json  server-key.pem  server.pem
[root@liumiaocn cert]#

Verifying the generated certificate

[root@liumiaocn cert]# ../cfssl-certinfo -cert server.pem
{
  "subject": {
    "common_name": "kubernetes",
    "country": "CN",
    "organization": "kubernetes",
    "organizational_unit": "kubernetes",
    "locality": "DaLian",
    "province": "LiaoNing",
    "names": [
      "CN",
      "LiaoNing",
      "DaLian",
      "kubernetes",
      "kubernetes",
      "kubernetes"
    ]
  },
  "issuer": {
    "common_name": "kubernetes",
    "country": "CN",
    "organization": "kubernetes",
    "organizational_unit": "kubernetes",
    "locality": "DaLian",
    "province": "LiaoNing",
    "names": [
      "CN",
      "LiaoNing",
      "DaLian",
      "kubernetes",
      "kubernetes",
      "kubernetes"
    ]
  },
  "serial_number": "337984452459218016032373756387935973667527680579",
  "sans": [
    ".10.254.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local",
    "127.0.0.1",
    "192.168.163.121"
  ],
  "not_before": "2019-12-15T13:25:00Z",
  "not_after": "2020-12-14T13:25:00Z",
  "sigalg": "SHA256WithRSA",
  "authority_key_id": "3A:2E:15:93:5:72:D0:99:FF:F3:4F:D2:86:E8:14:E7:5D:B2:8:EA",
  "subject_key_id": "2:6C:A1:82:18:7F:47:55:F5:94:EE:BA:EF:11:A7:96:7F:52:DB:8B",
  "pem": "-----BEGIN CERTIFICATE-----\nMIIEljCCA36gAwIBAgIUOzO/PFQ1NhwjrD6adzmLs4XHYkMwDQYJKoZIhvcNAQEL\nBQAwcDELMAkGA1UEBhMCQ04xETAPBgNVBAgTCExpYW9OaW5nMQ8wDQYDVQQHEwZE\nYUxpYW4xEzARBgNVBAoTCmt1YmVybmV0ZXMxEzARBgNVBAsTCmt1YmVybmV0ZXMx\nEzARBgNVBAMTCmt1YmVybmV0ZXMwHhcNMTkxMjE1MTMyNTAwWhcNMjAxMjE0MTMy\nNTAwWjBwMQswCQYDVQQGEwJDTjERMA8GA1UECBMITGlhb05pbmcxDzANBgNVBAcT\nBkRhTGlhbjETMBEGA1UEChMKa3ViZXJuZXRlczETMBEGA1UECxMKa3ViZXJuZXRl\nczETMBEGA1UEAxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC\nAQoCggEBAMp6qS0hPYtxffzDTgyCAx+bygxlk5BgKKKMthatJnLMJn19GO1mKwcq\n8izsa7Ub1S3bSC6R/LjfT8QFA20t7RMrxd0PefihAYRrxnsoH0mGjJnNx+XrI+JG\nJnSdOKhKBBdp0oNvi5J/oG2mlAx+GCtrp6bU12G6rbc/DDR5zWfCieGrP42boCm+\nlk44MiGIAY9IKdlozxwGOAwNutI4D96XJClMa9nznv6uH97G6aGAmflucVXpZ3dP\nxvmmwzeNyXtyqdR63FklCFkM7tJI1mT4LVvgXGjEhJlH718nmLkXkH8aHqFsCWxK\nrRbnGybtw6fUqXmK2yVx6UzpXd3AdB0CAwEAAaOCASYwggEiMA4GA1UdDwEB/wQE\nAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIw\nADAdBgNVHQ4EFgQUAmyhghh/R1X1lO667xGnln9S24swHwYDVR0jBBgwFoAUOi4V\nkwVy0Jn/80/ShugU512yCOowgaIGA1UdEQSBmjCBl4ILLjEwLjI1NC4wLjGCCmt1\nYmVybmV0ZXOCEmt1YmVybmV0ZXMuZGVmYXVsdIIWa3ViZXJuZXRlcy5kZWZhdWx0\nLnN2Y4Iea3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVygiRrdWJlcm5ldGVz\nLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWyHBH8AAAGHBMCoo3kwDQYJKoZIhvcN\nAQELBQADggEBAL2wyCWLMA9S2k/nAuxNEzCaMjN65kR/YfhGhFGLRBlzB+5w4ACJ\nfddQT3VSbQM8ywYcgLzCw/xtRpM3PDMa3pKgCUcg0Xn1mhISTxWUaf6NfUimZlH1\nr+ukvl6F6ghcsRvyc3Cta56LYR6NT6Xa4vZ86jI5DSs6THgQ0/ZMhSvqm6a3QGFT\n+lmeg5Hh/YOdqsbzo9Z57jUEshH+1DVoChibKi80N9HGjPwRa3Rgj9NUq211Z0aN\nyWP3i5SluprugWq2/9hGibECHDUwyJWfNX9ZVyPVLMi3TM6pFU8RfVCY9Og+9d9X\ncIR0wGn7NunvLYqNRV163RIlOIQAI/oVz/U=\n-----END CERTIFICATE-----\n"
}
[root@liumiaocn cert]# 

This shows that the result is an X.509 v3 certificate. The same contents can also be inspected directly with the openssl command; only the display format differs.

[root@liumiaocn cert]# openssl x509 -noout -in server.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3b:33:bf:3c:54:35:36:1c:23:ac:3e:9a:77:39:8b:b3:85:c7:62:43
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = LiaoNing, L = DaLian, O = kubernetes, OU = kubernetes, CN = kubernetes
        Validity
            Not Before: Dec 15 13:25:00 2019 GMT
            Not After : Dec 14 13:25:00 2020 GMT
        Subject: C = CN, ST = LiaoNing, L = DaLian, O = kubernetes, OU = kubernetes, CN = kubernetes
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:ca:7a:a9:2d:21:3d:8b:71:7d:fc:c3:4e:0c:82:
                    03:1f:9b:ca:0c:65:93:90:60:28:a2:8c:b6:16:ad:
                    26:72:cc:26:7d:7d:18:ed:66:2b:07:2a:f2:2c:ec:
                    6b:b5:1b:d5:2d:db:48:2e:91:fc:b8:df:4f:c4:05:
                    03:6d:2d:ed:13:2b:c5:dd:0f:79:f8:a1:01:84:6b:
                    c6:7b:28:1f:49:86:8c:99:cd:c7:e5:eb:23:e2:46:
                    26:74:9d:38:a8:4a:04:17:69:d2:83:6f:8b:92:7f:
                    a0:6d:a6:94:0c:7e:18:2b:6b:a7:a6:d4:d7:61:ba:
                    ad:b7:3f:0c:34:79:cd:67:c2:89:e1:ab:3f:8d:9b:
                    a0:29:be:96:4e:38:32:21:88:01:8f:48:29:d9:68:
                    cf:1c:06:38:0c:0d:ba:d2:38:0f:de:97:24:29:4c:
                    6b:d9:f3:9e:fe:ae:1f:de:c6:e9:a1:80:99:f9:6e:
                    71:55:e9:67:77:4f:c6:f9:a6:c3:37:8d:c9:7b:72:
                    a9:d4:7a:dc:59:25:08:59:0c:ee:d2:48:d6:64:f8:
                    2d:5b:e0:5c:68:c4:84:99:47:ef:5f:27:98:b9:17:
                    90:7f:1a:1e:a1:6c:09:6c:4a:ad:16:e7:1b:26:ed:
                    c3:a7:d4:a9:79:8a:db:25:71:e9:4c:e9:5d:dd:c0:
                    74:1d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                02:6C:A1:82:18:7F:47:55:F5:94:EE:BA:EF:11:A7:96:7F:52:DB:8B
            X509v3 Authority Key Identifier: 
                keyid:3A:2E:15:93:05:72:D0:99:FF:F3:4F:D2:86:E8:14:E7:5D:B2:08:EA

            X509v3 Subject Alternative Name: 
                DNS:.10.254.0.1, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1, IP Address:192.168.163.121
    Signature Algorithm: sha256WithRSAEncryption
         bd:b0:c8:25:8b:30:0f:52:da:4f:e7:02:ec:4d:13:30:9a:32:
         33:7a:e6:44:7f:61:f8:46:84:51:8b:44:19:73:07:ee:70:e0:
         00:89:7d:d7:50:4f:75:52:6d:03:3c:cb:06:1c:80:bc:c2:c3:
         fc:6d:46:93:37:3c:33:1a:de:92:a0:09:47:20:d1:79:f5:9a:
         12:12:4f:15:94:69:fe:8d:7d:48:a6:66:51:f5:af:eb:a4:be:
         5e:85:ea:08:5c:b1:1b:f2:73:70:ad:6b:9e:8b:61:1e:8d:4f:
         a5:da:e2:f6:7c:ea:32:39:0d:2b:3a:4c:78:10:d3:f6:4c:85:
         2b:ea:9b:a6:b7:40:61:53:fa:59:9e:83:91:e1:fd:83:9d:aa:
         c6:f3:a3:d6:79:ee:35:04:b2:11:fe:d4:35:68:0a:18:9b:2a:
         2f:34:37:d1:c6:8c:fc:11:6b:74:60:8f:d3:54:ab:6d:75:67:
         46:8d:c9:63:f7:8b:94:a5:ba:9a:ee:81:6a:b6:ff:d8:46:89:
         b1:02:1c:35:30:c8:95:9f:35:7f:59:57:23:d5:2c:c8:b7:4c:
         ce:a9:15:4f:11:7d:50:98:f4:e8:3e:f5:df:57:70:84:74:c0:
         69:fb:36:e9:ef:2d:8a:8d:45:5d:7a:dd:12:25:38:84:00:23:
         fa:15:cf:f5
[root@liumiaocn cert]# 

References

https://kubernetes.io/docs/concepts/cluster-administration/certificates/
