etcd recommends using the cfssl tool to generate the certificates used for authentication.
1. Installing cfssl
Taking x86_64 Linux as an example:
mkdir ~/bin
curl -s -L -o ~/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
curl -s -L -o ~/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x ~/bin/{cfssl,cfssljson}
export PATH=$PATH:~/bin
For an offline installation, simply download the two files, rename them and place them in the bin directory.
2. Generating the CA certificate
Generate the default configuration files for the CA:
mkdir ~/cfssl
cd ~/cfssl
cfssl print-defaults config > ca-config.json
cfssl print-defaults csr > ca-csr.json
The three certificate types:
client certificate: used by the server to authenticate a client. For example etcdctl, etcd proxy, fleetctl or docker clients.
server certificate: used by the server and verified by the client to establish the server's identity. For example docker server or kube-apiserver.
peer certificate: used by etcd cluster members as they communicate with each other in both directions.
All three certificate types are signed by the CA certificate.
The expiry field in ca-config.json sets the validity period of the issued certificates.
Then run the following command to generate the CA certificate:
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
This produces ca-key.pem, ca.csr and ca.pem.
Please keep the ca-key.pem file safe. This key allows creating any kind of certificate within your CA.
The ca.csr file is not needed here.
At this point the CA certificate is generated; next, the CA certificate is used to generate the server certificate and the client certificate.
3. Server certificate
Generate the configuration file for the server certificate:
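The following script is an added example and not part of the original post or of the etcd/cfssl projects. It writes a ca-config.json whose profiles match the three certificate types described above (server auth, client auth, and peer carrying both), writes a minimal ca-csr.json, and, when cfssl and cfssljson are on PATH, runs the same gencert command as above and restricts ca-key.pem to its owner. The directory, the 8760h expiry, the profile names and the CN "example-etcd-ca" are assumed values, not from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Directory, expiry, profile names
# and the CA CN below are assumptions; cfssl is only invoked if it is installed.
set -eu

CFSSL_DIR="${CFSSL_DIR:-${HOME:-/tmp}/cfssl}"   # ~/cfssl as in the post
CERT_EXPIRY="${CERT_EXPIRY:-8760h}"              # assumed: one year

# Signing policy. "server auth" / "client auth" become the extended key usages
# of the issued certificate; the peer profile carries both, because an etcd
# member acts as both TLS client and TLS server towards other members.
write_ca_config() {
    dir="$1"; expiry="$2"
    mkdir -p "$dir"
    cat > "$dir/ca-config.json" <<EOF
{
  "signing": {
    "default": { "expiry": "$expiry" },
    "profiles": {
      "server": { "expiry": "$expiry", "usages": ["signing", "key encipherment", "server auth"] },
      "client": { "expiry": "$expiry", "usages": ["signing", "key encipherment", "client auth"] },
      "peer":   { "expiry": "$expiry", "usages": ["signing", "key encipherment", "server auth", "client auth"] }
    }
  }
}
EOF
    printf '%s\n' "$dir/ca-config.json"
}

# CSR for the CA itself: a CN and key parameters are enough. CN is a placeholder.
write_ca_csr() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/ca-csr.json" <<EOF
{
  "CN": "example-etcd-ca",
  "key": { "algo": "ecdsa", "size": 256 }
}
EOF
    printf '%s\n' "$dir/ca-csr.json"
}

# Number of profiles in a ca-config.json (each profile has one "usages" line
# in the layout written above; avoids a jq dependency).
profile_count() {
    grep -c '"usages"' "$1"
}

# Create the CA with cfssl if available; the CA private key can sign any
# certificate under this CA, so make it readable only by its owner.
generate_ca() {
    dir="$1"
    if ! command -v cfssl >/dev/null 2>&1 || ! command -v cfssljson >/dev/null 2>&1; then
        echo "cfssl/cfssljson not found in PATH; skipping CA generation" >&2
        return 0
    fi
    ( cd "$dir" && cfssl gencert -initca ca-csr.json | cfssljson -bare ca - )
    chmod 600 "$dir/ca-key.pem"
}

write_ca_config "$CFSSL_DIR" "$CERT_EXPIRY"
write_ca_csr "$CFSSL_DIR"
generate_ca "$CFSSL_DIR"
```

Issuing a certificate later then selects one of these profiles with `-profile=server`, `-profile=client` or `-profile=peer`, so the key usage of each certificate is fixed by the policy file rather than by whoever runs the command.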