创建根证书
创建文件夹
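# Create the CA working directory and work inside it, so the downloads,
# templates, ca.pem and ca-key.pem produced by the following steps land here
# rather than in whatever directory the shell happened to start in.
# -p keeps the step repeatable when the directory already exists.
mkdir -p /opt/certs
# The root CA private key will be written into this directory; keep it closed
# to other local accounts. Relax this only if another account genuinely needs
# to read the public certificates from here.
chmod 700 /opt/certs
cd /opt/certs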
下载 cfssl 文件
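# Fetch the three cfssl R1.2 binaries (certificate inspector, CA tool, JSON
# output splitter). They are later installed into /usr/bin and used to mint
# the root CA, so they are part of the trust chain for everything it signs.
for tool in cfssl-certinfo cfssl cfssljson; do
  wget "https://pkg.cfssl.org/R1.2/${tool}_linux-amd64"
done
# Integrity check: print the SHA-256 of each download and compare it with the
# checksums published by the cfssl project before making anything executable.
# HTTPS authenticates the server, not the file contents.
sha256sum cfssl-certinfo_linux-amd64 cfssl_linux-amd64 cfssljson_linux-amd64
# NOTE(review): R1.2 is an old release line; confirm upstream whether a
# maintained release should be used instead.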
更改名称
# Strip the "_linux-amd64" platform suffix from each download. cfssljson is
# renamed to "cfssl-json", which is the name the signing step invokes.
mv -- cfssl_linux-amd64 cfssl
mv -- cfssljson_linux-amd64 cfssl-json
mv -- cfssl-certinfo_linux-amd64 cfssl-certinfo
赋予执行权限
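# Mark only the three downloaded tools executable. Naming them explicitly,
# instead of using the glob cfssl*, keeps unrelated files in the current
# directory that happen to share the prefix from becoming executable.
chmod +x cfssl cfssl-json cfssl-certinfo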
移动到系统命令目录（/usr/bin）
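# Install exactly the three tools into /usr/bin (explicit names rather than
# the glob cfssl*, so nothing else with that prefix is moved onto PATH).
mv -- cfssl cfssl-json cfssl-certinfo /usr/bin/
# mv keeps the downloader's ownership; binaries on the system PATH should be
# owned by root and not writable by anyone else.
chown root:root /usr/bin/cfssl /usr/bin/cfssl-json /usr/bin/cfssl-certinfo
chmod 755 /usr/bin/cfssl /usr/bin/cfssl-json /usr/bin/cfssl-certinfo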
确认命令已安装
# Confirm that each installed tool resolves on PATH; each lookup prints the
# path it found.
for tool in cfssl cfssl-json cfssl-certinfo; do
  which "$tool"
done
获取默认模板
# Dump cfssl's built-in templates into the current directory as a starting
# point. Both files are replaced by hand in the following steps.
cfssl print-defaults csr > ca-csr.json
cfssl print-defaults config > ca-config.json
更改 ca-csr.json 文件如下
# Open the generated CSR template and replace its contents with the JSON shown
# below (CN "kubernetes", RSA key of 2048 bits).
# NOTE(review): the CSR below has no "ca" section, so the root certificate's
# lifetime is left to cfssl's built-in default (5 years upstream; verify for
# the version in use), while ca-config.json issues certificates for 175200h
# (about 20 years). Add "ca": {"expiry": "..."} here if the root is meant to
# outlive the certificates it signs.
# NOTE(review): RSA 2048 is a modest key size for a long-lived root; consider
# whether a larger key is warranted.
vim ca-csr.json
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
更改 ca-config.json 文件
# Open the generated signing config and replace its contents with the JSON
# shown below: three profiles (server, client, peer) that differ only in the
# "server auth" / "client auth" usages they grant.
# NOTE(review): the default and every profile use 175200h (about 20 years).
# That is a long lifetime for end-entity certificates. Nothing on this page
# sets up revocation, so a leaked leaf key would stay usable until expiry.
# Choose shorter lifetimes where rotation is feasible.
vim ca-config.json
{
"signing": {
"default": {
"expiry": "175200h"
},
"profiles": {
"server": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
签发根证书
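# Self-sign the root CA from ca-csr.json. cfssl emits JSON on stdout and
# cfssl-json splits it into ca.pem (certificate), ca-key.pem (private key) and
# ca.csr in the current directory.
cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
# ca-key.pem can sign a certificate for any identity that trusts this root:
# keep it readable by its owner only, and keep it out of shared backups and
# images.
chmod 600 ca-key.pem
# Inspect the result and confirm the subject and the not_after date are what
# was intended before distributing ca.pem.
cfssl-certinfo -cert ca.pem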
至此，根证书创建完成：当前目录下会生成 ca.pem（根证书）、ca-key.pem（根证书私钥）和 ca.csr（证书签名请求）。