一、cfssljson简介
大多数cfssl命令的输出内容都是JSON格式的,而cfssljson工具可以读取这些JSON输出作为输入,按其中的键(key、certificate、CSR、bundle)将各部分拆分后分别写入对应的文件。
二、相关命令
[root@master01 cfssl]# /opt/kubernetes/bin/cfssljson -h
Usage of /opt/kubernetes/bin/cfssljson:
-alsologtostderr
log to standard error as well as files
-bare
the response from CFSSL is not wrapped in the API standard response
-f string
JSON input (default "-")
-log_backtrace_at value
when logging hits line file:N, emit a stack trace
-log_dir string
If non-empty, write log files in this directory
-logtostderr
log to standard error instead of files
-stderrthreshold value
logs at or above this threshold go to stderr
-stdout
output the response instead of saving to a file
-v value
log level for V logs
-version
print version and exit
-vmodule value
comma-separated list of pattern=N settings for file-filtered logging
[root@master01 cfssl]#
1、/opt/kubernetes/bin/cfssl gencert -ca="./ca.pem" -ca-key="./ca-key.pem" ca-csr.json | /opt/kubernetes/bin/cfssljson -bare hello
[root@master01 cfssl]# /opt/kubernetes/bin/cfssl gencert -ca="./ca.pem" -ca-key="./ca-key.pem" ca-csr.json
2023/07/19 07:56:30 [INFO] generate received request
2023/07/19 07:56:30 [INFO] received CSR
2023/07/19 07:56:30 [INFO] generating key: ecdsa-256
2023/07/19 07:56:30 [INFO] encoded CSR
2023/07/19 07:56:30 [INFO] signed certificate with serial number 552297536142797801701050543379858957627076600008
{"cert":"-----BEGIN CERTIFICATE-----\nMIICHDCCAcGgAwIBAgIUYL3gyEW2mGq1VOc7KxuUOi9vYMgwCgYIKoZIzj0EAwIw\nSDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp\nc2NvMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0yMzA3MTkxNDUyMDBaFw0yNDA3\nMTgxNDUyMDBaMEgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMN\nU2FuIEZyYW5jaXNjbzEUMBIGA1UEAxMLZXhhbXBsZS5uZXQwWTATBgcqhkjOPQIB\nBggqhkjOPQMBBwNCAARLZSvj06Kn6QpdKUTCCmBdxXx9GnxLsk74v1fLOEeoRL9l\nCeiJP3CKJjmAQFuOs5pJiqSq3hf/HTTQvn6MUvwYo4GIMIGFMA4GA1UdDwEB/wQE\nAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIw\nADAdBgNVHQ4EFgQUINBCrYV0lWu5/hfpQDc546Aa+A8wJwYDVR0RBCAwHoILZXhh\nbXBsZS5uZXSCD3d3dy5leGFtcGxlLm5ldDAKBggqhkjOPQQDAgNJADBGAiEA6xhq\nTljHWnMyNeNoKm7WN+kCTJ8Wqu7sb6eXUuJFWBsCIQDZVCA3whsPrMu5Makd08jO\ng+HJeUfRxmf+pSXHUz27vQ==\n-----END CERTIFICATE-----\n","csr":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBPTCB5AIBADBIMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcT\nDVNhbiBGcmFuY2lzY28xFDASBgNVBAMTC2V4YW1wbGUubmV0MFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAES2Ur49Oip+kKXSlEwgpgXcV8fRp8S7JO+L9XyzhHqES/\nZQnoiT9wiiY5gEBbjrOaSYqkqt4X/x000L5+jFL8GKA6MDgGCSqGSIb3DQEJDjEr\nMCkwJwYDVR0RBCAwHoILZXhhbXBsZS5uZXSCD3d3dy5leGFtcGxlLm5ldDAKBggq\nhkjOPQQDAgNIADBFAiEAuCoWMfVlFGcJc7Lcaf7TJ8UAfB/SqN0L2tS1xmqNvXkC\nIDp4jfmQQUMtOn1wuzlk9PmPcquR9QmOghZzAtQn1MiX\n-----END CERTIFICATE REQUEST-----\n","key":"-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIFqsPN7eccI9UtjB7ZuZdcpe4tygw3ch4jkDGcrQbs2WoAoGCCqGSM49\nAwEHoUQDQgAES2Ur49Oip+kKXSlEwgpgXcV8fRp8S7JO+L9XyzhHqES/ZQnoiT9w\niiY5gEBbjrOaSYqkqt4X/x000L5+jFL8GA==\n-----END EC PRIVATE KEY-----\n"}
[root@master01 cfssl]# /opt/kubernetes/bin/cfssl gencert -ca="./ca.pem" -ca-key="./ca-key.pem" ca-csr.json | /opt/kubernetes/bin/cfssljson -bare hello
2023/07/19 07:57:29 [INFO] generate received request
2023/07/19 07:57:29 [INFO] received CSR
2023/07/19 07:57:29 [INFO] generating key: ecdsa-256
2023/07/19 07:57:29 [INFO] encoded CSR
2023/07/19 07:57:29 [INFO] signed certificate with serial number 107459120904190039137506409066319320594339587273
[root@master01 cfssl]# ls -l hello*
-rw-r--r--. 1 root root 505 Jul 19 07:57 hello.csr
-rw-------. 1 root root 227 Jul 19 07:57 hello-key.pem
-rw-r--r--. 1 root root 794 Jul 19 07:57 hello.pem
[root@master01 cfssl]#
2、 /opt/kubernetes/bin/cfssl gencert -ca="./ca.pem" -ca-key="./ca-key.pem" ca-csr.json | /opt/kubernetes/bin/cfssljson -bare hello - 与上述含义一样,末尾的 - 表示从标准输入(stdin,即管道)读取 JSON,这也是 -f 选项的默认值。
3、 /opt/kubernetes/bin/cfssljson -bare -f hello.json hello 使用 -f 选项指定输入文件名。注意:hello.json 中的 "key" 字段同样包含私钥,但该文件由 shell 重定向创建,权限为 0644(见下方 ls 输出),而 cfssljson 写出的 hello-key.pem 权限为 0600;这类中间 JSON 文件用完后应删除或收紧权限。
[root@master01 cfssl]# rm -f hello*
[root@master01 cfssl]# /opt/kubernetes/bin/cfssl gencert -ca="./ca.pem" -ca-key="./ca-key.pem" ca-csr.json > hello.json
2023/07/19 08:00:40 [INFO] generate received request
2023/07/19 08:00:40 [INFO] received CSR
2023/07/19 08:00:40 [INFO] generating key: ecdsa-256
2023/07/19 08:00:40 [INFO] encoded CSR
2023/07/19 08:00:40 [INFO] signed certificate with serial number 275536114753805388111350921490052209373866118965
[root@master01 cfssl]# cat hello.json
{"cert":"-----BEGIN CERTIFICATE-----\nMIICGzCCAcGgAwIBAgIUMEN3edn/JQ1lc2vTh7+kuChETzUwCgYIKoZIzj0EAwIw\nSDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp\nc2NvMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0yMzA3MTkxNDU2MDBaFw0yNDA3\nMTgxNDU2MDBaMEgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMN\nU2FuIEZyYW5jaXNjbzEUMBIGA1UEAxMLZXhhbXBsZS5uZXQwWTATBgcqhkjOPQIB\nBggqhkjOPQMBBwNCAASpHE8gmfPxMT6ieRaPsenhHYEGWQE1jEasn0PthfHrGPkw\nyEfoK2ucpmxWSjhm9dxvs5FRjN65yaVcRWsbqzEYo4GIMIGFMA4GA1UdDwEB/wQE\nAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIw\nADAdBgNVHQ4EFgQU8yqKTObwkaGBk6udiOjxCmLTJLowJwYDVR0RBCAwHoILZXhh\nbXBsZS5uZXSCD3d3dy5leGFtcGxlLm5ldDAKBggqhkjOPQQDAgNIADBFAiBLMACv\ntYndT06oL6Jy8ZjRe9VcLsTov8qm/Z/uRlvyTQIhAPP76QXm5XvoaPYntMHGB4c/\noV9DylArX4fTafSSBAAn\n-----END CERTIFICATE-----\n","csr":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBPDCB5AIBADBIMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcT\nDVNhbiBGcmFuY2lzY28xFDASBgNVBAMTC2V4YW1wbGUubmV0MFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAEqRxPIJnz8TE+onkWj7Hp4R2BBlkBNYxGrJ9D7YXx6xj5\nMMhH6CtrnKZsVko4ZvXcb7ORUYzeucmlXEVrG6sxGKA6MDgGCSqGSIb3DQEJDjEr\nMCkwJwYDVR0RBCAwHoILZXhhbXBsZS5uZXSCD3d3dy5leGFtcGxlLm5ldDAKBggq\nhkjOPQQDAgNHADBEAiBoizyvmdvUuQQdhZQXiigu60mpUg8sMrsT/X9+BkBKxAIg\nTPR9UJy/BaxDDLQvZfRZJ8CyShiqLyf2mw9muYt3giE=\n-----END CERTIFICATE REQUEST-----\n","key":"-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEILpDMDqmqjaFuuf8QSV5yUiqfqdHvzonMpSIne8ABugjoAoGCCqGSM49\nAwEHoUQDQgAEqRxPIJnz8TE+onkWj7Hp4R2BBlkBNYxGrJ9D7YXx6xj5MMhH6Ctr\nnKZsVko4ZvXcb7ORUYzeucmlXEVrG6sxGA==\n-----END EC PRIVATE KEY-----\n"}
[root@master01 cfssl]# /opt/kubernetes/bin/cfssljson -bare -f hello.json hello
[root@master01 cfssl]# ls -l hello*
-rw-r--r--. 1 root root 505 Jul 19 08:01 hello.csr
-rw-r--r--. 1 root root 1580 Jul 19 08:00 hello.json
-rw-------. 1 root root 227 Jul 19 08:01 hello-key.pem
-rw-r--r--. 1 root root 790 Jul 19 08:01 hello.pem
[root@master01 cfssl]#
4、-bare选项 -bare选项一定要加上:cfssl 命令直接输出的 JSON 没有经过 API 标准响应格式包装(见上方 -bare 的帮助说明),缺少该选项时 cfssljson 会按 API 响应格式解析而报错。
[root@master01 cfssl]# /opt/kubernetes/bin/cfssljson -f hello.json hello
Request failed:
[root@master01 cfssl]# /opt/kubernetes/bin/cfssljson -bare -f hello.json hello
[root@master01 cfssl]#
具体含义详见 create a new csr