命令下载工具(傻瓜式执行)
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
创建自签CA
cat > ca-config.json<< EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"www": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
EOF
生成证书
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
可以查看有没有生成
ls *pem
使用自签 CA 签发 Etcd HTTPS 证书(这里的ip要改成自己k8s的集群ip)
{
"CN": "etcd",
"hosts": ["192.168.102.48", "192.168.102.49", "192.168.102.50"],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}]
}
生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
这里如果报错的话,要检查server-csr.json 这个里面json有没有错
查看有没有生成对应证书
ls server*pem
完结